Amazon Web Services · 214 checks
Your biggest cloud bill, read end to end.
AWS is where most teams spend the most and over-provision the most. Volumes detach from deleted instances and keep billing; dev databases sit on Multi-AZ; security groups quietly open a database port to the whole internet.
InfraSweep inspects roughly 70 AWS services in one read-only pass, pairs each cost finding with real CloudWatch utilization and live AWS pricing, and surfaces the security misconfigurations in the same sweep, so cost and risk are one report, not two tools.
+4 organization-wide checks across an AWS Organization
gp2 → gp3
Migrating gp2 volumes to gp3 is typically cheaper for the same (often better) performance, with zero downtime.
Paying double
A dev RDS instance left on Multi-AZ pays for failover protection non-production doesn't need.
1 scan
Public S3 buckets, public snapshots, and active root access keys are caught in the same pass that finds your savings.
What we scan on AWS
65 security checksA representative sample of the 214 AWS checks, grouped by service domain. Cost waste and security risk are surfaced in the same read-only pass.
Compute & containers
EC2, EBS, Lambda, ECS, EKS, Auto Scaling, SageMaker.EC2 zombie & oversized instances
Idle and over-provisioned instances, backed by real CPU/memory metrics.
Lambda Graviton & forgotten functions
arm64 migration for ~20% off; functions with no recent invocations.
EKS Spot & Karpenter opportunities
Move fault-tolerant node groups to Spot for up to 70% off.
Auto Scaling minimum oversized
ASG floors set higher than demand ever needs.
Storage & database
EBS, S3, RDS, Aurora, DynamoDB, ElastiCache, Redshift.Unattached EBS volumes & orphaned snapshots
Block storage billing for resources that are long gone.
S3 cold-data & lifecycle gaps
Hot-tier data unread for months; Intelligent-Tiering candidates.
RDS idle & Multi-AZ on dev/staging
Databases nobody queries, and non-prod paying 2× for HA.
DynamoDB provisioned waste
Provisioned capacity sitting far above what's consumed.
Network & long tail
Elastic IPs, NAT, ELB, VPC endpoints, Transit Gateway.Unattached Elastic IPs & idle NAT gateways
Hourly charges for plumbing carrying no traffic.
Idle load balancers & orphaned target groups
ALB/NLB and target groups attached to nothing.
Off-hours schedule & tag-coverage
Structural levers: sleep non-prod nights/weekends, fix allocation gaps.
Duplicate CloudTrails & dead alarms
The forgotten operational long tail that quietly bills on.
Security & CSPM
IAM, KMS, public exposure, GuardDuty, CloudTrail, Inspector.Security groups open to 0.0.0.0/0
SSH, RDP, and database ports reachable from the internet.
Public buckets, snapshots & AMIs
Data shared with the entire world, flagged immediately.
IAM root keys, missing MFA, stale keys
Identity hygiene that shrinks your blast radius.
GuardDuty / flow logs / CloudTrail gaps
Detective blind spots named per region.
How you connect
A read-only IAM role (or access keys)
One-click CloudFormation / Terraform from the dashboard, scoped with an ExternalId you control.
How the dollars are calculated
Live AWS bulk pricing per region, with a curated baseline as offline fallback. Every finding records its pricing source.
Every finding is backed by the raw cloud API response it came from, with a confidence score and the pricing source labelled, no black-box numbers.
Scan your AWS estate free
Connect a read-only iam role (or access keys) and run a read-only scan. Findings come priced in real dollars with a fix and the evidence for each.
Start scanning free