🕵️ AWS Forgotten Resource Detective

Overview

The AWS Forgotten Resource Detective is a comprehensive PowerShell script designed to identify and analyze AWS resources that may be forgotten, unused, or misconfigured, potentially leading to unnecessary costs. This tool is part of the "FinOps for Everyone" series and helps organizations optimize their AWS spending by detecting orphaned resources and suspicious patterns.

Features

Resource Detection Capabilities

Cost Analysis

• Estimates monthly costs for identified resources
• Calculates potential savings from cleanup activities
• Provides cost impact assessments (High/Medium/Low)

Reporting

• HTML Report: Rich, interactive report with visual styling and actionable insights
• CSV Export: Structured data export for further analysis
• Console Summary: Real-time progress and summary information

Prerequisites

System Requirements

• PowerShell: Version 5.1 or later
• AWS CLI: Latest version installed and configured
• AWS Authentication: User must be logged in with aws configure

Required Permissions

• ReadOnlyAccess: Access to EC2, ELB, S3, and other services
• Cost Explorer: For cost analysis (optional but recommended)

AWS CLI Setup

# Install AWS CLI (if not already installed)
# Download from: https://aws.amazon.com/cli/

# Configure AWS CLI
aws configure

# Verify access to AWS account
aws sts get-caller-identity

Usage

Basic Syntax

.\aws-forgotten-resources-detector.ps1 -Region "<region-name>"

Parameters

Example Usage

Basic Analysis

# Analyze resources in us-east-1 with default settings
.\aws-forgotten-resources-detector.ps1 -Region "us-east-1"

Custom Configuration

# Custom thresholds and output paths
.\aws-forgotten-resources-detector.ps1 \
    -Region "us-west-2" \
    -DaysThreshold 60 \
    -OutputPath "C:\Reports\aws-analysis.html" \
    -CsvOutputPath "C:\Reports\aws-analysis.csv" \
    -ProfileName "production"

Enterprise Analysis

# Analyze multiple regions
$regions = @(
    "us-east-1",
    "us-west-2",
    "eu-west-1"
)

foreach ($region in $regions) {
    .\aws-forgotten-resources-detector.ps1 \
        -Region $region \
        -OutputPath "report-$region.html" \
        -CsvOutputPath "report-$region.csv" \
        -ProfileName "production"
}

Detection Patterns

Orphaned Resources

The script identifies truly orphaned resources that incur costs without providing value:

Suspicious Patterns

Cost Estimation

The script provides estimated monthly costs for each identified resource based on AWS pricing. These estimates help prioritize cleanup efforts based on potential savings.

Cost Calculation Methodology

# Example cost calculation for EBS volumes
function Calculate-EBSVolumeCost {
    param($volumeType, $sizeGB, $iops)
    
    switch ($volumeType) {
        "gp2" { return $sizeGB * 0.10 }  # $0.10 per GB-month
        "gp3" { return ($sizeGB * 0.08) + ($iops * 0.005) }  # $0.08 per GB-month + $0.005 per IOPS
        "io1" { return ($sizeGB * 0.125) + ($iops * 0.065) }  # $0.125 per GB-month + $0.065 per IOPS
        "st1" { return $sizeGB * 0.045 }  # $0.045 per GB-month
        "sc1" { return $sizeGB * 0.015 }  # $0.015 per GB-month
        default { return $sizeGB * 0.10 }  # Default to gp2 pricing
    }
}

Sample Cost Impact

Report Output

The script generates comprehensive reports to help you analyze and act on the findings:

HTML Report

A rich, interactive HTML report with visual styling that includes:

• Executive summary with total potential savings
• Resource breakdown by type and risk level
• Detailed findings with resource IDs, ages, and estimated costs
• Cleanup recommendations and best practices
• Sample AWS CLI commands for remediation

CSV Export

A structured CSV file containing all findings for further analysis or integration with other tools:

ResourceId,ResourceType,Name,Age,EstimatedMonthlyCost,RiskLevel,RecommendedAction
vol-0123456789abcdef0,EBS Volume,N/A,45,$10.00,High,Delete or snapshot if needed
eipalloc-0123456789abcdef0,Elastic IP,N/A,120,$3.65,Medium,Release if not needed
sg-0123456789abcdef0,Security Group,unused-sg,90,$0.00,Low,Delete if not referenced
snap-0123456789abcdef0,EBS Snapshot,backup-2024-01-15,150,$5.00,Medium,Delete if outdated

Safety & Best Practices

Safe Usage Guidelines

Recommended Workflow

1. Run the script with default settings to get an initial assessment
2. Review the HTML report to understand the findings
3. Export CSV data for team review or ticketing system integration
4. Create a remediation plan for identified resources
5. Implement cleanup actions with appropriate approvals
6. Re-run the script to verify improvements

Troubleshooting

Common Issues

Debugging Tips

• Run AWS CLI commands manually to verify access and permissions
• Check AWS CloudTrail for API access denied errors
• Verify AWS region spelling and availability
• Ensure PowerShell execution policy allows script execution

Integration Options

Automation Scenarios

The AWS Forgotten Resource Detective can be integrated into various workflows:

• Scheduled Tasks: Run weekly/monthly for ongoing monitoring
• CI/CD Pipelines: Include in infrastructure validation steps
• Cloud Governance: Part of regular compliance checks
• Cost Optimization Initiatives: Regular cleanup campaigns

Integration with AWS Organizations

# Example script to run across all accounts in an AWS Organization
$accounts = aws organizations list-accounts --query "Accounts[?Status=='ACTIVE'].Id" --output text

foreach ($account in $accounts) {
    # Assume role in target account
    $credentials = aws sts assume-role --role-arn "arn:aws:iam::$account:role/OrganizationAccountAccessRole" --role-session-name "ResourceDetective"
    
    # Set temporary credentials
    $env:AWS_ACCESS_KEY_ID = $credentials.Credentials.AccessKeyId
    $env:AWS_SECRET_ACCESS_KEY = $credentials.Credentials.SecretAccessKey
    $env:AWS_SESSION_TOKEN = $credentials.Credentials.SessionToken
    
    # Run detective script
    .\aws-forgotten-resources-detector.ps1 -Region "us-east-1" -OutputPath "report-$account.html"
    
    # Clear credentials
    Remove-Item env:AWS_ACCESS_KEY_ID
    Remove-Item env:AWS_SECRET_ACCESS_KEY
    Remove-Item env:AWS_SESSION_TOKEN
}

Performance

Resource Requirements

The script's performance depends on the size of your AWS environment:

• Small environments (< 100 resources): 1-2 minutes
• Medium environments (100-1000 resources): 2-5 minutes
• Large environments (1000+ resources): 5-15+ minutes

Optimization Tips

• Run region-specific analysis instead of global scans
• Use AWS CLI pagination settings for large environments
• Consider running in parallel for multiple regions
• Use AWS Config queries where available for faster results

Version History

Conclusion

The AWS Forgotten Resource Detective is a powerful tool for identifying cost optimization opportunities in your AWS environment. By regularly scanning for orphaned and suspicious resources, you can significantly reduce your cloud spend and improve your cloud governance posture.

Remember that this tool is part of a broader FinOps strategy. Combine it with proper tagging policies, resource lifecycle management, and regular reviews to maximize your cloud cost efficiency.