| name | cloudcost-doctor |
| description | Audit infrastructure-as-code (Terraform, CloudFormation, CDK) for cloud cost anti-patterns BEFORE deployment. Finds overprovisioned instances, expensive storage defaults, idle resources, missing lifecycle policies, and 45+ more — no AWS credentials required. Use when reviewing or cost-optimizing IaC. |
| license | MIT |
cloudcost-doctor
Find cloud waste before you deploy it. Reads your Terraform / CloudFormation /
CDK files and flags cost anti-patterns. No AWS credentials, no dependencies, works
offline in <1 second.
When to use
- Before running
terraform apply / aws cloudformation deploy
- During code review of infrastructure PRs
- When asked "are we wasting money on AWS?"
- As a pre-commit / CI check for IaC
How to run
python3 scripts/cli.py audit <path>
python3 scripts/cli.py audit main.tf
python3 scripts/cli.py audit <path> --json
python3 scripts/cli.py describe
What it checks (50+ rules across 8 categories)
EC2 — Compute
EC2.01 Old instance generation (t2→t3, m4→m6i, c4→c6i: ~20% cheaper)
EC2.02 Overprovisioned instance for likely dev/staging (8xlarge+ with no prod tag)
EC2.03 No shutdown schedule for non-prod (add schedule or use Spot)
EC2.04 On-demand for batch/stateless workloads (use Spot: 70-90% cheaper)
EC2.05 No hibernate/stop on termination for dev instances
EC2.06 Burstable instance without CloudWatch CPU credit monitoring
EC2.07 EBS-optimized flag on instance types that include it free (dead config)
EC2.08 Multiple ENIs without need (adds cost on some types)
EC2.09 Placement group for non-HPC workload
EC2.10 Dedicated host tenancy without licensing justification
EC2.11 EIP attached to stopped instance ($3.60/mo)
EC2.12 No instance profile / IAM role (security + operational debt)
EBS — Block Storage
EBS.01 gp2 volume — use gp3 (20% cheaper, better baseline IOPS)
EBS.02 io1/io2 Block Storage with no measured IOPS need
EBS.03 Overprovisioned volume size (>1TB without lifecycle)
EBS.04 Snapshot without delete-after-N-days
EBS.05 EFS without lifecycle to Infrequent Access
S3 — Object Storage
S3.01 Bucket with no lifecycle policy (logs grow forever in Standard)
S3.02 Standard storage for logs/backups (→ IA/Glacier)
S3.03 Versioning on without lifecycle (old versions accumulate)
S3.04 No Intelligent-Tiering consideration for unknown access patterns
S3.05 Cross-region replication without explicit DR requirement
S3.06 Requester-pays without metering
RDS — Databases
RDS.01 Multi-AZ for dev/staging (doubles cost)
RDS.02 RDS gp2 storage — use gp3
RDS.03 Provisioned IOPS (io1) on RDS without measured need
RDS.04 Backup retention >7 days for non-prod
RDS.05 T2/T3 instance — check if T4g available (ARM, cheaper)
RDS.06 DynamoDB provisioned capacity without auto-scaling
RDS.07 DynamoDB without on-demand for low/unknown traffic
NAT — Networking
NAT.01 NAT Gateway in non-prod (use VPC endpoints: saves $32/mo + data)
NAT.02 Multiple NAT Gateways in one AZ
NAT.03 Classic Load Balancer (deprecated, switch to ALB/NLB)
NAT.04 Elastic IP not associated ($3.60/mo each)
NAT.05 VPC endpoint not used for S3/DynamoDB (paying NAT data fees)
NAT.06 Public IP on EC2 that doesn't need it
TAG — Governance
TAG.01 Missing Owner tag
TAG.02 Missing Environment tag (blocks cost allocation)
TAG.03 Missing CostCenter / Project tag
TAG.04 Inconsistent tag casing (env vs Environment)
TAG.05 No budget alert / cost anomaly detection configured
TAG.06 Resources using deprecated tag keys
IAM — Security (cost-adjacent)
IAM.01 Overly permissive * resource policy
IAM.02 IAM policy with Action: * and Resource: *
IAM.03 Hardcoded credentials in IaC (security + rotation cost)
IAM.04 KMS key without rotation enabled
CW — CloudWatch / Logging
CW.01 Log group with no retention (infinite growth)
CW.02 Detailed monitoring enabled for non-prod
CW.03 CloudWatch Logs Insights without savings plan
CW.04 High-resolution custom metrics where standard suffices
Reading the report
Each finding shows:
- Severity: HIGH (clear waste, easy fix), MED (likely waste), LOW (governance hygiene)
- Rule ID: e.g.
EC2.01
- File:line: exact location in your IaC
- Estimated savings: monthly $ range where calculable
- Fix hint: one-line action to resolve
Pro tier
The free OSS scanner audits IaC files. The Pro tier (license-gated) adds:
- Live AWS account scan (audit running infra, not just code)
- Automated remediation (generates the fixing Terraform)
- Cost trend dashboards
- Slack/Teams alerting
Upgrade at https://takeaseatventure.com/pro
Limitations
- Reads IaC files as parsed text (regex-based) — fast and universal, but cannot
resolve module references or dynamic expressions. For those, review the flagged
resource manually.
- AWS-focused. GCP/Azure support is planned.
- Savings estimates are approximate (based on public AWS pricing, us-east-1).
Pro tips
- Run in CI to catch waste before merge:
python3 scripts/cli.py audit ./infra --json
- The
describe command lists every rule with its fix hint — useful for onboarding.
- Tagging findings (TAG.*) are prerequisites for any FinOps program — fix these first.