CLI tool that audits your AWS account for common cost waste patterns
Project description
aws-cost-audit
An open-source CLI tool that audits your AWS account for common cost waste patterns and produces actionable findings.
Built by Forrict — AWS cloud consultancy in the Netherlands.
What it does
aws-cost-audit scans your AWS account for 15 common cost waste patterns and produces a table of findings with recommendations. Each check is self-contained and gracefully handles missing permissions.
aws-cost-audit 0.1.0 — running checks...
[PASS] Unused EC2 Instances
[FAIL] Unattached EBS Volumes
[WARN] Old EBS Snapshots
[PASS] Idle Load Balancers
[FAIL] Unattached Elastic IPs
...
Check Name Status Finding Recommendation
------------------------------- ------- ------------------------------------------------- ---------------------------------------------------
Unused EC2 Instances PASS No running EC2 instances found. No action required.
Unattached EBS Volumes FAIL 3 unattached volume(s) totalling 300 GiB: ... Delete volumes that are no longer needed.
Old EBS Snapshots WARN 12 snapshot(s) older than 90 days (1200 GiB)... Implement a lifecycle policy using AWS DLM.
...
Summary: 8 PASS | 4 WARN | 2 FAIL | 1 INFO
Checks (15)
| # | Check | What it detects |
|---|---|---|
| 1 | Unused EC2 Instances | Running instances with avg CPU < 10% over 14 days |
| 2 | Unattached EBS Volumes | Volumes in "available" state (not attached to any instance) |
| 3 | Old EBS Snapshots | Snapshots older than 90 days |
| 4 | Idle Load Balancers | ALBs/NLBs with no healthy targets or zero requests (7 days) |
| 5 | Unattached Elastic IPs | EIPs allocated but not associated |
| 6 | Oversized EC2 Instances | Running instances with avg CPU < 20% (right-sizing candidates) |
| 7 | RI / Savings Plan Coverage | Low commitment coverage vs On-Demand spend |
| 8 | S3 Lifecycle Policies | Buckets without lifecycle rules |
| 9 | Unused NAT Gateways | NAT Gateways with zero traffic (7 days) |
| 10 | CloudWatch Log Retention | Log groups without a retention policy |
| 11 | Idle RDS Instances | RDS instances with < 1 avg connection over 14 days |
| 12 | Previous-Generation Instance Types | EC2 instances on old families (m1, m3, c3, r3, etc.) |
| 13 | Unused Lambda Functions | Functions with 0 invocations over 30 days |
| 14 | Underused DynamoDB Tables | Provisioned tables using < 20% of capacity |
| 15 | Cost Allocation Tags | Resources missing Environment/Project/Owner/CostCenter tags |
Installation
Pre-built binaries
Download the latest binary for your platform from GitHub Releases:
Linux (amd64)
curl -Lo aws-cost-audit https://github.com/Forrict/aws-cost-audit/releases/latest/download/aws-cost-audit-linux-amd64
chmod +x aws-cost-audit
sudo mv aws-cost-audit /usr/local/bin/
macOS (Apple Silicon)
curl -Lo aws-cost-audit https://github.com/Forrict/aws-cost-audit/releases/latest/download/aws-cost-audit-macos-arm64
chmod +x aws-cost-audit
sudo mv aws-cost-audit /usr/local/bin/
Windows (amd64)
Download aws-cost-audit-windows-amd64.exe from the releases page and add it to your PATH.
pip (Python 3.9+)
pip install aws-cost-audit
From source
git clone https://github.com/Forrict/aws-cost-audit.git
cd aws-cost-audit
pip install .
Usage
# Run all checks
aws-cost-audit
# Run with verbose per-resource output
aws-cost-audit --verbose
# Run specific checks only
aws-cost-audit --checks ebs_unattached eip_unattached
# List available checks
aws-cost-audit --list-checks
# Output as JSON (writes to cost-report.json by default)
aws-cost-audit --output json
# Output as CSV (writes to cost-report.csv by default)
aws-cost-audit --output csv
# Write report to a specific file
aws-cost-audit --output json --output-file my-report.json
# Disable color output (useful for CI/logging)
aws-cost-audit --no-color
# Exit code: 0 = all pass, 1 = warnings or failures found
aws-cost-audit && echo "All clean!" || echo "Issues found."
Required IAM Permissions
The tool uses read-only AWS API calls. Attach these permissions to the IAM user or role running the tool:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeAddresses",
"ec2:DescribeNatGateways",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"cloudwatch:GetMetricStatistics",
"ce:GetSavingsPlansCoverage",
"ce:GetReservationCoverage",
"s3:ListAllMyBuckets",
"s3:GetBucketLifecycleConfiguration",
"s3:GetBucketTagging",
"logs:DescribeLogGroups",
"rds:DescribeDBInstances",
"lambda:ListFunctions",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}
AWS Credentials
The tool uses the default AWS credential chain (environment variables, ~/.aws/credentials, IAM role, etc.).
# Using environment variables
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_DEFAULT_REGION=eu-west-1
aws-cost-audit
# Using a named profile
AWS_PROFILE=my-sandbox aws-cost-audit
# Using AWS SSO
aws sso login --profile my-profile
AWS_PROFILE=my-profile aws-cost-audit
Check Descriptions
Detailed descriptions of each check (what it checks, why it matters, typical savings) are in check_descriptions.yaml.
License
MIT — see LICENSE.
Contributing
Issues and PRs welcome. Each check lives in aws_cost_audit/checks/ as a self-contained module with a single run() -> CheckResult function.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file aws_cost_audit-0.1.0.tar.gz.
File metadata
- Download URL: aws_cost_audit-0.1.0.tar.gz
- Upload date:
- Size: 18.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bb30e66919796c200b1cecb58e5c54a15f88ee24be460656d09a69c3539a9640
|
|
| MD5 |
d40733d5f4ab23780f3f26e28f60abfc
|
|
| BLAKE2b-256 |
260977636f2de2e5c1f8ca5fb27b1539a9cd31369229fd8605c52aaaf37a1dc3
|
Provenance
The following attestation bundles were made for aws_cost_audit-0.1.0.tar.gz:
Publisher:
release.yml on Forrict/aws-cost-audit
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
aws_cost_audit-0.1.0.tar.gz -
Subject digest:
bb30e66919796c200b1cecb58e5c54a15f88ee24be460656d09a69c3539a9640 - Sigstore transparency entry: 1347977924
- Sigstore integration time:
-
Permalink:
Forrict/aws-cost-audit@4ea520446e6f7632c6ff60e5e3be4b07117cfcc4 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/Forrict
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@4ea520446e6f7632c6ff60e5e3be4b07117cfcc4 -
Trigger Event:
push
-
Statement type:
File details
Details for the file aws_cost_audit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: aws_cost_audit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 27.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
761d1a0a1ab26c77db337de4b3782435f86b4c8ea0c2090bfbad5cc39a361c6a
|
|
| MD5 |
c90a4c7c72560e126a6a5dbaae94601e
|
|
| BLAKE2b-256 |
739bbe6b86d9b4874d05b29935af21bfbf66c5573f4fc8869e8d1940a9c46515
|
Provenance
The following attestation bundles were made for aws_cost_audit-0.1.0-py3-none-any.whl:
Publisher:
release.yml on Forrict/aws-cost-audit
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
aws_cost_audit-0.1.0-py3-none-any.whl -
Subject digest:
761d1a0a1ab26c77db337de4b3782435f86b4c8ea0c2090bfbad5cc39a361c6a - Sigstore transparency entry: 1347977943
- Sigstore integration time:
-
Permalink:
Forrict/aws-cost-audit@4ea520446e6f7632c6ff60e5e3be4b07117cfcc4 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/Forrict
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@4ea520446e6f7632c6ff60e5e3be4b07117cfcc4 -
Trigger Event:
push
-
Statement type: