Uncover Hidden AWS Costs: A Guide to Spotting Idle Resources

Victor Grenu
September 24, 2024

As an AWS consultant, I often see clients struggling with unexpected costs. Let’s explore how to find and eliminate these hidden expenses.

Why This Matters

AWS is great for experimenting, but it’s easy to forget about resources you’ve spun up.
You pay for what you use in the cloud, even if you’re not actively using it.
There are no default billing alerts, so costs can creep up without you noticing.
With 32 AWS regions, it’s hard to keep track of everything manually.

Benefits of Finding Idle Resources

Save money
Reduce security risks
Lower your carbon footprint

How to Find Idle Resources

EC2 Instances

Look at CloudWatch metrics like CPUUtilization and NetworkPacketsIn/Out. If these are very low for a while, the instance might be unused.

RDS Instances

Check the DatabaseConnections metric. If it’s zero for a week, the database might be idle.

EBS Volumes

Find “available” volumes that aren’t attached to any instances:

aws ec2 describe-volumes --query "Volumes[?State=='available'].[VolumeId,Size]" --output table

EBS Snapshots

Identify snapshots older than 90 days:

DATE_90_DAYS_AGO=$(date -u -d "90 days ago" +'%Y-%m-%dT%H:%M:%S')
aws ec2 describe-snapshots --owner-ids YOUR_AWS_ACCOUNT_ID --query "Snapshots[?StartTime< '$DATE_90_DAYS_AGO'].[SnapshotId,StartTime,VolumeId]" --output table

CloudWatch LogGroups

Find log groups without expiration:

aws logs describe-log-groups --query "sort_by(logGroups[?retentionInDays == null], &storedBytes) | reverse(@) | [].[logGroupName, storedBytes]" --output table

IAM Users and Roles

Check when IAM users last used their credentials:

aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d > credential_report.csv
awk -F ',' '{print $1,$5,$10}' credential_report.csv | column -t

For roles, you’ll need to generate a report for each one (see the script in the original post).