BeClaude

cloudcost-doctor

GitHub Trending · Category: General · by takeaseatventure

Audit infrastructure-as-code (Terraform, CloudFormation, CDK) for cloud cost anti-patterns BEFORE deployment. Finds overprovisioned instances, expensive storage defaults, idle resources, missing lifecycle policies, and 45+ more — no AWS credentials required. Use when reviewing or cost-optimizing IaC.

Summary

CloudCost Doctor audits your Infrastructure-as-Code (Terraform, CloudFormation, CDK) for over 50 cost anti-patterns before deployment, catching overprovisioned instances, expensive storage defaults, idle resources, and missing lifecycle policies.

  • It works offline without AWS credentials, making it ideal for code review, pre-commit checks, and CI/CD pipelines to prevent cloud waste.

Overview

cloudcost-doctor

Find cloud waste before you deploy it. Reads your Terraform / CloudFormation / CDK files and flags cost anti-patterns. No AWS credentials, no dependencies, works offline in <1 second.

When to use

  • Before running terraform apply / aws cloudformation deploy
  • During code review of infrastructure PRs
  • When asked "are we wasting money on AWS?"
  • As a pre-commit / CI check for IaC

How to run

```bash
# Audit a directory of IaC files
python3 scripts/cli.py audit <path>

# Single file
python3 scripts/cli.py audit main.tf

# JSON output for CI/CD
python3 scripts/cli.py audit <path> --json

# List all rules
python3 scripts/cli.py describe
```

What it checks (50+ rules across 8 categories)

EC2 — Compute

  • EC2.01 Old instance generation (t2→t3, m4→m6i, c4→c6i: ~20% cheaper)
  • EC2.02 Overprovisioned instance for likely dev/staging (8xlarge+ with no prod tag)
  • EC2.03 No shutdown schedule for non-prod (add schedule or use Spot)
  • EC2.04 On-demand for batch/stateless workloads (use Spot: 70-90% cheaper)
  • EC2.05 No hibernate/stop on termination for dev instances
  • EC2.06 Burstable instance without CloudWatch CPU credit monitoring
  • EC2.07 EBS-optimized flag on instance types that include it free (dead config)
  • EC2.08 Multiple ENIs without need (adds cost on some types)
  • EC2.09 Placement group for non-HPC workload
  • EC2.10 Dedicated host tenancy without licensing justification
  • EC2.11 EIP attached to stopped instance ($3.60/mo)
  • EC2.12 No instance profile / IAM role (security + operational debt)

EBS — Block Storage

  • EBS.01 gp2 volume — use gp3 (20% cheaper, better baseline IOPS)
  • EBS.02 io1/io2 Block Storage with no measured IOPS need
  • EBS.03 Overprovisioned volume size (>1TB without lifecycle)
  • EBS.04 Snapshot without delete-after-N-days
  • EBS.05 EFS without lifecycle to Infrequent Access

S3 — Object Storage

  • S3.01 Bucket with no lifecycle policy (logs grow forever in Standard)
  • S3.02 Standard storage for logs/backups (→ IA/Glacier)
  • S3.03 Versioning on without lifecycle (old versions accumulate)
  • S3.04 No Intelligent-Tiering consideration for unknown access patterns
  • S3.05 Cross-region replication without explicit DR requirement
  • S3.06 Requester-pays without metering

RDS — Databases

  • RDS.01 Multi-AZ for dev/staging (doubles cost)
  • RDS.02 RDS gp2 storage — use gp3
  • RDS.03 Provisioned IOPS (io1) on RDS without measured need
  • RDS.04 Backup retention >7 days for non-prod
  • RDS.05 T2/T3 instance — check if T4g available (ARM, cheaper)
  • RDS.06 DynamoDB provisioned capacity without auto-scaling
  • RDS.07 DynamoDB without on-demand for low/unknown traffic

NAT — Networking

  • NAT.01 NAT Gateway in non-prod (use VPC endpoints: saves $32/mo + data)
  • NAT.02 Multiple NAT Gateways in one AZ
  • NAT.03 Classic Load Balancer (deprecated, switch to ALB/NLB)
  • NAT.04 Elastic IP not associated ($3.60/mo each)
  • NAT.05 VPC endpoint not used for S3/DynamoDB (paying NAT data fees)
  • NAT.06 Public IP on EC2 that doesn't need it

TAG — Governance

  • TAG.01 Missing Owner tag
  • TAG.02 Missing Environment tag (blocks cost allocation)
  • TAG.03 Missing CostCenter / Project tag
  • TAG.04 Inconsistent tag casing (env vs Environment)
  • TAG.05 No budget alert / cost anomaly detection configured
  • TAG.06 Resources using deprecated tag keys

IAM — Security (cost-adjacent)

  • IAM.01 Overly permissive * resource policy
  • IAM.02 IAM policy with Action: * and Resource: *
  • IAM.03 Hardcoded credentials in IaC (security + rotation cost)
  • IAM.04 KMS key without rotation enabled

CW — CloudWatch / Logging

  • CW.01 Log group with no retention (infinite growth)
  • CW.02 Detailed monitoring enabled for non-prod
  • CW.03 CloudWatch Logs Insights without savings plan
  • CW.04 High-resolution custom metrics where standard suffices

Reading the report

Each finding shows:

  • Severity: HIGH (clear waste, easy fix), MED (likely waste), LOW (governance hygiene)
  • Rule ID: e.g. EC2.01
  • File:line: exact location in your IaC
  • Estimated savings: monthly $ range where calculable
  • Fix hint: one-line action to resolve

Pro tier

The free OSS scanner audits IaC files. The Pro tier (license-gated) adds:

  • Live AWS account scan (audit running infra, not just code)
  • Automated remediation (generates the fixing Terraform)
  • Cost trend dashboards
  • Slack/Teams alerting

Upgrade at https://takeaseatventure.com/pro

Limitations

  • Reads IaC files as parsed text (regex-based) — fast and universal, but cannot resolve module references or dynamic expressions. For those, review the flagged resource manually.

  • AWS-focused. GCP/Azure support is planned.
  • Savings estimates are approximate (based on public AWS pricing, us-east-1).
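To make the regex-based approach and its limitation concrete, here is an added example (not the project's own code) that applies four of the listed rules (EBS.01, CW.01, IAM.02, IAM.04) to a constructed Terraform snippet. It matches literal attribute values only; when a value is a variable such as var.rotate it cannot be resolved and is reported for manual review, exactly the case the limitations section describes.

```python
import re

# Constructed sample Terraform for this example (not from the project).
SAMPLE_TF = '''resource "aws_ebs_volume" "data" {
  type = "gp2"
}
resource "aws_cloudwatch_log_group" "app" {
  name = "/app/logs"
}
resource "aws_iam_policy" "admin" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }] })
}
resource "aws_kms_key" "app" {
  enable_key_rotation = var.rotate
}
'''

# Top-level resource blocks; a body ends at the first "}" in column 0.
BLOCK_RE = re.compile(
    r'^resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.M | re.S)

def attr(body, key):
    """Raw right-hand side of `key = ...` inside a block body, or None if absent."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*(.+?)\s*$', body, re.M)
    return m.group(1) if m else None

def is_literal(value):
    """True for a quoted string, number or bool; False for var./local./function expressions."""
    return bool(re.fullmatch(r'"[^"]*"|\d+|true|false', value or ""))

def check_ebs01(b):   # EBS.01 gp2 volume -> use gp3
    return "use gp3" if attr(b, "type") == '"gp2"' else None
def check_cw01(b):    # CW.01 log group with no retention
    return "set retention_in_days" if attr(b, "retention_in_days") is None else None
def check_iam02(b):   # IAM.02 Action: * together with Resource: *
    return "scope Action/Resource" if re.search(r'Action\s*=\s*"\*".*Resource\s*=\s*"\*"', b, re.S) else None
def check_iam04(b):   # IAM.04 KMS key without rotation; a variable cannot be resolved by text scanning
    v = attr(b, "enable_key_rotation")
    if v is None or v == "false":
        return "set enable_key_rotation = true"
    return None if is_literal(v) else "UNRESOLVED: review manually"

RULES = [("EBS.01", "aws_ebs_volume", check_ebs01), ("CW.01", "aws_cloudwatch_log_group", check_cw01),
         ("IAM.02", "aws_iam_policy", check_iam02), ("IAM.04", "aws_kms_key", check_iam04)]

def audit(text):
    """Return (rule_id, line, resource_name, hint) for every rule that fires."""
    findings = []
    for m in BLOCK_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for rule_id, rtype, fn in RULES:
            if m.group("type") == rtype and (hint := fn(m.group("body"))):
                findings.append((rule_id, line, m.group("name"), hint))
    return findings
```

Running audit(SAMPLE_TF) yields one finding per block, with the KMS key flagged UNRESOLVED rather than silently passed or failed.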

Pro tips

  • Run in CI to catch waste before merge: python3 scripts/cli.py audit ./infra --json
  • The describe command lists every rule with its fix hint — useful for onboarding.
  • Tagging findings (TAG.*) are prerequisites for any FinOps program — fix these first.

Install & Usage

  1. Create the skills directory: mkdir -p .claude/skills
  2. Download the skill file and add the configuration to .claude/skills/cloudcost-doctor.md
  3. Invoke in Claude Code: /cloudcost-doctor

Use Cases

Before running terraform apply, audit your Terraform files to catch overprovisioned instances and expensive defaults.
During code review of infrastructure PRs, automatically flag cost anti-patterns without needing AWS credentials.
As a pre-commit hook or CI check, prevent costly resources from being deployed in the first place.
When asked 'are we wasting money on AWS?', scan your IaC repository to identify savings opportunities.
For batch or stateless workloads, detect on-demand instances that should be Spot to save 70-90%.
Audit non-production environments for missing shutdown schedules or overprovisioned instance sizes.

Usage Examples

  1. /cloudcost-doctor audit ./terraform/production --json
  2. Audit my CloudFormation templates for cost issues before I deploy
  3. Check this CDK app for expensive storage defaults and idle resources

Tags: code-review, deployment

Security Audits

License: Unknown · Source: Warn · Repository: Pass

Frequently Asked Questions


How to install cloudcost-doctor?

To install cloudcost-doctor: create the skills directory (mkdir -p .claude/skills), then add the config to .claude/skills/cloudcost-doctor.md. Finally, /cloudcost-doctor in Claude Code.

What is cloudcost-doctor best for?

cloudcost-doctor is listed under the General category and tagged code-review and deployment. Created by takeaseatventure.
