Governance · 136 checks

Tidy up the long tail of forgotten resources.

Individually they're small; together they're a meaningful slice of the bill. Duplicate trails, alarms stuck on INSUFFICIENT_DATA, dashboards nobody opens, queues and topics wired to nothing, pipelines that never ran.

Graymole sweeps the operational long tail across AWS, GCP, and Azure, including Azure platforms facing retirement (APIM stv1, Logic Apps ISE, Edgio CDN, classic App Insights), and surfaces structural levers too: tag coverage, off-hours scheduling, and region price arbitrage.

Where the money is

  • Dozens of forgotten resources (orphaned target groups, idle Glue jobs, unused WAF rules) add up.
  • Tag coverage gaps make every other optimization harder; fix them and the rest gets easier.
  • Off-hours scheduling on non-prod can cut those resources' cost by roughly two-thirds.
  • Region price arbitrage and carbon hotspots reveal cheaper, cleaner places to run the same workload.

~65%

Shutting down non-production resources on nights and weekends removes about 65% of their runtime (and cost) with no impact on delivery.

What we check

A representative sample, grouped by theme: Governance has 136 checks across AWS, GCP, and Azure.

Structural savings levers

5 checks

The big wins: changes that move the bill far more than any single resource.

Off-hours schedule candidates

Non-prod resources that could sleep nights & weekends (~65% off).

Tag coverage report

Untagged resources blocking cost allocation and accountability.

Region price arbitrage

The same workload runs cheaper in another region.

Carbon-intensity hotspots

Greener regions for the same compute.

ECS dev/staging services running 24/7

Non-prod containers that never clock off.

Forgotten resources

8 checks

The long tail of provisioned-and-abandoned that quietly bills on.

ELB target groups orphaned

Target groups attached to nothing.

Azure retired-platform migrations

APIM stv1, Logic Apps ISE, Edgio CDN, classic App Insights: move before the deadline.

Azure Managed HSM in non-prod

A premium security appliance billing in dev/test.

Glue jobs idle

ETL jobs that haven't run in ages.

WAFv2 rules with no traffic

Web-ACL rules evaluating nothing.

App Runner services paused for months

Paused services still incurring baseline cost.

Empty Cognito user pools

User pools with zero users.

CodePipeline / CodeDeploy never used

Pipelines and apps that never ran.

Observability hygiene

6 checks

Monitoring you're paying for that no longer earns its keep.

CloudWatch alarms stuck in INSUFFICIENT_DATA

Alarms that never evaluate: cost and noise.

CloudWatch dashboards unused

Dashboards nobody has opened in months.

CloudWatch metric streams idle

Streams exporting metrics no one consumes.

AWS Config recording all resources (no filter)

Recording everything when a subset would do.

Athena workgroups without query cost cap

No guardrail on per-query scan spend.

S3 buckets without access logging

Blind spots for both cost and security review.

Messaging & eventing

6 checks

Queues, topics, and rules wired to nothing, or missing a safety net.

SNS topics with no subscriptions

Topics publishing into the void.

Abandoned empty SQS queues

Queues with no producers or consumers.

Production SQS queues without a DLQ

No dead-letter queue to catch failures.

EventBridge rules with no targets

Rules that fire into nowhere.

SES account in sandbox

Email capped in sandbox long after launch.

Unused SES identities

Verified senders nothing uses.

See your governance savings

Connect a read-only role and run a free scan. Governance findings come priced in real dollars with a fix for each.
