Amazon Web Services · 214 checks

Your biggest cloud bill, read end to end.

AWS is where most teams spend the most and over-provision the most. Volumes detach from deleted instances and keep billing; dev databases sit on Multi-AZ; security groups quietly open a database port to the whole internet.

InfraSweep inspects roughly 70 AWS services in one read-only pass, pairs each cost finding with real CloudWatch utilization and live AWS pricing, and surfaces the security misconfigurations in the same sweep, so cost and risk are one report, not two tools.

+4 organization-wide checks across an AWS Organization

gp2 → gp3

Migrating gp2 volumes to gp3 is typically cheaper for the same (often better) performance, with zero downtime.

Paying double

A dev RDS instance left on Multi-AZ pays for failover protection non-production doesn't need.

1 scan

Public S3 buckets, public snapshots, and active root access keys are caught in the same pass that finds your savings.

What we scan on AWS

65 security checks

A representative sample of the 214 AWS checks, grouped by service domain. Cost waste and security risk are surfaced in the same read-only pass.

Compute & containers

EC2, EBS, Lambda, ECS, EKS, Auto Scaling, SageMaker.

EC2 zombie & oversized instances

Idle and over-provisioned instances, backed by real CPU/memory metrics.

Lambda Graviton & forgotten functions

arm64 migration for ~20% off; functions with no recent invocations.

EKS Spot & Karpenter opportunities

Move fault-tolerant node groups to Spot for up to 70% off.

Auto Scaling minimum oversized

ASG floors set higher than demand ever needs.

Storage & database

EBS, S3, RDS, Aurora, DynamoDB, ElastiCache, Redshift.

Unattached EBS volumes & orphaned snapshots

Block storage billing for resources that are long gone.

S3 cold-data & lifecycle gaps

Hot-tier data unread for months; Intelligent-Tiering candidates.

RDS idle & Multi-AZ on dev/staging

Databases nobody queries, and non-prod paying 2× for HA.

DynamoDB provisioned waste

Provisioned capacity sitting far above what's consumed.

Network & long tail

Elastic IPs, NAT, ELB, VPC endpoints, Transit Gateway.

Unattached Elastic IPs & idle NAT gateways

Hourly charges for plumbing carrying no traffic.

Idle load balancers & orphaned target groups

ALB/NLB and target groups attached to nothing.

Off-hours schedule & tag-coverage

Structural levers: sleep non-prod nights/weekends, fix allocation gaps.

Duplicate CloudTrails & dead alarms

The forgotten operational long tail that quietly bills on.

Security & CSPM

IAM, KMS, public exposure, GuardDuty, CloudTrail, Inspector.

Security groups open to 0.0.0.0/0

SSH, RDP, and database ports reachable from the internet.

Public buckets, snapshots & AMIs

Data shared with the entire world, flagged immediately.

IAM root keys, missing MFA, stale keys

Identity hygiene that shrinks your blast radius.

GuardDuty / flow logs / CloudTrail gaps

Detective blind spots named per region.

How you connect

A read-only IAM role (or access keys)

One-click CloudFormation / Terraform from the dashboard, scoped with an ExternalId you control.

AWS-managed SecurityAudit + ViewOnlyAccess. No write access, ever. Revoke it any time in your console.

How the dollars are calculated

Live AWS bulk pricing per region, with a curated baseline as offline fallback. Every finding records its pricing source.

Every finding is backed by the raw cloud API response it came from, with a confidence score and the pricing source labelled, no black-box numbers.

Scan your AWS estate free

Connect a read-only iam role (or access keys) and run a read-only scan. Findings come priced in real dollars with a fix and the evidence for each.

Start scanning free

Other clouds we scan