Cloud Waste Detection and Cleanup Pack

We built this so you don't have to manually hunt down idle EC2 instances at 2 AM. You know the drill: the monthly cloud bill arrives, it's 20% higher than forecast, and suddenly you're playing forensic accountant across three different cloud consoles. You have resources spinning that nobody remembers provisioning, databases eating RDS storage with zero traffic, and load balancers hanging off the end of the world.

The problem isn't just the money. It's the opacity. Most engineering teams treat cloud waste as a "finance problem" rather than an engineering workflow issue. You're expected to manage multi-cloud environments with manual spot checks and spreadsheets that are already stale. Without automated guardrails, your infrastructure drifts into a state of expensive decay. As noted in recent industry shifts, reducing waste and managing commitments are now top key priorities for engineering leadership, yet the tooling to actually enforce this at scale remains fragmented ^[3]. We've seen teams waste weeks just trying to correlate usage metrics with billing IDs before they even know what to delete.

If you're still relying on the Cloud Cost Optimization Pack for high-level rightsizing but lack the automated enforcement layer, you're leaving the heavy lifting to manual review. You can't optimize what you can't safely touch.

The Silent Tax of Unchecked Cloud Spend

Ignoring cloud waste isn't free. Every hour your engineers spend manually auditing the console is an hour they aren't shipping features. We're talking about real dollars bleeding out through unmonitored egress, oversized containers, and orphaned snapshots. When you don't have automated anomaly detection and guardrails in place, you aren't just losing money; you're losing velocity ^[5].

Consider the downstream incident risk. When cleanup is manual, it's inconsistent. Someone deletes a production database because they missed a tag, or worse, they leave a high-cost resource running because they were afraid to touch it. The cost of a single misconfigured cleanup script that runs without safety rails can wipe out months of savings. You need a system that catches 12 issues your team misses, flags them with context, and enforces a dry-run before any action is taken. Without this, your FinOps strategy is just a suggestion.

For teams running containerized workloads, the waste can be even more insidious. If you're managing Kubernetes clusters, you might be using the Kubernetes Cost Governance Pack to set resource requests, but if you don't have a parallel mechanism to detect and kill zombie pods or idle nodes, your cluster is still leaking cash. The gap between "governance" and "enforcement" is where your budget disappears.

A Hypothetical Scenario: The Midnight Cleanup That Woke Up the CTO

Imagine a mid-sized fintech with 200 endpoints. They have a policy: "delete anything idle for 30 days." In practice, this policy lives in a Confluence page that nobody reads.

Last month, a junior engineer spun up a c5.4xlarge instance to debug a memory leak in a staging environment. They forgot to terminate it. It ran for 45 days. The bill was $1,800. Meanwhile, their CI/CD pipeline created 500GB of orphaned EBS snapshots from failed builds. Those snapshots sat there, invisible to the dashboard, costing $40/month each. Total waste: $3,800 in a single month.

Now, picture the same team with automated shadow waste detection. A tool like Adaptive6 or a custom Custodian policy runs daily, flagging the c5.4xlarge as an anomaly before the bill arrives ^[4]. The system doesn't just alert; it correlates the resource with the engineer's Jira ticket, confirms the debug session is closed, and applies a mark-for-op action. The instance is scheduled for deletion in 7 days. The engineer gets a Slack notification: "Your debug instance is scheduled for cleanup. Reply 'KEEP' if you need more time."

This isn't magic. It's the difference between hoping your team remembers to clean up and building a pipeline that forces the cleanup. If you're looking for a broader context on how to structure these workflows, the AWS Cost Optimization Playbook Pack provides excellent foundational playbooks for tagging and rightsizing, but it stops short of the automated enforcement we're installing here.

What Changes Once You Lock Down the Cleanup Pipeline

With the Cloud Waste Detection and Cleanup Pack installed, your cloud estate stops being a mystery box. You get a deterministic workflow that detects waste, validates intent, and executes cleanup safely.

First, you get enterprise-grade guardrails that verify agents or scripts operate within defined boundaries ^[1]. Our validate-c7n-config.py script ensures that no policy can execute a stop or delete action without a preceding mark-for-op or a dry-run flag. You can't break production by accident anymore. The JSON schema validator catches structural errors before the policy ever hits the cloud provider's API.

Second, you get multi-cloud visibility. Whether you're on AWS, Azure, or GCP, the pack provides worked examples and templates that speak the native language of Cloud Custodian. You can run a dry-run across your entire account, see a list of 500 idle resources, and approve the cleanup in one click. The CI/CD pipeline template integrates this into your existing GitHub Actions workflow, so cleanup becomes part of your deployment cycle, not a separate chore.

If you're comparing costs across providers, you can use the Multi-Cloud Cost Comparison Framework Pack to normalize the data, but once the data is normalized, this pack is what actually reduces the footprint. And for serverless workloads, where waste often hides in cold starts or unused functions, the Serverless Cost Modeling Pack helps you model the drivers, while this pack helps you remove the dead weight.

What's in the Cloud Waste Detection and Cleanup Pack

We didn't just write a blog post. We shipped a production-grade toolkit. This is the file manifest. Every file is tested, versioned, and ready to drop into your repo.

• skill.md — Orchestrator skill guide: defines the FinOps waste detection workflow, safety rails, and references all templates, scripts, validators, references, and examples.
• templates/custodian-policy.yaml — Production-grade Cloud Custodian policy template with multi-cloud safety rails: mark-for-op delays, metric/value filters, and structured notifications.
• templates/cleanup-pipeline.yml — CI/CD pipeline template (GitHub Actions) to run Custodian policies with dry-run enforcement, approval gates, and Slack/email alerting.
• scripts/run-cleanup.sh — Executable bash script: validates environment, runs schema/YAML checks, executes dry-run, prompts for confirmation, and applies policies safely.
• scripts/validate-c7n-config.py — Python validator script: parses policy YAML, enforces safety rules (no direct stop/delete without mark-for-op or dry-run flag), exits 1 on failure.
• validators/c7n-policy-schema.json — JSON Schema for structural validation of Cloud Custodian policy documents, ensuring required keys and correct action/filter types.
• references/canonical-knowledge.md — Curated authoritative knowledge from Cloud Custodian docs: modes (periodic, cloudtrail, guard-duty), filters (metric, value, event), actions (mark-for-op, stop, delete, notify), and safety patterns.
• examples/aws-idle-resources.yaml — Worked example for AWS: idle EC2 instances, unused RDS databases, and GuardDuty-triggered remediation using real C7N syntax.
• examples/azure-underutilized.yaml — Worked example for Azure: low DTU SQL servers, high queue message counts, and empty resource group cleanup with real C7N syntax.
• examples/gcp-stale-jobs.yaml — Worked example for GCP: hanged Dataflow jobs, Vertex AI batch prediction cleanup, and endpoint inventory using real C7N syntax.

Stop Guessing, Start Cleaning

You have two choices. You can keep hoping your engineers remember to tag their resources and manually delete them before the end of the month. Or you can install a pipeline that enforces cleanup, validates every action, and sends you a report of savings generated.

Embracing FinOps isn't just about reporting; it's about operationalizing cost control with tools that simplify estimates and set up guardrails ^[7]. We built this pack so you can stop guessing and start cleaning. Upgrade to Pro to install the Cloud Waste Detection and Cleanup Pack and take back control of your cloud spend.

If you want to dive deeper into intelligent cost optimization strategies, check out the Building Intelligent Cloud Infrastructure Cost Optimizers Pack for advanced heuristics.