Waste Detection
The Waste Detection engine is the core diagnostic module of AWS Doctor. It scans your account for “zombie” resources—assets that are active and billing but provide zero value to your business.
How to Run
Use the waste subcommand to trigger a full scan across all supported services:
```shell
aws-doctor waste --region us-east-1
```
Selective Scanning
If you only want to scan specific AWS services, you can pass them as arguments to the subcommand. This is useful for faster execution or targeted cleanups.
| Argument | Service |
|---|---|
| ec2 | EC2 instances, EBS volumes, snapshots, key pairs, AMIs. |
| elb | Application and Network Load Balancers. |
| s3 | S3 buckets and multipart uploads. |
| rds | RDS instances and snapshots. |
| lambda | Lambda over-provisioned memory detection. |
| vpc | NAT Gateways and idle VPC resources. |
| cloudwatch | CloudWatch Log Groups without retention policies. |
| sagemaker | SageMaker idle endpoint detection (zero invocations in 14 days). |
| ecr | ECR repositories without lifecycle policies, empty repositories, and untagged images. |
| secrets-manager | Secrets Manager secrets not accessed within the idle threshold. |
```shell
# Example: Scan only EC2 and SageMaker resources
aws-doctor waste ec2 sagemaker
```
Configuration Flags
The waste and report waste subcommands support specific flags to tune the detection logic:
| Flag | Default | Description |
|---|---|---|
| --lambda-memory-threshold | 10 | Memory utilization threshold (%) below which Lambda functions are flagged as over-provisioned. |
| --secrets-idle-days | 90 | Idle days threshold for flagging unused Secrets Manager secrets. |
Region-Aware Cost Estimation
Every waste check that reports an estimated monthly cost uses live pricing data fetched directly from the AWS Pricing API at startup.
How it works
- When you run aws-doctor waste, the tool queries the AWS Pricing API for your configured region before executing any checks.
- The fetched rates are cached in memory for the duration of the command.
- Each waste check multiplies the resource’s usage (size, hours, count) by the region-specific rate to produce an accurate cost estimate.
Fallback behaviour
If the API call fails for any reason (insufficient permissions, network error, unsupported region), AWS Doctor silently falls back to built-in default rates based on us-east-1 pricing. The waste scan always completes — you will never see a hard failure because of pricing data.
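The fetch-once, cache, and silent-fallback flow described above, as an added example that is not AWS Doctor's own code. It parses the real Pricing API PriceList JSON shape; the `fetcher` callable is a hypothetical seam standing in for the boto3 `pricing` client, and the default rates and sample entry are constructed for this illustration.

```python
import json
from typing import Callable, List

# Fallback rates, constructed for this example and modelled on us-east-1 list
# prices; the page does not show the tool's real built-in defaults.
DEFAULT_RATES_USD = {"ebs_gp3_gb_month": 0.08, "nat_gateway_hour": 0.045}

def parse_usd_rate(price_list_entry: str) -> float:
    """Pull the on-demand USD rate out of one Pricing API PriceList entry.

    get_products() returns each entry as a JSON string; the rate sits under
    terms.OnDemand.<term>.priceDimensions.<dimension>.pricePerUnit.USD.
    """
    entry = json.loads(price_list_entry)
    for term in entry["terms"]["OnDemand"].values():
        for dimension in term["priceDimensions"].values():
            return float(dimension["pricePerUnit"]["USD"])
    raise ValueError("PriceList entry has no OnDemand price dimension")

class RegionalPricing:
    """Fetch every rate once at startup, cache it, and fall back silently."""

    def __init__(self, region: str, fetcher: Callable[[str, str], List[str]]):
        # fetcher(region, rate_key) stands in for the boto3 pricing client
        # (hypothetical seam); it returns raw PriceList strings or raises.
        self.region, self.rates, self.used_fallback = region, {}, False
        for key, default in DEFAULT_RATES_USD.items():
            try:
                self.rates[key] = parse_usd_rate(fetcher(region, key)[0])
            except Exception:  # AccessDenied, network error, unsupported region
                self.rates[key] = default
                self.used_fallback = True

    def estimate_monthly_cost(self, rate_key: str, usage: float) -> float:
        """usage is GB-months for volumes, hours for NAT Gateways, and so on."""
        return round(usage * self.rates[rate_key], 2)

# Constructed PriceList entry in the real API's shape; SKU/term codes are illustrative.
SAMPLE_GP3_FRANKFURT = json.dumps({
    "product": {"attributes": {"volumeApiName": "gp3", "location": "EU (Frankfurt)"}},
    "terms": {"OnDemand": {"SKU0001.JRTCKXETXF": {"priceDimensions": {
        "SKU0001.JRTCKXETXF.6YS6EN2CT7": {"unit": "GB-Mo", "pricePerUnit": {"USD": "0.0952000000"}}}}}},
})

def frankfurt_fetcher(region: str, rate_key: str) -> List[str]:
    """Simulated fetcher: the gp3 lookup succeeds, the NAT Gateway lookup is denied."""
    if rate_key != "ebs_gp3_gb_month":
        raise PermissionError("AccessDeniedException: pricing:GetProducts")
    return [SAMPLE_GP3_FRANKFURT]
```

`RegionalPricing("eu-central-1", frankfurt_fetcher)` ends up with the live Frankfurt gp3 rate and the us-east-1 default for NAT Gateways, with `used_fallback` set so a caller can surface the degraded estimate if it wants to.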
Pricing lookups require the IAM permission pricing:GetProducts. Without it, the tool still works — estimates silently fall back to built-in defaults.
Categories of Detection
We group waste into primary infrastructure categories:
Compute and EBS
EC2 instances stopped for >30 days, orphaned volumes, stale snapshots, expired RIs, and over-provisioned Lambda memory.
Databases
Stopped RDS instances, manual snapshots older than 30 days, and idle database instances.
Storage & Logs
Buckets without lifecycle policies, hidden incomplete multipart uploads, Log Groups with no retention, and ECR container image waste.
Networking
Unassociated Elastic IPs, idle Load Balancers, and idle NAT Gateways.
Machine Learning
Active SageMaker endpoints with zero invocations in the last 14 days.
Configuration and Secrets
Secrets Manager secrets not accessed within the configured idle threshold.
Why automate this?
In large organizations, developers often create temporary resources (testing an AMI, spinning up a sandbox EIP) and forget to delete them. Over time, these small charges aggregate into thousands of dollars of “infrastructure debt.”
AWS Doctor makes it trivial to run a weekly checkup and keep your account lean.