Skip to main content

CLI tool that audits your AWS account for common cost waste patterns

Project description

aws-cost-audit

An open-source CLI tool that audits your AWS account for common cost waste patterns and produces actionable findings.

Built by Forrict — AWS cloud consultancy in the Netherlands.

What it does

aws-cost-audit scans your AWS account for 15 common cost waste patterns and produces a table of findings with recommendations. Each check is self-contained and gracefully handles missing permissions.

aws-cost-audit 0.1.0 — running checks...

  [PASS] Unused EC2 Instances
  [FAIL] Unattached EBS Volumes
  [WARN] Old EBS Snapshots
  [PASS] Idle Load Balancers
  [FAIL] Unattached Elastic IPs
  ...

Check Name                       Status   Finding                                            Recommendation
-------------------------------  -------  -------------------------------------------------  ---------------------------------------------------
Unused EC2 Instances             PASS     No running EC2 instances found.                    No action required.
Unattached EBS Volumes           FAIL     3 unattached volume(s) totalling 300 GiB: ...      Delete volumes that are no longer needed.
Old EBS Snapshots                WARN     12 snapshot(s) older than 90 days (1200 GiB)...    Implement a lifecycle policy using AWS DLM.
...

Summary: 8 PASS | 4 WARN | 2 FAIL | 1 INFO

Checks (15)

# Check What it detects
1 Unused EC2 Instances Running instances with avg CPU < 10% over 14 days
2 Unattached EBS Volumes Volumes in "available" state (not attached to any instance)
3 Old EBS Snapshots Snapshots older than 90 days
4 Idle Load Balancers ALBs/NLBs with no healthy targets or zero requests (7 days)
5 Unattached Elastic IPs EIPs allocated but not associated
6 Oversized EC2 Instances Running instances with avg CPU < 20% (right-sizing candidates)
7 RI / Savings Plan Coverage Low commitment coverage vs On-Demand spend
8 S3 Lifecycle Policies Buckets without lifecycle rules
9 Unused NAT Gateways NAT Gateways with zero traffic (7 days)
10 CloudWatch Log Retention Log groups without a retention policy
11 Idle RDS Instances RDS instances with < 1 avg connection over 14 days
12 Previous-Generation Instance Types EC2 instances on old families (m1, m3, c3, r3, etc.)
13 Unused Lambda Functions Functions with 0 invocations over 30 days
14 Underused DynamoDB Tables Provisioned tables using < 20% of capacity
15 Cost Allocation Tags Resources missing Environment/Project/Owner/CostCenter tags

Installation

Pre-built binaries

Download the latest binary for your platform from GitHub Releases:

Linux (amd64)

curl -Lo aws-cost-audit https://github.com/Forrict/aws-cost-audit/releases/latest/download/aws-cost-audit-linux-amd64
chmod +x aws-cost-audit
sudo mv aws-cost-audit /usr/local/bin/

macOS (Apple Silicon)

curl -Lo aws-cost-audit https://github.com/Forrict/aws-cost-audit/releases/latest/download/aws-cost-audit-macos-arm64
chmod +x aws-cost-audit
sudo mv aws-cost-audit /usr/local/bin/

Windows (amd64)

Download aws-cost-audit-windows-amd64.exe from the releases page and add it to your PATH.

pip (Python 3.9+)

pip install aws-cost-audit

From source

git clone https://github.com/Forrict/aws-cost-audit.git
cd aws-cost-audit
pip install .

Usage

# Run all checks
aws-cost-audit

# Run with verbose per-resource output
aws-cost-audit --verbose

# Run specific checks only
aws-cost-audit --checks ebs_unattached eip_unattached

# List available checks
aws-cost-audit --list-checks

# Output as JSON (writes to cost-report.json by default)
aws-cost-audit --output json

# Output as CSV (writes to cost-report.csv by default)
aws-cost-audit --output csv

# Write report to a specific file
aws-cost-audit --output json --output-file my-report.json

# Disable color output (useful for CI/logging)
aws-cost-audit --no-color

# Exit code: 0 = all pass, 1 = warnings or failures found
aws-cost-audit && echo "All clean!" || echo "Issues found."

Required IAM Permissions

The tool uses read-only AWS API calls. Attach these permissions to the IAM user or role running the tool:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeAddresses",
        "ec2:DescribeNatGateways",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "cloudwatch:GetMetricStatistics",
        "ce:GetSavingsPlansCoverage",
        "ce:GetReservationCoverage",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLifecycleConfiguration",
        "s3:GetBucketTagging",
        "logs:DescribeLogGroups",
        "rds:DescribeDBInstances",
        "lambda:ListFunctions",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

AWS Credentials

The tool uses the default AWS credential chain (environment variables, ~/.aws/credentials, IAM role, etc.).

# Using environment variables
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_DEFAULT_REGION=eu-west-1
aws-cost-audit

# Using a named profile
AWS_PROFILE=my-sandbox aws-cost-audit

# Using AWS SSO
aws sso login --profile my-profile
AWS_PROFILE=my-profile aws-cost-audit

Check Descriptions

Detailed descriptions of each check (what it checks, why it matters, typical savings) are in check_descriptions.yaml.

License

MIT — see LICENSE.

Contributing

Issues and PRs welcome. Each check lives in aws_cost_audit/checks/ as a self-contained module with a single run() -> CheckResult function.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws_cost_audit-0.1.0.tar.gz (18.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aws_cost_audit-0.1.0-py3-none-any.whl (27.0 kB view details)

Uploaded Python 3

File details

Details for the file aws_cost_audit-0.1.0.tar.gz.

File metadata

  • Download URL: aws_cost_audit-0.1.0.tar.gz
  • Upload date:
  • Size: 18.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for aws_cost_audit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 bb30e66919796c200b1cecb58e5c54a15f88ee24be460656d09a69c3539a9640
MD5 d40733d5f4ab23780f3f26e28f60abfc
BLAKE2b-256 260977636f2de2e5c1f8ca5fb27b1539a9cd31369229fd8605c52aaaf37a1dc3

See more details on using hashes here.

Provenance

The following attestation bundles were made for aws_cost_audit-0.1.0.tar.gz:

Publisher: release.yml on Forrict/aws-cost-audit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file aws_cost_audit-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: aws_cost_audit-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 27.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for aws_cost_audit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 761d1a0a1ab26c77db337de4b3782435f86b4c8ea0c2090bfbad5cc39a361c6a
MD5 c90a4c7c72560e126a6a5dbaae94601e
BLAKE2b-256 739bbe6b86d9b4874d05b29935af21bfbf66c5573f4fc8869e8d1940a9c46515

See more details on using hashes here.

Provenance

The following attestation bundles were made for aws_cost_audit-0.1.0-py3-none-any.whl:

Publisher: release.yml on Forrict/aws-cost-audit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page