
18 AWS Cost Optimizations We Find in Every Audit

The same waste patterns show up in nearly every AWS account we review. Here are the 18 fixes, sorted by effort, that consistently recover 30–40% of cloud spend.

7 min read By Easy Entropy

At a glance: 18 optimizations covered; 11 quick wins (under 2 hours); typical combined savings 30–40%.


Key Takeaways

  • Most AWS waste follows predictable patterns. Eleven of these eighteen fixes take under two hours.
  • Compute and networking account for the largest savings. Idle resources, missing lifecycle policies, and NAT Gateway overuse are the top offenders.
  • Quick wins build momentum, but sustained savings require a recurring review cadence. One-time audits drift back within a quarter.

The same patterns, every account

After reviewing dozens of AWS accounts ranging from $10K to $500K in monthly spend, the same waste patterns keep appearing. Different industries, different architectures, same problems.

What follows are 18 specific optimizations, organized by domain, that we find in nearly every audit. Each one includes effort level, expected savings, and the AWS-native approach to fix it. Eleven of them qualify as quick wins you can execute in under two hours. The remaining seven are strategic changes worth scheduling into a sprint.

We have tagged each optimization to help you prioritize: ✅ Quick Win means under 2 hours of work with immediate payoff. 🔄 Strategic means 1–3 days of effort with larger, compounding savings.

Compute: where most of the money goes

Compute typically represents 50–70% of an AWS bill. Small inefficiencies here compound fast.

  • ✅ Idle EC2 instances running internal tools. That admin dashboard getting 12 requests a day does not need a t3.xlarge running 24/7. Containerize it and deploy to ECS Fargate or Lambda with API Gateway. Scale-to-zero eliminates the baseline cost entirely. Typical savings: 50–70% on that workload.
  • ✅ Dev and staging environments running around the clock. Your dev environment does not need to run at 2 AM on a Saturday. Use AWS Instance Scheduler or EventBridge rules with Lambda to shut down non-production EC2 and RDS instances outside business hours. Typical savings: 35% of non-production compute spend.
  • 🔄 Over-provisioned EKS clusters. We routinely find EKS node groups running at 10–15% average CPU utilization. Deploy Karpenter for dynamic node provisioning, right-size node pools based on actual pod requests, and use Spot Instances for fault-tolerant workloads. Typical savings: 40–50% on EKS infrastructure.
  • 🔄 Over-provisioned ECS Fargate tasks. Teams set generous CPU and memory values during development and never revisit them. Use Container Insights metrics to identify tasks requesting 2 vCPU but averaging 0.3 vCPU. Right-size task definitions based on p95 utilization. Typical savings: 30–60% per service.
  • ✅ Unused Elastic IPs. Since February 2024, AWS charges $3.65 per month for every public IPv4 address, including ones attached to running instances. Orphaned Elastic IPs from decommissioned load balancers and terminated instances add up quietly. Run aws ec2 describe-addresses and release anything unattached. Typical savings: $3.65 per IP per month, and most accounts have 10–50 orphaned.
The Elastic IP change in 2024 caught many teams off guard. We have seen accounts paying over $200 per month for IPs nobody knew existed.

Storage: the slow leak

Storage waste accumulates gradually. Nobody notices because individual objects are cheap, but aggregate volume tells a different story.

  • ✅ S3 data sitting in Standard tier indefinitely. Application logs, old backups, and archived exports rarely get accessed after the first week. Configure S3 Lifecycle policies to transition objects to Intelligent-Tiering at 30 days, Glacier Flexible Retrieval at 90 days, and Glacier Deep Archive at 180 days. Typical savings: 60–70% on storage costs within one quarter.
  • ✅ Unattached EBS volumes. When EC2 instances are terminated, their EBS volumes often persist. GP3 volumes at 100 GB each cost $8 per month, and most accounts accumulate dozens. Run aws ec2 describe-volumes with a filter for available status. Snapshot anything needed for compliance, then delete. Typical savings: $8–20 per orphaned volume per month.
  • 🔄 EBS volumes on the wrong tier. GP2 volumes cost more than GP3 and deliver lower baseline IOPS. IO1 volumes provisioned for peak load that never materializes waste even more. Audit volume types against actual IOPS and throughput metrics in CloudWatch. Migrate GP2 to GP3 for an immediate 20% cost reduction with better performance.
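As an added example covering both the unused Elastic IP check in the compute section and the unattached EBS volume check above (our illustration, not a tool from the article), the script below reads the JSON that the two `aws ec2 describe-*` commands print and prices the orphans at the figures quoted in the article. The account data embedded in it is constructed, and it assumes every orphaned volume is GP3.

```python
"""Orphaned-resource audit for the Elastic IP and EBS checks above.
Input is the JSON that `aws ec2 describe-addresses` and
`aws ec2 describe-volumes --filters Name=status,Values=available` print.
The sample data below is constructed, not taken from a real account."""
import json

EIP_MONTHLY_USD = 3.65        # public IPv4 charge quoted in the article
GP3_USD_PER_GB_MONTH = 0.08   # $8 per 100 GB GP3, as quoted in the article

# Constructed sample: one associated EIP, two orphans.
SAMPLE_ADDRESSES = json.dumps({"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a1",
     "AssociationId": "eipassoc-0b1", "InstanceId": "i-0123"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0a2"},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0a3"},
]})

# Constructed sample: two 'available' volumes and one still in use.
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Size": 100, "VolumeType": "gp3", "State": "available", "Attachments": []},
    {"VolumeId": "vol-0bbb", "Size": 250, "VolumeType": "gp3", "State": "available", "Attachments": []},
    {"VolumeId": "vol-0ccc", "Size": 50, "VolumeType": "gp3", "State": "in-use",
     "Attachments": [{"InstanceId": "i-0123"}]},
]})


def unattached_eips(describe_addresses_json):
    """Allocation IDs with no association: candidates for `aws ec2 release-address`."""
    addresses = json.loads(describe_addresses_json)["Addresses"]
    return [a["AllocationId"] for a in addresses if "AssociationId" not in a]


def available_volumes(describe_volumes_json):
    """(VolumeId, Size GiB) for volumes attached to nothing; snapshot, then delete."""
    volumes = json.loads(describe_volumes_json)["Volumes"]
    return [(v["VolumeId"], v["Size"])
            for v in volumes if v["State"] == "available" and not v["Attachments"]]


def monthly_waste(describe_addresses_json, describe_volumes_json):
    """Estimated monthly spend on the orphans at the article's two price points.
    Assumes every orphaned volume is GP3 (other types are priced differently)."""
    eips = unattached_eips(describe_addresses_json)
    vols = available_volumes(describe_volumes_json)
    return {"eips": eips,
            "eip_usd": round(len(eips) * EIP_MONTHLY_USD, 2),
            "volumes": vols,
            "volume_usd": round(sum(size for _, size in vols) * GP3_USD_PER_GB_MONTH, 2)}
```

Feed it the real command output (`aws ec2 describe-addresses --output json`) and review the returned lists before releasing or deleting anything.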

Data and analytics: the query tax

Data services are where costs get creative. A single unoptimized query pattern can burn through thousands per month.

  • 🔄 Unpartitioned Athena queries. Athena charges $5 per TB scanned. Without partitioning, every query scans the entire dataset. Partition S3 data by date using Hive-style paths (year/month/day) and register partitions with partition projection. Cluster frequently filtered columns. Typical savings: 60–80% on Athena query costs.
  • ✅ RDS read replicas running 24/7 for batch jobs. That read replica exists for a weekly ETL job that runs for 3 hours. Use EventBridge and Lambda to spin up the replica before the job and terminate it after. Typical savings: $300–600 per month per replica.
  • ✅ CloudWatch log groups with no retention policy. By default, CloudWatch Logs retains data forever. Application debug logs from two years ago are still being stored and billed. Set retention policies: 7 days for debug, 30 days for application logs, 90 days for audit logs. Export anything needed long-term to S3. Typical savings: 40–60% on CloudWatch Logs costs.
  • ✅ Unused CloudWatch alarms and dashboards. Legacy alarms for decommissioned services and dashboards nobody opens still generate metrics API calls. Audit with aws cloudwatch describe-alarms and disable anything targeting resources that no longer exist. Typical savings: $50–300 per month depending on alarm count.
  • 🔄 DynamoDB over-provisioned capacity. Tables set to provisioned mode with generous read and write capacity that never gets used. If traffic is unpredictable or spiky, switch to on-demand mode. If traffic is steady but over-provisioned, right-size the provisioned units using CloudWatch consumed capacity metrics. Typical savings: 30–50% per table.
CloudWatch Logs is one of the most overlooked cost drivers. We have audited accounts spending $2,000 per month on log storage alone, most of it debug-level output from services that were refactored months ago.
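As an added example for the CloudWatch Logs retention finding (our illustration, not the article's tooling), the script below reads the JSON from `aws logs describe-log-groups`, lists every group that is retained forever, proposes the 7/30/90-day tiers from the list above, and emits the matching `put-retention-policy` calls. The sample groups are constructed, and the tier assignment assumes a naming convention with "debug" or "audit" in the group name.

```python
"""Retention audit for the CloudWatch Logs finding above.
Input is the JSON that `aws logs describe-log-groups` prints; groups that
lack `retentionInDays` are retained forever. The sample is constructed."""
import json

# Retention tiers recommended in the article, in days.
RETENTION_DAYS = {"debug": 7, "application": 30, "audit": 90}

# Constructed sample: three groups with no retention, one already set.
SAMPLE_LOG_GROUPS = json.dumps({"logGroups": [
    {"logGroupName": "/aws/lambda/orders-api", "storedBytes": 5_368_709_120},
    {"logGroupName": "/app/payments/debug", "storedBytes": 42_949_672_960},
    {"logGroupName": "/app/audit/iam-changes", "storedBytes": 1_073_741_824,
     "retentionInDays": 90},
    {"logGroupName": "/app/checkout/audit", "storedBytes": 2_147_483_648},
]})


def classify(log_group_name):
    """Map a group to a tier by name. Assumed naming convention: 'audit' or
    'debug' in the name; everything else is treated as application logs.
    Audit wins over debug so an audit trail is never shortened to 7 days."""
    name = log_group_name.lower()
    if "audit" in name:
        return "audit"
    if "debug" in name:
        return "debug"
    return "application"


def groups_without_retention(describe_log_groups_json):
    """Groups with no retentionInDays, i.e. billed storage that only grows."""
    groups = json.loads(describe_log_groups_json)["logGroups"]
    return [g for g in groups if "retentionInDays" not in g]


def retention_plan(describe_log_groups_json):
    """(name, proposed days, stored GiB) for every group retained forever."""
    return [(g["logGroupName"],
             RETENTION_DAYS[classify(g["logGroupName"])],
             round(g["storedBytes"] / 2**30, 1))
            for g in groups_without_retention(describe_log_groups_json)]


def cli_commands(plan):
    """The put-retention-policy calls that apply the plan; review before running."""
    return [f"aws logs put-retention-policy --log-group-name {name} "
            f"--retention-in-days {days}" for name, days, _ in plan]
```

Export anything the 90-day audit tier would drop to S3 first, as the article suggests, since a shorter retention deletes older events once it takes effect.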

Networking: the invisible bill

Data transfer costs are notoriously hard to track because they span multiple services and rarely appear in Cost Explorer as a single line item.

  • 🔄 NAT Gateway overuse. NAT Gateway charges $0.045 per GB processed plus $0.045 per hour. For services calling AWS APIs (S3, DynamoDB, SQS), that traffic routes through NAT unnecessarily. Deploy VPC Endpoints (Gateway endpoints for S3 and DynamoDB are free) and Interface endpoints for other services. Typical savings: $500–2,000 per month for data-heavy workloads.
  • 🔄 Cross-region data transfer. Replicating data between regions for redundancy that was never formally required. Or running compute in us-east-1 while the primary database sits in eu-west-1. Colocate compute and storage in the same region. Use CloudFront for global distribution instead of multi-region deployments. Typical savings: $0.02 per GB eliminated, which adds up to hundreds monthly for high-throughput services.
  • ✅ S3 transfer acceleration left enabled. Teams enable S3 Transfer Acceleration for a one-time migration and forget to disable it. Every subsequent upload pays the accelerated rate. Check bucket configurations and disable for buckets that no longer need it. Typical savings: $0.04 per GB that reverts to standard pricing.
NAT Gateway is consistently the single biggest surprise in our audits. One client was routing 4 TB per month of S3 API calls through NAT when a free Gateway Endpoint would have handled it.

Security and observability: cost by default

Security services often ship with defaults that prioritize coverage over cost efficiency. That is fine at small scale. At $50K per month in spend, those defaults matter.

  • ✅ WAF rules with overly broad scope. Default AWS Managed Rule groups applied to every ALB catch threats but also generate significant request evaluation costs. Audit rule group match rates. Disable rules with zero matches over 30 days. Scope remaining rules to specific paths rather than all traffic. Typical savings: 20–40% on WAF costs.
  • ✅ VPC Flow Logs at full volume. Capturing all traffic including accepted packets on every ENI generates enormous CloudWatch Logs volume. Filter to rejected traffic only for security monitoring. For compliance needs, send to S3 in Parquet format instead of CloudWatch. Typical savings: 50–70% on flow log storage.
  • ✅ GuardDuty and Security Hub in unused regions. If you only operate in us-east-1 and eu-west-1, GuardDuty running in all 20+ regions generates findings for empty accounts and charges for each. Disable in regions with no resources. Typical savings: small per region but meaningful in aggregate across services.
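As an added example for the VPC Flow Logs item (our illustration, not from the article), the parser below reads records in the default version 2 flow log format, shows what share of records survive a REJECT-only filter (the part you stop ingesting into CloudWatch Logs), and summarises the kept REJECT records by destination port, which is what security monitoring still gets from them. The records are constructed and use documentation address ranges.

```python
"""Parser for VPC Flow Log records (default v2 format) used to size the
'REJECT only' change above: how many records you would stop ingesting into
CloudWatch Logs, and what the kept REJECT records still tell you.
The sample records are constructed; addresses are documentation ranges."""
from collections import Counter

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc 10.0.1.20 10.0.2.30 49152 443 6 120 98304 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 10.0.1.20 198.51.100.20 49153 443 6 900 1310720 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.9 10.0.1.20 40000 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 51300 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """One dict per usable record; NODATA/SKIPDATA lines carry no action."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["bytes"] = int(rec["bytes"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def volume_by_action(records):
    """{action: (record count, flow bytes)}; record count drives ingestion cost."""
    totals = {}
    for r in records:
        count, flow_bytes = totals.get(r["action"], (0, 0))
        totals[r["action"]] = (count + 1, flow_bytes + r["bytes"])
    return totals


def reject_share(records):
    """Fraction of records that survive a REJECT-only filter (0.0 if empty)."""
    return (sum(1 for r in records if r["action"] == "REJECT") / len(records)) if records else 0.0


def rejected_by_dst_port(records):
    """What the kept records are still good for: rejected attempts per port."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")
```

Run it over a day of exported records before switching the flow log's traffic type; in most accounts ACCEPT records dominate, which is where the 50–70% figure above comes from.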

Turning findings into a system

Running through these 18 optimizations once will recover significant spend. But cloud waste is not a one-time problem. New resources get provisioned, traffic patterns shift, and cost drift starts the moment you stop watching.

The difference between a one-time audit and a FinOps practice is the feedback loop. A monthly review that takes two hours can prevent quarterly drift that costs five figures.

  • Schedule a monthly cost review. Compare current spend against the post-optimization baseline. Flag any service that drifted more than 10%.
  • Automate what you can. Budget alerts, anomaly detection, and Instance Scheduler run without human intervention.
  • Assign ownership. Every workload needs a cost owner. Not the finance team. The engineer or team that provisions and operates it.
  • Start with the quick wins. The eleven optimizations marked with ✅ above require less than two hours each and build momentum for the strategic changes.
Most companies don't need a FinOps platform. They need someone to run through this list quarterly and act on the findings. If you want that done for you with no upfront cost, upload your AWS bill and we will show you exactly where the savings are.
