The scanner setup uses read-only access. It cannot delete resources, stop instances, resize databases, change networking, or remediate workloads. The optional proactive monitor is a separate customer-owned EventBridge rule for selected creation events.

You do not have to take our word for it. Inspect before you connect: the exact read-only IAM role template (CloudFormation) and exactly what it checks. AWS also shows the full template before you create the stack.

Read-only connection

Sign in, then deploy the read-only role.

Cloud Cost Clinic creates one UUID external ID for your product account and passes it into the CloudFormation Quick-Create link. After AWS creates the read-only role, enter the 12-digit AWS account ID. Cloud Cost Clinic constructs the fixed role ARN server-side and validates the external ID trust before scanning.

Free product account; no separate scanner tool or second onboarding
No write access, delete permissions, access keys, or secrets
One customer-owned IAM role with an external ID trust condition
Findings are review candidates, not automatic cleanup instructions

Step 1: product account

Sign in or create a free Cloud Cost Clinic account before connecting AWS.

Region to open the AWS console in

AWS will show the full template before you create the stack. The template creates one read-only IAM role and uses the unique external ID tied to your Cloud Cost Clinic account.

Scanner dashboard

Your latest read-only scan

Sign in to load stored scan history.

Add another account

Scan report

Review queue, not a delete list.

Findings will appear here after the read-only scan runs.

Optional proactive monitor

Catch expensive resources when they are created.

After a successful scan, Cloud Cost Clinic can allow this AWS account to forward selected CloudTrail resource-creation events. The optional stack creates an EventBridge rule only. It does not delete, stop, start, resize, or remediate resources.

Default watch list

We watch NAT gateways, GPU/large EC2, RDS/Aurora, Redshift, OpenSearch, EKS, EMR, SageMaker endpoints and notebooks, MSK, Elastic IPs, and selected large/high-IOPS EBS or fleet events.

Tier 1 starts enabled. Tier 2 is forwarded for context but muted by default; tuning belongs in alert preferences after real alerts show what is noisy for this account.

Deploy resource-birth monitor

This monitor depends on CloudTrail management events reaching EventBridge in the Region where the rule is deployed.

Recent proactive alerts

Alerts will appear after the optional monitor sees matching events.

Alert preferences

Tune what the proactive monitor alerts on.

These apply to resource-birth alerts only. Changes take effect on the next matching event. The read-only scan and the deployed EventBridge rule are unchanged.

What it checks

A review queue for common AWS cost risks.

The scanner is intentionally narrower than an enterprise FinOps platform. It focuses on common waste signals small AWS accounts miss, then explains what to verify before changing anything.

Resource-birth alerts

Optional EventBridge monitoring for expensive resources at creation time.

Unattached EBS volumes and old snapshots

Review storage that may keep billing even when workloads are gone.

Idle Elastic IPs and public IPv4 spend

Find IP addresses that deserve owner, DNS, and allowlist checks.

CloudWatch log groups without retention

Flag log storage that can grow quietly without a retention policy.

Missing budgets and anomaly detection

Catch missing billing safeguards before a surprise bill arrives.

ECR repositories without lifecycle policies

Review image cleanup rules before old container images pile up.

Workflow

How the AWS waste scanner setup works.

1

Create your account

The backend creates or reuses a UUID external ID tied to your Cloud Cost Clinic product account.

2

Deploy the role

AWS CloudFormation opens with the scanner role template and the external ID already filled in.

3

Review findings

Scanner findings end with cost signal, evidence, risk level, and next action. They are not just "looks unused."

4

Enable proactive alerts

Optionally deploy an EventBridge monitor for selected resource-creation events after the first read-only scan works.

Related AWS waste guides

These guides explain the same cost areas the scanner is designed to flag, including how to verify ownership, dependencies, and backup needs before cleanup.

Elastic IP cost in AWS

Review idle public IPv4 spend without releasing important addresses blindly.

EBS snapshot cost review

Find old snapshots while checking AMIs, backups, and rollback needs.

CloudWatch Logs cost

Understand how missing retention can turn logs into quiet storage cost.

AWS ECR cost control

Use lifecycle policies carefully to keep registry storage under control.

FAQ

AWS waste scanner questions

Does the AWS waste scanner delete resources?

No. The scanner setup is read-only. Findings are review items that explain what to verify before making any AWS changes.

Why do I have to sign in before deploying the stack?

The role needs a unique external ID so the trust policy is not anonymous. The same product account also keeps the free scan and future continuous monitoring in one upgrade path.

What does the Deploy Stack button create?

It opens AWS CloudFormation with a small template that creates one read-only IAM role. It does not create NAT Gateways, databases, compute resources, access keys, or remediation permissions.

What does the proactive monitor create?

The optional monitor stack creates one EventBridge rule and one forwarding role for selected CloudTrail resource-creation events. It does not grant remediation permissions or change workloads.

Is this a full FinOps dashboard?

No. It is a lightweight AWS bill-surprise scanner for learners, solo builders, and small teams that want a plain-English review queue.

Find your AWS waste - free.