
Security Findings That Quietly Cost You Money

The security misconfigurations that don't get audited but slowly drain budget — and how to spot them in your AWS account.

April 25, 2026 · 6 min read · Refine Team

Most security tools rank findings by attack risk. That's the right primary ordering — a publicly exposed S3 bucket beats an unrotated IAM key every time. But there's a second-order pattern most security tools miss: misconfigurations that don't expose data but do quietly waste money.

Five examples, drawn from the patterns we see most often in customer accounts.

1. Detached EBS volumes from terminated instances

When an EC2 instance terminates, its EBS volumes don't always go with it. The root volume defaults to DeleteOnTermination=true, but a volume attached after launch defaults to false, so it outlives the instance and keeps charging.

In a typical mid-size AWS account, this accounts for 5–15% of EBS spend. At $0.08/GB-month for gp3, a forgotten 500GB volume costs $40/mo, $480/yr. Find a few of them and the savings compound.

The detection is straightforward: list all EBS volumes in state available (attached to nothing). A stopped instance keeps its volumes in-use, so those never show up here; what does show up is anything deliberately detached and parked for later reattachment, so cross-check CloudTrail (the DetachVolume and TerminateInstances events for the volume and its last instance) before treating a volume as orphaned. Snapshot each candidate, hold the snapshot for a brief retention window, then bulk-delete the volumes.

2. Unattached Elastic IPs

Since February 2024, AWS charges $0.005/hour (about $3.65/mo at 730 hours) for every public IPv4 address, attached or not. An EIP doing real work is at least paying for something; an unattached one is pure waste. Sounds small until you find 20 of them across the org: roughly $875/yr for addresses doing nothing.

The pattern shows up when an instance gets terminated and the EIP is left dangling, or when test resources get spun up and torn down without releasing the EIP. CloudFormation usually handles this correctly; manual console creation often doesn't.

Detection: ec2:DescribeAddresses and filter for entries where AssociationId is null.

3. Idle load balancers

ALBs and NLBs charge a base hourly fee ($0.0225/hour for either, us-east-1 list price) plus LCU-based usage. The LCU charge on a balancer receiving no traffic is close to zero, but the hourly fee never stops: an ALB with no targets still costs about $16/mo.

In environments where teams spin up dev infrastructure with ALBs and forget to tear them down, this accumulates. The signal is an ALB whose target groups are all empty (or whose targets are all unhealthy) for an extended period. Confirm with CloudWatch before deleting: RequestCount (ALB) or ActiveFlowCount (NLB) should be flat at zero over the same window, because a balancer with no healthy targets that is still receiving traffic is a broken deployment, not idle capacity.

4. EBS snapshots without a parent volume

EBS snapshots are billed per GB-month of stored data, and deleting a volume does not delete its snapshots. When the volume goes but the snapshot stays, the snapshot keeps charging, sometimes for years.

Most orgs accumulate snapshots from:

  • Pre-deployment safety snapshots that nobody removes after the deploy succeeds
  • AWS Backup retention policies that run longer than intended
  • Compliance archives that have outgrown their original purpose

Detection: snapshots whose source VolumeId no longer exists. Apply a retention window: keep snapshots from the last 30 days even if the parent volume is gone, and delete older ones unless they are explicitly tagged for retention. Two caveats: a snapshot that backs a registered AMI cannot be deleted until the AMI is deregistered, and recovery points managed by AWS Backup should be trimmed by shortening the backup plan's retention rather than deleted out from under the vault.

5. CloudTrail trails duplicating data to S3

The first copy of management events delivered to S3 in each region is free; every additional copy is billed, currently $2.00 per 100,000 management events. Many orgs accumulate multiple trails, one set up by IT, another by SecOps, a third by a vendor, all logging the same management events to different S3 buckets. The second and third trails are pure waste.

The fix is consolidation: keep one organization-level trail in a centralized log bucket, with appropriate KMS encryption and S3 lifecycle policies, and disable the duplicates. Before disabling a trail, check two things: that it records nothing the surviving trail does not (data events, a region the organization trail doesn't cover, Insights events), and that whoever consumes its bucket (a SIEM ingest job, Athena tables, the vendor whose product the trail exists to feed) has been repointed at the central bucket. Most orgs see CloudTrail costs drop 50%+ from this single change.
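Deciding which trails are safe to disable, as an added example (not Refine's or AWS's code): it picks a keeper trail and treats another trail as redundant only if the keeper records every management-event scope that trail records and the trail records no data events of its own; anything else goes to a review list rather than being disabled. Input shapes follow boto3's cloudtrail describe_trails and get_event_selectors; the four trails, account number, ARNs and bucket names are constructed, and the keeper preference order (organization trail, then multi-region, then KMS-encrypted) is an assumed policy, not an AWS rule.

```python
"""Plan CloudTrail consolidation: which trails are redundant copies of management
events. Added example; inputs follow boto3 response shapes, sample data is constructed."""


def management_coverage(trail, selectors):
    """Set of (region, read_write) management-event scopes the trail records.
    A multi-region trail is recorded under region '*'. Only classic event selectors
    are understood here."""
    region = "*" if trail.get("IsMultiRegionTrail") else trail["HomeRegion"]
    cov = set()
    for sel in selectors:
        if not sel.get("IncludeManagementEvents", True):
            continue
        rw = sel.get("ReadWriteType", "All")
        for kind in (("ReadOnly", "WriteOnly") if rw == "All" else (rw,)):
            cov.add((region, kind))
    return cov


def has_data_events(selectors):
    """True if any selector records data events (S3 objects, Lambda invocations, ...)."""
    return any(sel.get("DataResources") for sel in selectors)


def covers(keeper_cov, cov):
    """True if every scope in cov is also in keeper_cov, with '*' matching any region."""
    return all((r, k) in keeper_cov or ("*", k) in keeper_cov for r, k in cov)


def choose_keeper(trails):
    """Assumed preference: organization trail, then multi-region, then KMS-encrypted."""
    return max(trails, key=lambda t: (bool(t.get("IsOrganizationTrail")),
                                      bool(t.get("IsMultiRegionTrail")),
                                      bool(t.get("KmsKeyId"))))


def consolidation_plan(trails, selectors_by_arn):
    """Sort trails into keep / disable / review. 'disable' means the keeper already
    records everything this trail records. 'review' means the trail records something
    extra (data events, an uncovered scope) or returned no classic selectors (advanced
    selectors we did not parse), so a human decides."""
    keeper = choose_keeper(trails)
    keeper_cov = management_coverage(keeper, selectors_by_arn[keeper["TrailARN"]])
    plan = {"keep": [keeper["Name"]], "disable": [], "review": []}
    for trail in trails:
        if trail is keeper:
            continue
        sels = selectors_by_arn.get(trail["TrailARN"], [])
        if (not sels or has_data_events(sels)
                or not covers(keeper_cov, management_coverage(trail, sels))):
            plan["review"].append(trail["Name"])
        else:
            plan["disable"].append(trail["Name"])
    return plan


# Constructed sample: the IT / SecOps / vendor sprawl the article describes.
_ARN = "arn:aws:cloudtrail:{region}:111111111111:trail/{name}"
SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": _ARN.format(region="us-east-1", name="org-trail"),
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
     "S3BucketName": "central-cloudtrail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "it-trail", "TrailARN": _ARN.format(region="us-east-1", name="it-trail"),
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False, "S3BucketName": "it-logs"},
    {"Name": "secops-trail", "TrailARN": _ARN.format(region="us-east-1", name="secops-trail"),
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "S3BucketName": "secops-logs"},
    {"Name": "vendor-trail", "TrailARN": _ARN.format(region="eu-west-1", name="vendor-trail"),
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False, "S3BucketName": "vendor-logs"},
]
SAMPLE_SELECTORS = {
    SAMPLE_TRAILS[0]["TrailARN"]: [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                   "DataResources": []}],
    SAMPLE_TRAILS[1]["TrailARN"]: [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                   "DataResources": []}],
    # SecOps also records S3 object-level data events, which the org trail does not.
    SAMPLE_TRAILS[2]["TrailARN"]: [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                   "DataResources": [{"Type": "AWS::S3::Object",
                                                      "Values": ["arn:aws:s3:::"]}]}],
    SAMPLE_TRAILS[3]["TrailARN"]: [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                                   "DataResources": []}],
}

if __name__ == "__main__":
    print(consolidation_plan(SAMPLE_TRAILS, SAMPLE_SELECTORS))
```

On real data, call describe_trails(includeShadowTrails=False) so the per-region shadow copies of a multi-region trail don't appear as separate entries, and feed each trail's get_event_selectors(TrailName=arn)['EventSelectors'] into the selector map. A trail configured with advanced event selectors returns AdvancedEventSelectors instead, which this example deliberately sends to review rather than guessing at.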

Why these don't show up in security tools

Most security tools (AWS Security Hub, Wiz, Prisma) are tuned for attack-surface risk. None of these examples expose customer data or grant unauthorized access — they just waste money. They're "low severity" by the security definition, often not flagged at all.

Cost optimization tools (AWS Trusted Advisor, Compute Optimizer, third-party FinOps platforms) catch some of these. But they don't catch the security-adjacent ones — the duplicated CloudTrail trails, the over-broad IAM session policies that bloat audit logs.

The combined view is where the value is. Refine surfaces both — cost recommendations alongside security findings — so the team doing AWS hygiene work sees both classes of waste in one ranked list. The patterns tend to share root causes (poor resource lifecycle hygiene, no tag-based accountability, deferred cleanup), so fixing them together is more efficient than fixing them serially.

The financial impact

Across the customer engagements we've seen, "security-adjacent waste" — these five patterns plus a handful of others — typically accounts for 5–10% of monthly AWS spend in accounts that haven't been audited. On a $30k/mo bill, that's $1,500–$3,000/mo recovered, or $18k–$36k/yr.

The fix in most cases is mechanical: detect, validate, delete. The hard part is finding them — buried in tens of thousands of resources, easy to miss without a tool that surfaces them ranked by dollar impact.

That's where the right tool earns its keep. Not by being magical, but by making the patterns visible.

---

Refine surfaces 380+ security findings alongside cost recommendations, including the security-adjacent waste patterns above. [See security findings](/product/security).
Refine is built and supported by HabileLabs, an AWS Advanced Tier Services Partner.