The biggest threat to your cloud budget isn’t oversized instances; it’s the “ghost” resources you don’t even know exist. This guide provides battle-tested methods for finding and eliminating orphaned assets before they cripple your finances.

The Hidden Challenge of Cloud Costs: Knowing What You Don’t Know

I still remember the 3 AM pager alert. It wasn’t a system outage or a database crash. It was a budget alert from AWS, forwarded by a very unhappy finance director. A bill that was supposed to be a predictable $20k had ballooned to over $50k. After a frantic hour of digging, we found the culprit: a cluster of high-end GPU instances, spun up two weeks prior by a developer for a “quick ML model test,” and then completely forgotten. The project was even cancelled, but the resources lived on, silently burning cash. That morning, I realized our biggest challenge wasn’t optimizing known workloads; it was finding the unknown ones.

The Real Problem: Orphaned Resources and The “Tag and Pray” Fallacy

This isn’t just about someone forgetting to turn something off. The root cause is a lack of ownership and visibility in dynamic environments. A developer leaves the company, a project is de-prioritized, a Terraform apply fails halfway through—suddenly you have orphaned resources. These are un-monitored, untagged, and unowned EBS volumes, RDS snapshots, Elastic IPs, and EC2 instances just floating in your account.

Many teams rely on a “tag and pray” strategy, hoping everyone remembers to apply an ‘owner’ or ‘project’ tag. But hope isn’t a strategy. Without enforcement, your tagging system decays, and your AWS account becomes a digital graveyard of expensive, forgotten assets.

Three Ways We Fight Back

Over the years, we’ve developed a tiered approach to this problem at TechResolve. It ranges from the quick and dirty to the systematically robust. Pick your weapon based on how much blood is on the floor.

1. The Quick Fix: The “Screaming Test”

This is my go-to when finance is breathing down my neck and I need to cut costs today. The concept is brutally simple: you find a resource you suspect is unused (like an unattached EBS volume with no recent I/O), and you shut it down or detach it. You don’t delete it, you just disable it. Then, you wait for someone to scream.

Yes, it’s hacky. It’s a blunt instrument. But it works. If no one complains within a week or two, you can be reasonably sure it’s safe to terminate. This is especially effective for non-production environments where the blast radius is smaller.

Warning: Never, ever perform a “Screaming Test” on something that looks like a production database (e.g., prod-db-01-snapshot-final). This is for those ambiguously named resources like dave-test-volume-02 that have been sitting idle for six months. Document every action you take.

2. The Permanent Fix: Enforced Tagging & Automated Auditing

This is the grown-up solution. You can’t rely on people’s memory, so you force their hand with technology. In AWS, this means using Service Control Policies (SCPs) or IAM Policies to deny the creation of certain resources unless specific tags (like owner-email and project-code) are present.

Next, you set up an automated auditor. This can be a simple script that runs nightly, scans your entire environment, and generates a report of non-compliant resources. It’s a “name and shame” list that gets sent to the whole team.

Here’s a basic AWS CLI one-liner to find unattached EBS volumes, a common cost sink:

aws ec2 describe-volumes --filters Name=status,Values=available --query "Volumes[*].[VolumeId, Size, CreateTime]" --output table

This gives you an immediate hit-list of volumes that are costing you money every single month for absolutely no reason.

3. The ‘Nuclear’ Option: Time-To-Live (TTL) Janitor

For our development and staging environments, we got aggressive. We implemented a “janitor” function—a serverless function (like AWS Lambda) that runs on a schedule.

The rule is simple: every resource launched in these environments must have a ttl-hours tag. This tag indicates how many hours the resource is expected to live. For example, ttl-hours: 8 for a typical workday test instance.

Our janitor function runs every hour. It scans for all resources with this tag. If the current time is past the resource’s creation time plus its TTL value, the function automatically terminates it. No questions asked. This has been revolutionary for preventing forgotten test instances from lingering over the weekend.

Pro Tip: You can build in exceptions. For example, our janitor script is configured to ignore any resource with a tag of ttl-exempt: true, but getting that tag approved requires a formal review. This creates the right kind of friction and forces developers to justify long-running resources in non-production environments.

Ultimately, controlling cloud costs isn’t about finding a single magic bullet. It’s about building layers of defense. Start with the screaming test if you’re in a pinch, but work toward building the automated systems that prevent the problem from happening in the first place. Your on-call self—and your finance department—will thank you.

Darian Vance

Lead Cloud Architect & DevOps Strategist

With over 12 years in system architecture and automation, Darian specializes in simplifying complex cloud infrastructures. An advocate for open-source solutions, he founded TechResolve to provide engineers with actionable, battle-tested troubleshooting guides and robust software alternatives.

🤖 Frequently Asked Questions