AWS Cloud Financial Management
How Dedicated Account Delegation Helped CrowdStrike Manage Costs
CrowdStrike, a leader in cloud-delivered endpoint and workload protection, provides comprehensive security solutions to organizations worldwide. As CrowdStrike’s IT department scaled their AWS environment, they faced a critical challenge: they needed to limit access to the management account (also known as the payer account) while still enabling effective Cloud Financial Management.
CrowdStrike’s IT FinOps team required comprehensive access to cost management tools, including AWS Cost Explorer, AWS Cost Optimization Hub, and AWS Compute Optimizer. The team also needed permissions to purchase AWS Savings Plans and Reserved Instances. However, organization-wide visibility into cost and usage typically requires management account access, which conflicted with CrowdStrike’s security requirements.
Taking a Security-First Approach to Cloud Financial Management
In an AWS Organization, the management account is the AWS account that owns and pays for all the other member accounts. This account allows you to create accounts in the organization, invite existing accounts, remove accounts, designate delegated administrators, manage invitations, apply policies, and enable trusted access (integration) for other AWS services. CrowdStrike addressed their challenge by creating a dedicated FinOps admin account within their AWS Organization.
This new AWS account within their organization maintained least-privilege permissions while providing comprehensive cost management capabilities. The solution delivered three key benefits:
• Clear separation between security and financial management functions
• Centralized cost management activities in a dedicated environment
• Scalable foundation for future organizational growth
“By implementing a dedicated FinOps admin account, we’ve eliminated the need for management account access while improving our team’s ability to optimize cloud spending. This has transformed how we manage our cloud costs while maintaining our stringent security standards.” – Lorenzo Orsatti, Director, IT DevOps and Infrastructure, CrowdStrike
Technical Implementation: A Step-by-Step Guide
CrowdStrike’s implementation strategy focused on interconnected tracks that worked together to create a robust and secure FinOps environment. Below is the detailed technical guidance for implementing a similar solution.
Step 1: Define Your FinOps Service Requirements
Before creating the dedicated FinOps admin account, identify the AWS services your FinOps team requires. CrowdStrike’s implementation included access to the following core services:
- AWS Cost Optimization Hub centralizes over 18 types of AWS cost optimization recommendations, including EC2 instance rightsizing recommendations, idle resource recommendations, and Savings Plans opportunities across your entire organization.
- AWS Compute Optimizer provides machine learning-powered right-sizing recommendations for EC2 instances, Auto Scaling groups, and other compute resources. This service analyzes historical utilization patterns to recommend optimal instance types and sizes.
- AWS Savings Plans management capabilities enable the team to analyze, purchase, and monitor commitment-based discount programs. This includes both Compute Savings Plans and EC2 Instance Savings Plans as well as SageMaker Savings Plans to maximize cost savings across the organization.
- AWS Cost and Usage Reports (CUR) deliver comprehensive cost data export capabilities for advanced analysis. This service enables integration with external tools and provides the granular data needed for sophisticated cost allocation and chargeback processes.
- AWS Cost Explorer: Custom Billing Views enable you to grant member accounts in your organization access to a cost and usage view spanning multiple member accounts.
Step 2: Implement Consolidated IAM Architecture and Service Delegation
IAM Role Foundation
The implementation begins with creating a new IAM role in the dedicated FinOps account that enables all necessary cost optimization activities. This role combines AWS-managed policies with custom permissions to provide necessary capabilities.
The AWS-managed policies provide baseline functionality:
· Billing (the AWS-managed job function policy) for essential billing access
· AWSSavingsPlansFullAccess for commitment management
· ComputeOptimizerReadOnlyAccess for optimization recommendations
· CostOptimizationHubAdminAccess for centralized optimization dashboard
Service Delegation Implementation
Service delegation represents the technical foundation that enables organization-wide visibility without requiring direct management account access. CrowdStrike implemented delegation for multiple AWS services using AWS CLI commands.
- Cost Optimization Hub Delegation: CrowdStrike first enabled trusted service access for Cost Optimization Hub within their AWS Organization:
aws organizations enable-aws-service-access --service-principal cost-optimization-hub.bcm.amazonaws.com
- They then registered their dedicated FinOps account (123456789012) as the delegated administrator:
aws organizations register-delegated-administrator --account-id 123456789012 --service-principal cost-optimization-hub.bcm.amazonaws.com
This delegation enables the FinOps team to identify, filter, and aggregate over 18 types of AWS cost optimization recommendations across the entire organization, including EC2 instance rightsizing, idle resource identification, and Savings Plans opportunities.
- Trusted Advisor Delegation: Similar delegation was established for AWS Trusted Advisor to provide organization-wide access to best practice recommendations:
aws organizations enable-aws-service-access --service-principal trustedadvisor.amazonaws.com
aws organizations register-delegated-administrator --account-id 123456789012 --service-principal trustedadvisor.amazonaws.com
- Compute Optimizer Delegation: For comprehensive right-sizing recommendations across the organization:
aws organizations enable-aws-service-access --service-principal compute-optimizer.amazonaws.com
aws organizations register-delegated-administrator --account-id 123456789012 --service-principal compute-optimizer.amazonaws.com
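The three enable/register pairs above are a one-time procedure; in practice you want them to be idempotent and to surface any delegation that does not match the intended FinOps account. The script below is an added example, not CrowdStrike’s or AWS’s code: it reconciles the page’s three service principals against a desired state using the same Organizations API calls the CLI commands wrap (`list-aws-service-access-for-organization`, `enable-aws-service-access`, `list-delegated-administrators`, `register-delegated-administrator`). A constructed in-memory `FakeOrganizations` client stands in for `boto3.client("organizations")` so it runs offline; the account id is the page’s placeholder.

```python
"""Reconcile AWS Organizations service delegation for a dedicated FinOps account.

Constructed example. Pass boto3.client("organizations") as `org` in real use;
FakeOrganizations below mimics the four calls so the script runs offline.
"""
FINOPS_ACCOUNT = "123456789012"  # placeholder from the page, not a real account

# Service principals delegated on the page: Cost Optimization Hub, Trusted Advisor, Compute Optimizer.
DELEGATIONS = {
    "cost-optimization-hub.bcm.amazonaws.com": FINOPS_ACCOUNT,
    "trustedadvisor.amazonaws.com": FINOPS_ACCOUNT,
    "compute-optimizer.amazonaws.com": FINOPS_ACCOUNT,
}


def reconcile(org, desired):
    """Enable trusted access and register the delegated admin where missing.

    Returns the actions taken. Any other account already delegated for a
    principal is reported as an 'unexpected-admin' finding, never removed
    automatically: that is a review decision, not something to script away.
    """
    actions = []
    resp = org.list_aws_service_access_for_organization()
    enabled = {p["ServicePrincipal"] for p in resp["EnabledServicePrincipals"]}
    for principal, account in desired.items():
        if principal not in enabled:  # mirrors: aws organizations enable-aws-service-access
            org.enable_aws_service_access(ServicePrincipal=principal)
            actions.append(("enable", principal))
        resp = org.list_delegated_administrators(ServicePrincipal=principal)
        admins = {a["Id"] for a in resp["DelegatedAdministrators"]}
        if account not in admins:  # mirrors: aws organizations register-delegated-administrator
            org.register_delegated_administrator(AccountId=account, ServicePrincipal=principal)
            actions.append(("register", principal, account))
        for extra in sorted(admins - {account}):
            actions.append(("unexpected-admin", principal, extra))
    return actions


class FakeOrganizations:
    """Constructed in-memory stand-in for the boto3 Organizations client (unpaginated)."""

    def __init__(self, enabled=(), admins=None):
        self.enabled = set(enabled)
        self.admins = {k: set(v) for k, v in (admins or {}).items()}

    def list_aws_service_access_for_organization(self):
        return {"EnabledServicePrincipals": [{"ServicePrincipal": p} for p in sorted(self.enabled)]}

    def enable_aws_service_access(self, ServicePrincipal):
        self.enabled.add(ServicePrincipal)

    def list_delegated_administrators(self, ServicePrincipal):
        return {"DelegatedAdministrators": [{"Id": a} for a in sorted(self.admins.get(ServicePrincipal, ()))]}

    def register_delegated_administrator(self, AccountId, ServicePrincipal):
        if ServicePrincipal not in self.enabled:  # enforce the enable-then-register order used on the page
            raise RuntimeError("enable trusted access before registering a delegated administrator")
        self.admins.setdefault(ServicePrincipal, set()).add(AccountId)


if __name__ == "__main__":
    # Constructed starting state: Trusted Advisor already delegated to a different account.
    org = FakeOrganizations(enabled=["trustedadvisor.amazonaws.com"],
                            admins={"trustedadvisor.amazonaws.com": ["999999999999"]})
    for action in reconcile(org, DELEGATIONS):
        print(action)
```

Running it twice shows the second pass makes no API changes and only repeats the unexpected-admin finding, which is the property you want before wiring it into a pipeline.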
In addition to implementing access to the above services, CrowdStrike also took steps to enhance the FinOps team’s ability to manage costs. This included creating Custom Billing Views to grant the FinOps account access to the entire organization’s cost management data, enabling them to use tools like AWS Cost Explorer and create detailed budgets. Furthermore, CrowdStrike attached the AWSSavingsPlansFullAccess managed policy, allowing the team to effectively manage Savings Plans resources across the organization.
Step 3: Configure Governance and Approval Workflows
CrowdStrike established structured governance processes to balance efficiency with appropriate oversight. For example, the organization developed a centralized Savings Plans approval workflow where all purchase requests—regardless of the originating team—must be submitted to the FinOps team. The FinOps team then uses their access from the dedicated account to validate requirements and execute purchases, ensuring consistent governance over financial commitments without exposing the management account to broader access.
The process begins with the FinOps team gathering recommendations using the delegated Cost Optimization Hub access. These recommendations leverage machine learning algorithms to analyze historical usage patterns and identify optimal commitment opportunities.
The FinOps team creates comprehensive purchase proposals that include projected savings analysis, commitment terms, risk assessments, and implementation timelines. These proposals undergo Finance team review and approval, ensuring alignment with organizational budget and cash flow requirements.
Upon approval, the FinOps team executes purchases through their delegated permissions, with automated notifications sent to both teams to maintain transparency and accountability throughout the process.
Establishing Organizational Best Practices
Beyond the technical implementation, CrowdStrike recognized the importance of strict permissions and enforced them by conducting regular reviews of the users with access to the FinOps account and making appropriate adjustments (adding or removing users and updating permissions) as roles evolved over time.
The organization established comprehensive monitoring and compliance measures, including automated AWS CloudTrail logging to track all API calls and AWS Config rules to monitor permission changes in real-time. They maintained detailed documentation covering implementation specifics—such as IAM policy templates, role definitions, and account structure diagrams—and created role-based training programs (separate tracks for developers, DevOps engineers, and security teams) to ensure members understood both capabilities and limitations. For example, developers learned how to request temporary elevated permissions through a self-service portal, while security teams understood how to audit and revoke access within 24 hours. Clear escalation procedures were established, such as routing permission-related issues to the security team and critical compliance violations directly to leadership, ensuring problems could be resolved quickly without compromising security or operational efficiency.
Conclusion
CrowdStrike’s implementation of a dedicated FinOps admin account demonstrates that organizations can achieve efficient cost management while limiting management/payer account access. Their approach provides a clear framework that other organizations can adapt for their own environments, particularly those operating at scale where both cost management complexity and security requirements are high.
Looking ahead, CrowdStrike continues to explore opportunities to enhance their cost management capabilities, including deeper integration with internal systems and advanced automation of optimization processes.