FinOps Without the Walk of Doom — meet the AWS FinOps Agent

The Walk of Doom Is Over: Automating Cost Investigations with the AWS FinOps Agent

The old way: the "walk of doom"

Controlling costs and investigating cost incidents in AWS used to be a tedious process. Why? Well, picture this: you get a $5,000 bill for CloudTrail, but Cost Anomaly Detection flags it as low severity, the notification never reaches you, and it quietly goes unnoticed for a couple of days.

By the time you do notice, here's the ritual you're stuck with:

1. First, you receive a budget alarm.
2. Then you ask yourself how? — and double-check whether this was a forecast or an actual.
3. It was actual. You start to panic, and the walk of doom begins: analyse costs in Cost Explorer → stare at the bill → "oh, there was a Cost and Budgets report" → back to Cost Explorer to filter by service and hunt down the troublemaker.
4. You finally found it. Now the real question — why, and how did it get triggered? Off you go to CloudTrail.

Enter the AWS FinOps Agent

AWS solved all of this by introducing the AWS FinOps Agent. It automates FinOps reports and alerts, and those alerts can be wired into Slack or Jira Cloud.

Now you might say: "Look, I'm an experienced FinOps practitioner, I'm not like you, and I do things my own opinionated way." Fair enough — and that's exactly the point. As an experienced practitioner, you can feed the agent context and it will enhance your skills, producing a personalised report easier than ever before. You can finally nail those stakeholder presentations and focus on the things you always wanted to focus on: cost, or even cost per customer, or cost per bet.

Okay, enough marketing. Let's see how it actually works.

Setting it up

1. Create the agent

First, create an agent with a name that follows your naming convention. In my case:

2. Create the roles

Next, you're invited to create two roles: the agent role and the agent operator role. You can customise them to follow your internal standards, or leave it to the wizard. If you let the wizard handle it, it attaches the following managed policies:

• FinOpsAgentRole → FinOpsAgentAgentPolicy
• FinOpsAgentOperator → FinOpsAgentOperatorPolicy

3. Select integrations

Pick your integrations. For Slack, you'll need to be a workspace admin — or ask your admin to approve the AWS FinOps Agent – US East Slack app.

4. Give it context

This is where it gets interesting. Remember how I said it enhances experienced practitioners? The agent lets you give it context — including which teams are responsible for which accounts. When I opened the web interface, I added the following two files as context.

owners.csv

account_id,team_name,team_lead,email
012345678910,senior devops,Мартин Нанчев,finops-lead@example.com

context.md

# Custom instructions: anomaly notification routing

## Owner attribution
- Use the account-to-owner mapping context file to attribute all cost
  anomalies and spend changes to the owner of the affected account.
- Account 012345678910 is owned by Martin Nanchev (senior devops).

## Slack notification behavior
- When posting a cost anomaly investigation or cost report to Slack,
  begin the message with a line that notifies the responsible account owner.
- For account 012345678910, start the Slack message with: <@U0BA80JFFRP>
- Follow the mention with a one-line summary: affected account, owner name,
  estimated cost impact, and the anomaly trigger.

## Scope
- Apply this only to Slack posts for cost anomalies and scheduled cost reports.
- Do not include personal email addresses in any Slack message body.

Taking it for a spin

Investigating a real anomaly

With the initial configuration in place, let's investigate a cost anomaly I actually had in March 2026 with Amazon Bedrock (Sonnet).

A curious caveat: here the agent claims it can't search CloudTrail. Yet when I tested the exact same thing at work, in our dev organisation, it happily pulled data from CloudTrail. So I'm assuming it is possible — for some reason it works at work but not in my personal account. If you know why, drop a comment.

Preparing and sending the report

Let's prepare the report and send it to Slack:

And here's how it lands in Slack:

The report itself looks like it was generated straight from a CUDOS dashboard.

Tagging account owners

Can it tag account owners based on owners.csv and context.md? Of course — that's their whole purpose. Here's what it looks like:

Scheduling weekly automation

Last question: can you schedule an automation that posts anomalies to Slack every single week? Again — of course.

Here's an example prompt:

Analyse my top 3 cost drivers for the past 7 days. Include a breakdown by service and highlight any anomalies compared to the previous period. Notify the account in Slack.

And once again, it looks amazing — like a real dashboard.

Stress-testing it for optimisation tips

Now let's put it under a bit of stress. My personal account sits at a whopping $20–$60 a month (or $0 with AWS credits), so let's ask the agent for cost optimisation suggestions for Amazon Bedrock. It returns some solid best practices right away:

Wrapping up

And just like that, the walk of doom collapses into a single prompt. The AWS FinOps Agent won't replace your FinOps instincts — but feed it the right context and it absolutely sharpens them, turning hours of Cost Explorer archaeology into a report that practically writes itself.

Give it a try in a dev account, throw your own owners.csv and context.md at it, and let me know in the comments how it goes.