30% of cloud spend is wasted. How much of yours?

Industry studies put cloud waste near 30% (Flexera State of the Cloud, 2025). A free, read-only scan shows what might be hiding in your AWS account in about five minutes — no write access, no delete buttons.

A review queue, not a delete list. The scanner cannot change, stop, or delete anything in your account.

Read-only IAM access level
0 write permissions
1 CloudFormation stack to deploy

How it works

Three steps to a review queue

Deploy a read-only role, run a scan, review the findings. Nothing in your account changes unless you change it.

Deploy

Sign in and deploy one read-only CloudFormation stack. The role trusts the scanner with an external ID and grants metadata, billing, and metrics access only.

Scan

The scanner reads resource metadata and cost signals, looking for common bill-surprise patterns: missing guardrails, idle resources, and unbounded defaults.

Review

You get a plain-English report: what was flagged, why it can cost money, and what to verify before changing anything. Cleanup stays in your hands.

What the scan checks

Where AWS bills quietly grow

The free scan covers the waste patterns small AWS accounts hit most often. Every finding explains what to verify first.

Missing budgets & alerts

No AWS Budget means the first warning is the invoice.

Anomaly detection off

Cost Anomaly Detection catches odd spend, but only if it is on.

Unattached EBS volumes

Detached volumes keep billing until someone reviews them.

Idle Elastic IPs

Idle addresses keep billing even when nothing uses them.

Old EBS snapshots

Snapshots pile up for years when nothing expires them.

Logs with no retention

CloudWatch log groups default to keeping data forever.

ECR without lifecycle

Image repos grow with every push unless a policy prunes them.

Untagged resources

Spend nobody owns is spend nobody reviews.

Want to know if any of this is in your account?


Trust model

Read-only by design

Asking for AWS access is a big deal. The scanner is built so the safe answer is also the default answer.

Read-only IAM role

Access comes from a role you deploy in your own account. It can read metadata and cost signals. It cannot create, modify, stop, or delete resources.

External ID required

The role trusts only the scanner account and requires your unique external ID, the standard pattern for third-party AWS access.

No delete buttons

The report is a review queue, not a cleanup tool. There is no button that changes your account, on purpose.

Plain-English findings

Each finding says why it was flagged, what it can cost, and what to check before acting: owner, dependencies, backups, rollback.

Minimal data kept

The scan stores as little as possible and keeps reports for a short window. Public examples always use demo data.

You stay in control

Verify first, then act. Every recommendation assumes a human reviews it, and you can delete the stack any time to revoke access.
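Before deploying any third-party stack, you can confirm the two claims above yourself by reading the role's policies out of the template. The following is an added example, not the scanner's own code: it checks that a trust policy names only the expected account and requires your external ID, and that a permissions policy grants metadata reads only. The account ID, external ID, and both sample policies are constructed placeholders, and the read-verb list is a heuristic assumption.

```python
import re

# Heuristic: IAM action names that start with a read verb. Assumption of this
# example, not an AWS-defined list.
READ_VERBS = re.compile(r"(Get|List|Describe|View|Lookup|Search|BatchGet)", re.I)
# Read verbs that return data content rather than metadata (partial list).
DATA_READS = ("s3:getobject", "secretsmanager:getsecretvalue", "ssm:getparameter")

def as_list(value):
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_trust(policy, scanner_account, external_id):
    """Problems in the role's trust policy: wrong principal or no external ID."""
    problems = []
    ok_principal = re.compile(rf"(arn:aws:iam::)?{scanner_account}(:root|:role/.+)?")
    for st in allow_statements(policy):
        principal = st.get("Principal")
        names = ([p for v in principal.values() for p in as_list(v)]
                 if isinstance(principal, dict) else [principal])
        problems += [f"unexpected principal: {p}" for p in names
                     if not ok_principal.fullmatch(str(p))]
        cond = st.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in cond.items()}  # condition keys are case-insensitive
        if ids.get("sts:externalid") != external_id:
            problems.append("sts:ExternalId condition missing or different")
    return problems

def audit_permissions(policy):
    """Problems in a permissions policy: anything that is not a metadata read."""
    problems = []
    for st in allow_statements(policy):
        if "NotAction" in st:
            problems.append("Allow with NotAction grants everything not listed")
        for action in as_list(st.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if not READ_VERBS.match(verb) or action.lower().startswith(DATA_READS):
                problems.append(f"not a metadata read: {action}")
    return problems

# Constructed sample policies (placeholders, not the scanner's real template).
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:DescribeVolumes", "logs:DescribeLogGroups", "ce:GetCostAndUsage",
    "ec2:DeleteVolume"]}]}
```

A wildcard such as `s3:Get*` passes the verb check while still covering object reads, so expand wildcards by hand before treating a clean result as final.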

Why this exists

Surprise bills are a default, not an accident

Most AWS waste is not a dramatic mistake. It is ordinary defaults left running with nobody assigned to look.

The bill lags the spend

A resource created today shows up on an invoice weeks later. By the time the bill arrives, the waste already happened.

Defaults are unbounded

Log groups keep data forever, snapshots accumulate, and nothing expires on its own unless someone sets it up.

Blind cleanup breaks things

Deleting whatever looks unused is how outages start. The goal is not to delete more. The goal is to delete safely.

Free checklist

Prefer to review by hand?

The AWS Cost Waste Checklist for Small Teams covers the same ground manually: EC2, EBS, snapshots, Elastic IPs, load balancers, NAT Gateway, RDS, S3, CloudWatch Logs, budgets, and tagging — with a verify-first step for each.

Free read-only scan

Find out what is quietly costing you money

Deploy the read-only role, run one scan, and get a plain-English review queue of possible waste and missing guardrails. Verify first, then act.