5 tools to detect unused AWS resources before they drain your budget
Unused AWS resources are invisible costs. An unattached EBS volume costs £0.10 per GB per month. You forget it exists. Six months later you've spent £100 on nothing. Multiply that across unattached volumes, idle instances, forgotten Elastic IPs, and snapshots nobody uses. The waste adds up to thousands per year.
Five tools can catch this. Use them.
1. AWS Trusted Advisor
Trusted Advisor scans your entire AWS environment for idle resources and cost-saving opportunities. EC2 instances stopped for 30+ days. Elastic IPs not attached to anything. Underutilised Reserved Instances.
Free version gives you basic checks. Paid support (£29-100+ per month) gives you all checks plus weekly email summaries.
For SMBs, it's usually the best starting point. Low friction. Integrated into the console. Colour-coded output (red = fix now, yellow = consider, green = good).
Limitation: it recommends but doesn't automate. You have to go delete things manually.
2. AWS Cost Explorer
Cost Explorer breaks down your bill by service, region, usage type. Filter by "unused" or "underutilised" resources. The Resource Optimisation report specifically flags unused EC2 instances based on CPU and network usage.
It's free. API calls for programmatic access cost £0.01 per page.
Strength is the financial angle. You see not just unused resources but how much they're costing you. Month-over-month cost changes are highlighted. Forecasting shows predicted future costs.
Limitation: billing data lags 24 hours. Not useful for real-time decisions.
3. AWS Config
Config tracks resource configurations. It's particularly good at finding orphaned resources: unattached EBS volumes, Elastic IPs not linked to instances, load balancers with no backends, unused security groups, IAM roles nobody uses.
Can automate remediation. Set a rule. When Config finds an unattached volume that's 90 days old, auto-remediate by tagging it or sending an SNS alert.
Costs: £0.002 per configuration item per month, plus rule evaluation costs. Can get expensive at scale. First 7,500 items are free.
Best for compliance-focused environments where you need audit trails and automated remediation. Overkill for simple resource cleanup.
4. Amazon CloudWatch
CloudWatch monitors real-time metrics. For databases (DynamoDB, Keyspaces), track ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits. Zero consumption for 30 days = unused table.
CloudWatch Alarms can trigger actions when resources are idle. Integrate with Lambda to auto-delete or notify teams.
Free tier includes basic monitoring. Additional metrics cost £0.10 per metric per month.
Good for identifying idle databases and unused indexes. Not ideal for finding unattached volumes or network-level waste.
5. IAM Access Analyzer
This one catches permission creep. Identifies IAM roles and users that haven't been used in 30+ days. Also finds overly permissive policies that grant access to services the user never touches.
External access analysis is free. Internal analysis costs ~£0.16 per role per month.
Good for security and cost. Unused roles cost nothing to keep, but they're security liabilities. Removing them tightens your environment.
Limited to IAM. Doesn't help with compute or storage waste.
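The 30-day check described above can be approximated from IAM's own last-used data. This is an added example, not code from the original article and not Access Analyzer itself: it reads the RoleLastUsed field that IAM GetRole returns, and the role names and the fixed evaluation date in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

THRESHOLD = timedelta(days=30)  # the article's 30+ day window

def classify_role(role, now):
    """Classify one dict shaped like the "Role" object returned by IAM GetRole."""
    if role["Path"].startswith("/aws-service-role/"):
        return "skip"  # service-linked roles are managed by the AWS service
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is not None:
        return "stale" if now - last_used >= THRESHOLD else "active"
    # No recorded use: a role created this week is not yet evidence of waste.
    return "never-used" if now - role["CreateDate"] >= THRESHOLD else "new"

def unused_roles(roles, now):
    """Return {role name: reason} for roles that should go to human review."""
    verdicts = {r["RoleName"]: classify_role(r, now) for r in roles}
    return {n: v for n, v in verdicts.items() if v in ("stale", "never-used")}

def fetch_roles():
    """Live collection; needs boto3 plus iam:ListRoles and iam:GetRole."""
    import boto3  # imported lazily so the sample below runs offline
    iam = boto3.client("iam")
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            # ListRoles does not populate RoleLastUsed, so call GetRole per role.
            yield iam.get_role(RoleName=summary["RoleName"])["Role"]

# Constructed sample data (hypothetical role names), evaluated at a fixed time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _role(name, created_days, used_days=None, path="/"):
    """Build a sample role created/used the given number of days before NOW."""
    used = {} if used_days is None else {"LastUsedDate": NOW - timedelta(days=used_days)}
    return {"RoleName": name, "Path": path, "RoleLastUsed": used,
            "CreateDate": NOW - timedelta(days=created_days)}

SAMPLE = [
    _role("ci-deploy", 400, used_days=2),   # in regular use
    _role("old-etl", 400, used_days=95),    # last used over 30 days ago
    _role("poc-lambda", 200),               # old and never assumed
    _role("new-app", 5),                    # too new to judge
    _role("AWSServiceRoleForSupport", 900, path="/aws-service-role/support.amazonaws.com/"),
]

if __name__ == "__main__":
    for name, reason in unused_roles(SAMPLE, NOW).items():
        print(f"{name}: {reason}")
```

To run it against a live account, pass fetch_roles() and datetime.now(timezone.utc) to unused_roles.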
Quick ranking for SMBs
Start with AWS Cost Explorer (free). See where money goes.
Then AWS Trusted Advisor (free checks or cheap support plan). Get actionable recommendations.
Add CloudWatch if you're database-heavy. Catch idle DynamoDB tables and indexes.
Use AWS Config only if you need compliance tracking or automated remediation at scale.
IAM Access Analyzer is a quick security win. Free to start.
Real example
Team A:
- 4 unattached EBS volumes, 100GB each: £40/month
- 2 stopped EC2 instances (still pay for EBS): £30/month
- 3 unused Elastic IPs: £10/month
- Forgotten RDS snapshot, 500GB: £50/month
Total waste: £130/month = £1,560 per year
Cost Explorer would flag the EBS and RDS spend immediately. Trusted Advisor would list the stopped instances and unattached IPs. CloudWatch (for RDS) would show the snapshot.
One afternoon of cleanup saves £1,560 yearly.
Where Critical Cloud comes in
Most waste goes unnoticed because it's spread across services. A volume here, a snapshot there, an unused index somewhere else. Nobody sees the total.
We're a Powered by Datadog accredited partner. We pull together waste signals from across AWS into one dashboard. You see idle resources, unused capacity, and wasted spend in context.
If unused resources are silently draining your budget, see how Critical Support works.