cloudcost-doctor

cloudcost-doctor

Find cloud waste before you deploy it. Reads your Terraform / CloudFormation / CDK files and flags cost anti-patterns. No AWS credentials, no dependencies, works offline in <1 second.

When to use

• •Before running terraform apply / aws cloudformation deploy
• •During code review of infrastructure PRs
• •When asked "are we wasting money on AWS?"
• •As a pre-commit / CI check for IaC

How to run

# Audit a directory of IaC files
python3 scripts/cli.py audit <path>

# Single file
python3 scripts/cli.py audit main.tf

# JSON output for CI/CD
python3 scripts/cli.py audit <path> --json

# List all rules
python3 scripts/cli.py describe

What it checks (50+ rules across 8 categories)

EC2 — Compute

• •EC2.01 Old instance generation (t2→t3, m4→m6i, c4→c6i: ~20% cheaper)
• •EC2.02 Overprovisioned instance for likely dev/staging (8xlarge+ with no prod tag)
• •EC2.03 No shutdown schedule for non-prod (add schedule or use Spot)
• •EC2.04 On-demand for batch/stateless workloads (use Spot: 70-90% cheaper)
• •EC2.05 No hibernate/stop on termination for dev instances
• •EC2.06 Burstable instance without CloudWatch CPU credit monitoring
• •EC2.07 EBS-optimized flag on instance types that include it free (dead config)
• •EC2.08 Multiple ENIs without need (adds cost on some types)
• •EC2.09 Placement group for non-HPC workload
• •EC2.10 Dedicated host tenancy without licensing justification
• •EC2.11 EIP attached to stopped instance ($3.60/mo)
• •EC2.12 No instance profile / IAM role (security + operational debt)

EBS — Block Storage

• •EBS.01 gp2 volume — use gp3 (20% cheaper, better baseline IOPS)
• •EBS.02 io1/io2 Block Storage with no measured IOPS need
• •EBS.03 Overprovisioned volume size (>1TB without lifecycle)
• •EBS.04 Snapshot without delete-after-N-days
• •EBS.05 EFS without lifecycle to Infrequent Access

S3 — Object Storage

• •S3.01 Bucket with no lifecycle policy (logs grow forever in Standard)
• •S3.02 Standard storage for logs/backups (→ IA/Glacier)
• •S3.03 Versioning on without lifecycle (old versions accumulate)
• •S3.04 No Intelligent-Tiering consideration for unknown access patterns
• •S3.05 Cross-region replication without explicit DR requirement
• •S3.06 Requester-pays without metering

RDS — Databases

• •RDS.01 Multi-AZ for dev/staging (doubles cost)
• •RDS.02 RDS gp2 storage — use gp3
• •RDS.03 Provisioned IOPS (io1) on RDS without measured need
• •RDS.04 Backup retention >7 days for non-prod
• •RDS.05 T2/T3 instance — check if T4g available (ARM, cheaper)
• •RDS.06 DynamoDB provisioned capacity without auto-scaling
• •RDS.07 DynamoDB without on-demand for low/unknown traffic

NAT — Networking

• •NAT.01 NAT Gateway in non-prod (use VPC endpoints: saves $32/mo + data)
• •NAT.02 Multiple NAT Gateways in one AZ
• •NAT.03 Classic Load Balancer (deprecated, switch to ALB/NLB)
• •NAT.04 Elastic IP not associated ($3.60/mo each)
• •NAT.05 VPC endpoint not used for S3/DynamoDB (paying NAT data fees)
• •NAT.06 Public IP on EC2 that doesn't need it

TAG — Governance

• •TAG.01 Missing Owner tag
• •TAG.02 Missing Environment tag (blocks cost allocation)
• •TAG.03 Missing CostCenter / Project tag
• •TAG.04 Inconsistent tag casing (env vs Environment)
• •TAG.05 No budget alert / cost anomaly detection configured
• •TAG.06 Resources using deprecated tag keys

IAM — Security (cost-adjacent)

• •IAM.01 Overly permissive * resource policy
• •IAM.02 IAM policy with Action: * and Resource: *
• •IAM.03 Hardcoded credentials in IaC (security + rotation cost)
• •IAM.04 KMS key without rotation enabled

CW — CloudWatch / Logging

• •CW.01 Log group with no retention (infinite growth)
• •CW.02 Detailed monitoring enabled for non-prod
• •CW.03 CloudWatch Logs Insights without savings plan
• •CW.04 High-resolution custom metrics where standard suffices

Reading the report

Each finding shows:

• •Severity: HIGH (clear waste, easy fix), MED (likely waste), LOW (governance hygiene)
• •Rule ID: e.g. EC2.01
• •File:line: exact location in your IaC
• •Estimated savings: monthly $ range where calculable
• •Fix hint: one-line action to resolve

Pro tier

The free OSS scanner audits IaC files. The Pro tier (license-gated) adds:

• •Live AWS account scan (audit running infra, not just code)
• •Automated remediation (generates the fixing Terraform)
• •Cost trend dashboards
• •Slack/Teams alerting

Upgrade at https://takeaseatventure.com/pro

Limitations

• •Reads IaC files as parsed text (regex-based) — fast and universal, but cannot

resolve module references or dynamic expressions. For those, review the flagged resource manually.

• •AWS-focused. GCP/Azure support is planned.
• •Savings estimates are approximate (based on public AWS pricing, us-east-1).

Pro tips

• •Run in CI to catch waste before merge: python3 scripts/cli.py audit ./infra --json
• •The describe command lists every rule with its fix hint — useful for onboarding.
• •Tagging findings (TAG.*) are prerequisites for any FinOps program — fix these first.