Spend Monitor

Monitor spending on cloud environments to quickly identify unauthorized usage.

Introduction

Unusual increases in spending on your environments can indicate security incidents, for example denial-of-wallet attacks. You can monitor spending regularly and set thresholds to receive alerts when unusual spending occurs.

Note: Spend monitoring data is not available in Sophos Cloud Optix for Azure subscriptions billed through Microsoft Cloud Solution Provider (CSP) plans.

Setting up environments for Spend Monitor

Spend Monitor must be turned on for each environment. It may already be turned on, depending on the environment type and when you added the environment to Sophos Cloud Optix. Once Spend Monitor is turned on, you can set alert thresholds for each environment in Compliance.

Check what you need to do as follows:

  • AWS environments: depending on when you added the account to Sophos Cloud Optix, you may need to add permissions in AWS so that Sophos Cloud Optix can access spend information. See Detailed set up instructions for AWS environments.
  • Azure environments: no additional permissions are required to allow Sophos Cloud Optix to access spend information. You may still need to turn on Spend Monitor in Sophos Cloud Optix.
  • GCP environments: you must turn on Cloud Billing exports to BigQuery in your Google account before you turn on Spend Monitor in Sophos Cloud Optix. See Export Cloud Billing data to BigQuery for more details. When Google has created a table containing billing information, go to Settings > Environments in Sophos Cloud Optix, enter the dataset and table name provided by BigQuery, then turn on Spend Monitor.

Detailed set up instructions for AWS environments

You must add the required permission to your AWS account before turning on Spend Monitor. Do as follows:

  1. In your AWS console, go to your AWS account.
  2. In Roles, select Avid-Role.
  3. Click Add Inline Policy.
  4. In Service, select Cost Explorer Service.
  5. In Action, under Read, select GetCostAndUsage.
  6. Name the policy and click Create.

Go to your Sophos Cloud Optix console to turn on Spend Monitor.
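
The following check is an added example, not Sophos or AWS code: it audits a policy document, such as the inline policy created in the steps above, to confirm that it allows ce:GetCostAndUsage and to list anything it allows beyond that one action. The function names and the three sample policy documents are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Action selected in step 5 of the AWS instructions above.
REQUIRED = "ce:getcostandusage"  # IAM action names are case-insensitive


def _as_list(value):
    """IAM allows a single object/string where a list is also valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_spend_policy(policy_json):
    """Return (grants_required, excess) for one policy document.

    grants_required: an Allow statement covers ce:GetCostAndUsage.
    excess: Allow entries that permit anything beyond that one action.
    Explicit Deny statements and Condition blocks are not evaluated.
    """
    doc = json.loads(policy_json)
    grants, excess = False, set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction permits every action except those listed.
            listed = [p.lower() for p in _as_list(stmt["NotAction"])]
            grants = grants or not any(fnmatchcase(REQUIRED, p) for p in listed)
            excess.add("NotAction")
            continue
        for pattern in _as_list(stmt.get("Action")):
            if fnmatchcase(REQUIRED, pattern.lower()):
                grants = True
            if pattern.lower() != REQUIRED:
                excess.add(pattern)
    return grants, sorted(excess)


# Constructed sample documents (hypothetical, not exported from a real account).
MINIMAL = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*"}})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:*", "s3:GetObject"], "Resource": "*"}]})
MISSING = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ce:GetCostForecast", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL), ("broad", BROAD), ("missing", MISSING)):
        print(name, audit_spend_policy(doc))
```

A result of (True, []) means the policy grants the spend-read permission and nothing else; any entry in the second element is a candidate for removal from the role.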

Turn on Spend Monitor in Sophos Cloud Optix

Once a cloud environment has been set up to link with Spend Monitor, you must turn Spend Monitor on for that environment in Sophos Cloud Optix. For each environment, do as follows:

  1. Click Settings.
  2. Click Environments.
  3. Click the edit icon for the environment where you want to turn on spend monitoring.
  4. Switch spend monitoring on.
  5. Click Save.
  6. Click Spend Monitor to see daily and monthly graphs and lists of spending on services.

Once Spend Monitor is turned on, the page provides the following:

  • A graph of daily spend across AWS, Azure and GCP environments. Choose to see daily spend for all environments, or select a specific environment. Click the graph to see the top environments by spend on any day, and the top services that contributed to the spend on that day. Zoom out to see the daily spend for each day over the last 60 days.
  • A graph of monthly spend over the last 6 months. Click the graph to see the top environments by spend in any month, and the top services that contributed to the spend in that month.
  • A table showing the environments contributing most to your cloud spend, and the top services in terms of spend for those environments, for the current calendar month.

You can also set spending thresholds for individual environments in Compliance.