Enengius LLC

AWS Waste Scanner

Automatically detect unused AWS resources and reduce cloud waste.

Work in Progress

Many AWS accounts accumulate thousands of dollars per year in unused resources. Waste Scanner identifies these automatically with minimal infrastructure to deploy.

No agents. No software. Minimal infrastructure.

Features

  • Set exclusion tags
  • Scan AWS regions configured by you
  • Get daily reports via SNS
  • Usage-based pricing by the number of resources scanned

Find EC2 Waste

  • Detect stale snapshots
  • Detect unattached volumes
  • Detect unused Elastic IPs

Coming Soon

  • S3 buckets
  • Reporting Improvements
  • Idle and stale EC2 instances
  • RDS snapshots

How It Works

Waste Scanner runs in our AWS account and assumes a role in your account. The role has read-only permissions. Waste Scanner uses this role to obtain its configuration for your account from AWS SSM and S3. Any configuration changes are read once a day.
Waste Scanner scans your account for certain resource types. For example, it lists Elastic IPs and finds the ones that are unattached. It then builds a list of such potentially unused resources and sends the list to the SNS topic you have specified. You must subscribe to the SNS topic in order to receive the report. To keep payloads within AWS limits, Waste Scanner may send multiple messages per day.
Check the sample configuration file (below) for the many ways to configure Waste Scanner. You can set global or per-resource-type exclusion tags. Waste Scanner will ignore resources whose tag keys match the configured exclusion tags.
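The scan-and-report loop described above, as an added Python example that is not Waste Scanner's own code: it takes responses shaped like EC2 DescribeAddresses and DescribeVolumes, drops resources that carry a global or per-resource-type exclusion tag key, and splits the findings into messages that fit the SNS Publish size limit. The sample responses, the exclusion-config layout (a `global` list plus per-type lists) and the report layout are all constructed here for illustration; the real configuration file format is whatever the sample configuration file specifies.

```python
"""Added example, not Waste Scanner's code. Finds unattached Elastic IPs and
unattached EBS volumes, honours exclusion tag keys, and chunks the report.
All sample data and the config layout below are constructed assumptions."""
import json

SNS_MAX_BYTES = 256 * 1024  # SNS Publish message size limit (256 KB)

# Constructed samples shaped like EC2 DescribeAddresses / DescribeVolumes output.
# An Elastic IP without an AssociationId is unattached; a volume with State
# "available" and no Attachments is unattached.
SAMPLE_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a1",
     "AssociationId": "eipassoc-1", "Tags": []},                      # attached
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0a2", "Tags": []},  # unattached
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0a3",
     "Tags": [{"Key": "keep", "Value": "true"}]},                     # unattached, excluded
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-001", "State": "in-use",
     "Attachments": [{"InstanceId": "i-1"}], "Tags": []},              # attached
    {"VolumeId": "vol-002", "State": "available", "Attachments": [], "Tags": []},  # unattached
    {"VolumeId": "vol-003", "State": "available", "Attachments": [],
     "Tags": [{"Key": "do-not-delete", "Value": ""}]},                 # unattached, excluded
]

# Constructed exclusion config: "global" applies to every type, the rest per type.
EXCLUSION_CONFIG = {"global": ["keep"], "elastic_ip": [], "volume": ["do-not-delete"]}


def exclusion_keys_for(config, resource_type):
    """Global exclusion keys plus the keys configured for one resource type."""
    return set(config.get("global", [])) | set(config.get(resource_type, []))


def is_excluded(resource, exclusion_keys):
    """True when any of the resource's tag keys matches an exclusion key."""
    keys = {t["Key"] for t in resource.get("Tags", [])}
    return bool(keys & exclusion_keys)


def find_unattached_eips(addresses, config):
    keys = exclusion_keys_for(config, "elastic_ip")
    return [a["AllocationId"] for a in addresses
            if "AssociationId" not in a and not is_excluded(a, keys)]


def find_unattached_volumes(volumes, config):
    keys = exclusion_keys_for(config, "volume")
    return [v["VolumeId"] for v in volumes
            if v.get("State") == "available" and not v.get("Attachments")
            and not is_excluded(v, keys)]


def build_report(addresses, volumes, config):
    """Report of potentially unused resource ids, grouped by finding type."""
    return {
        "unattached_elastic_ips": find_unattached_eips(addresses, config),
        "unattached_volumes": find_unattached_volumes(volumes, config),
    }


def chunk_report(report, max_bytes=SNS_MAX_BYTES):
    """Serialize findings into one or more JSON messages, each under max_bytes.

    A single oversized finding still goes out on its own rather than being
    dropped, so nothing in the report is silently lost."""
    findings = [{"type": kind, "id": rid} for kind, ids in report.items() for rid in ids]
    messages, current = [], []
    for finding in findings:
        candidate = current + [finding]
        if current and len(json.dumps(candidate).encode()) > max_bytes:
            messages.append(json.dumps(current))
            current = [finding]
        else:
            current = candidate
    if current:
        messages.append(json.dumps(current))
    return messages


if __name__ == "__main__":
    report = build_report(SAMPLE_ADDRESSES, SAMPLE_VOLUMES, EXCLUSION_CONFIG)
    for msg in chunk_report(report):
        print(msg)  # in the real service each message would be one SNS publish
```

With the constructed data the report names only `eipalloc-0a2` and `vol-002`; the two tagged resources are suppressed by the global and per-type exclusion keys respectively. Passing a small `max_bytes` to `chunk_report` shows how one report becomes several messages, which is the behaviour the text describes for large accounts.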

Security

The IAM role remains fully under your control. It grants read-only access to resource metadata only.

Waste Scanner cannot create, modify, or delete any resources in your account and does not access application data.

The Waste Scanner service runs entirely on AWS managed services, which inherit AWS security controls.

Our service roles use least-privilege IAM.

Data Handling

Waste Scanner processes resource metadata obtained via the cross-account IAM role.

Metadata necessary for reporting is temporarily stored in an encrypted S3 bucket in the us-east-2 region. Stored metadata is retained only as long as necessary to generate reports.

Customer metadata is logically isolated using account-specific prefixes within an access-controlled S3 bucket.

No customer application data is accessed or stored.

Reports are delivered directly to your SNS topic within your AWS account.

Resource tag keys are included in your reports.

Encryption

Waste Scanner uses AWS-managed encryption for data at rest and TLS for data in transit.

We do not manage or store customer encryption keys directly.

Getting Started

AWS IAM

Create an AWS IAM role named waste-scanner in your account. This role requires the following. Please be sure to insert the correct values in the places indicated.

Variables to replace

  • ${CUSTOMER_ACCOUNT} - your AWS account number
  • ${CUSTOMER_CONFIG_BUCKET_NAME} - S3 bucket name containing the Waste Scanner configuration file

SNS

Create an SNS topic in your account. The name can be anything, but you must update the resource policy as shown below.

Variables to replace

  • ${CUSTOMER_ACCOUNT} - your AWS account number
  • ${SNS_TOPIC_ARN} - ARN of the SNS topic
  • ${WASTE_SCANNER_IAM_ROLE_ARN} - ARN of the IAM role

AWS SSM Parameters

The following parameters are required in your account's AWS SSM Parameter Store.
These parameters must be created in the us-east-2 region, which is the control region used by Waste Scanner.

Configuration

Download the sample configuration file, customize it, and upload it to your S3 bucket.