LeapScan · Confidential Audit Report
AWS Cost & Security Review — Enterprise (Redacted)
Account: 9876-XXXX-4321  |  Regions: 6 Active  |  Scanned: March 2026  |  Engine: v3.1 / 131 checks
Security Score: 68 / 100
Est. Monthly Waste Found: $4,320
Critical Findings: 3

Cost Optimization Summary

This enterprise environment is largely secure — CloudTrail is on, MFA is enforced, and RDS is encrypted. However, 6 years of EC2 and storage growth have created $4,320/month in verifiable waste. The largest single item is 47 unattached EBS volumes scattered across 6 regions totalling 18TB — many appear to be snapshots from decommissioned machines. Deleting them and migrating 9 remaining gp2 volumes to gp3 storage type would save $2,140/month alone.

Cost Waste Findings
WASTE
47 Unattached EBS Volumes Across 6 Regions  |  Save ~$1,880/mo
Total of 18.3 TB in EBS volumes not attached to any EC2 instance. Average age: 14 months. Largest single orphaned volume: 4TB gp2 in ap-southeast-1 ($400/mo alone).
aws ec2 describe-volumes --filters Name=status,Values=available --query 'Volumes[*].[VolumeId,Size,CreateTime]' --output table
WASTE
9 Remaining gp2 EBS Volumes (Should Be gp3)  |  Save ~$260/mo
gp3 volumes are 20% cheaper than gp2 and deliver 3,000 IOPS by default vs a 100 IOPS baseline for gp2. No application change is required to migrate.
aws ec2 modify-volume --volume-id vol-0abc123 --volume-type gp3
WASTE
12 Elastic IPs Not Associated With Any Resource  |  Save ~$44/mo
AWS charges $0.005/hr (~$3.65/mo) for each unassociated Elastic IP address. These appear to be from decommissioned NAT gateways and EC2 instances.
aws ec2 describe-addresses --query 'Addresses[?AssociationId==null].AllocationId'
WASTE
3 RDS Instances With Zero Connections in Last 30 Days  |  Save ~$1,200/mo
Three db.m5.large Multi-AZ RDS instances (2x PostgreSQL, 1x MySQL) have had no query activity in 30+ days per CloudWatch metrics. These appear to be staging databases left running.
WASTE
CloudWatch Log Groups Without Retention Policy (Infinite Storage)  |  Save ~$940/mo
34 log groups have no retention period set. They are accumulating 2.1TB of logs going back to 2019. Setting a 90-day retention policy and archiving to S3 would significantly reduce costs.
Security Strengths
PASS
MFA Enforced for All 42 IAM Users
All users with console access have MFA configured. Password policy enforces 14+ character minimum with 90-day rotation.
PASS
All S3 Buckets Have Public Access Blocked at Account Level
Account-level S3 Block Public Access is fully enabled. No public buckets detected across all 63 S3 buckets.
PASS
IMDSv2 Enforced on All Running EC2 Instances
All 24 running instances require token-based IMDS access, protecting against SSRF-based metadata credential theft.