DEV Community: Mahesh

Cost-Sentry: Optimizing AWS Spend with AI-Driven FinOps Auditing

Mahesh — Fri, 13 Feb 2026 18:04:21 +0000

What I Built

In a sprawling cloud environment, "zombie" resources specifically unattached EBS volumes are a silent drain on the budget. As a Cloud Architect, I wanted to build a tool that doesn't just manage infrastructure but optimizes its cost.

I built Cost-Sentry, a FinOps agent that identifies unattached EBS volumes and calculates their financial impact. It uses the GitHub Copilot CLI as a reasoning engine to generate complex Boto3 auditing scripts, which are then used to produce immediate, actionable saving reports.

Demo

The tool is designed for high-velocity cost audits and is now part of my public GitHub portfolio.

🔗 GitHub Repository: https://github.com/mpawar006/cost-sentry

Cost-Sentry in Action

The tool scans for volumes in the available state and applies a standard rate of $0.10 per GB/month to estimate waste.

Figure 1: Cost-Sentry successfully identifying 20GB of unattached storage waste.

Financial Impact Detected:

Total Volumes Audited: 2
Total Wasted Capacity: 20 GB
Potential Monthly Savings: $2.00

My Experience with GitHub Copilot CLI

Building this fourth project on my local machine solidified how AI can be a force multiplier for cloud management.

Logic-Driven Prompt Engineering: Unlike standard code-gen, I used a structured cost_library.json to feed specific financial archetypes into the GitHub Copilot CLI. This allowed the AI to focus on the mathematical reasoning required for cost estimation rather than just boilerplate code.
The "Safety-First" Approach: A major takeaway from this challenge was ensuring AI-driven velocity doesn't bypass safety guardrails. I engineered Cost-Sentry as a read-only auditor, proving that AI agents can be highly impactful without needing high-risk permissions.
FinOps Visibility: The CLI allowed me to quickly prototype the logic needed to parse deeply nested AWS resource metadata and transform it into a clean, human-readable terminal table using the tabulate library.

Kube-Guardian: Hardening Kubernetes with AI Powered Security Auditing

Mahesh — Thu, 12 Feb 2026 15:00:13 +0000

What I Built

In modern DevOps, velocity often comes at the cost of security. As a Cloud Architect, I’ve seen developers rely on AI to quickly generate Kubernetes YAML, only to accidentally include "risky" defaults like privileged containers or missing resource limits.

I built Kube-Guardian an agentic security framework that enforces a "Trust but Verify" workflow. It bridges the gap between AI driven manifest generation and production-grade security standards by using the GitHub Copilot CLI to reason through security scenarios, followed by an instant, automated Python based audit engine.

Demo

The project is open-sourced and includes pre-defined security archetypes to test both "Secure" and "Risky" paths.

Figure 1: AI-driven hardening of an Nginx manifest passing all 3 security gates.

Figure 2: Kube-Guardian correctly identifying and failing a risky Postgres deployment.

🔗 GitHub Repository: https://github.com/mpawar006/kube-guardian

Kube-Guardian in Action

1. AI-Driven Hardening:
Using the Copilot CLI, the tool generates a hardened Nginx manifest that implements non-root execution and strict resource constraints.

2. Automated Security Gates:
The auditor validates every manifest against three critical production gates: Privileged Mode, Resource Limits, and Non-Root Execution.

Results:

✅ Secure Path (Nginx): nginx: No Privileged Mode -> PASSED
❌ Risky Path (Postgres): postgres: No Privileged Mode -> FAILED

My Experience with GitHub Copilot CLI

Integrating the GitHub Copilot CLI into a Kubernetes workflow was a significant technical journey on my local machine.

Prompting as Architecture: I used Copilot not just for code completion, but as a Reasoning Engine. By passing structured scenarios from a guardian_library.json, I was able to treat the CLI as a programmatic backend for complex infrastructure decisions.
Impact on Security: The CLI allowed me to quickly prototype secure configurations (like dropping capabilities and preventing privilege escalation) that would typically require searching through pages of Kubernetes documentation.

IAM Sentinel: Bridging AI Reasoning with AWS Security Compliance

Mahesh — Mon, 09 Feb 2026 15:55:24 +0000

What I Built
As a Cloud Architect, the principle of Least Privilege is my guiding star, but writing manual IAM policies is often a bottleneck that leads to "security debt." I built IAM Sentinel an AI powered agentic framework that bridges the gap between high-level architectural requirements and verified cloud security code.

IAM Sentinel uses the GitHub Copilot CLI to "reason" through security scenarios and generate precise JSON policies. To ensure these policies aren't just plausible but technically sound, I integrated a validation layer using Boto3 and the AWS IAM Policy Simulator, creating a complete "Generate -> Validate -> Report" cycle for security-as-code.

Demo
The project is fully open-sourced and documented to be "cloned and run" for anyone with AWS credentials and the Copilot CLI.

Figure 1: GitHub Copilot CLI reasoning through the S3 scenario.

Figure 2: Automated validation via Boto3 and AWS IAM Policy Simulator proving the policy is functionally correct.

Figure 3: The final generated Markdown audit report summarizing the verified permissions for stakeholders.

🔗 GitHub Repository: https://github.com/mpawar006/iam-sentinel

Sentinel in Action

The Request: python iam_sentinel.py --scenario s3_read_write
The Logic: Copilot CLI analyzes the scenario and generates a scoped policy distinguishing between bucket-level (ListBucket) and object-level (GetObject/PutObject) permissions.
The Proof: The tool automatically triggers the AWS Policy Simulator to verify the JSON.

Sample Audit Report Output:

AWS Action	Resource Target	Status
s3:ListBucket	`arn:aws:s3:::sentinel-data-storage`	✅ ALLOWED
s3:GetObject	`arn:aws:s3:::sentinel-data-storage/test.txt`	✅ ALLOWED

My Experience with GitHub Copilot CLI
Integrating the GitHub Copilot CLI into a Python automation suite was a masterclass in modern agentic development.

Impact on Speed: I spent significantly less time looking up specific S3 Action names (was it s3:List or s3:ListBucket?). Copilot handled the "syntax heavy lifting," allowing me to focus on the architectural logic.
Prompting as Architecture: I used Copilot not just for code completion, but as a Reasoning Engine. By passing structured scenarios from a policy_library.json, I was able to treat the CLI as a programmatic backend for security decisions.
Overcoming Hurdles: I encountered some syntax evolutions with the -i and -p flags in the 2026 version of the CLI. Debugging these through subprocess gave me a deeper understanding of how the Copilot extension manages interactive vs. non-interactive sessions, eventually settling on a robust wrapper that ensures reliable execution.

Sentinel CLI: A Self-Healing AWS Monitoring Agent Powered by GitHub Copilot

Mahesh — Sun, 08 Feb 2026 20:53:50 +0000

What I Built
I built Sentinel CLI, a Python-based intelligent agent designed to bridge the gap between cloud infrastructure monitoring and automated remediation. It uses boto3 to scan the us-east-1 region for stopped EC2 instances and, rather than just alerting, it utilizes the GitHub Copilot CLI to reason and suggest the exact CLI commands needed to restore the service.

Demo
GitHub Repository: https://github.com/mpawar006/sentinel-cli

My Experience with GitHub Copilot CLI
Building this project on my ThinkPad T490 highlighted the power of "Agentic DevOps."

Intelligent Reasoning: I integrated my Python script directly with the Copilot CLI using subprocess. This allowed the script to pass context to the AI and receive sophisticated, production-ready AWS commands in return.
Problem Solving: During development, Copilot helped me resolve Windows-specific UTF-8 encoding issues so that my terminal alerts (🚨) and formatting looked professional and clear.
Human-in-the-Loop: The CLI's interactive nature allowed me to build a secure approval flow, ensuring that an architect always verifies a "healing" command before execution.