惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Cloudbric
Cloudbric
I
InfoQ
V
V2EX
博客园_首页
The Register - Security
The Register - Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Secure Thoughts
Vercel News
Vercel News
Forbes - Security
Forbes - Security
云风的 BLOG
云风的 BLOG
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
D
DataBreaches.Net
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
B
Blog RSS Feed
A
About on SuperTechFans
N
News and Events Feed by Topic
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
Attack and Defense Labs
Attack and Defense Labs
N
Netflix TechBlog - Medium
Spread Privacy
Spread Privacy
F
Full Disclosure
Recorded Future
Recorded Future
AWS News Blog
AWS News Blog
博客园 - 【当耐特】
The Cloudflare Blog
T
Threatpost
T
Tor Project blog
Google DeepMind News
Google DeepMind News
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
A
Arctic Wolf
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
小众软件
小众软件
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
Security Latest
Security Latest
The Last Watchdog
The Last Watchdog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Shadow Cloud Spend: $50k a Month FinOps Audit of Forgotten Dev Accounts
Muskan · 2026-05-07 · via DEV Community

Muskan

The Shadow Cloud Spend: $50k a Month Hiding in Forgotten Dev Accounts

Every mid-size engineering organization has 5 to 15 AWS accounts that nobody actively owns. The "POC" account from 2024. The "team-old-name" account that survived the 2025 reorg. The "consultant-X-temp" account that got a working IAM role and then went quiet. Each one runs a few NAT gateways, an idle RDS, EBS volumes from 2023, and a CloudWatch log group with infinite retention.

Shadow cloud spend in those forgotten accounts totals $30,000 to $80,000 per month per organization. None of it produces business value. None of it shows up cleanly on the FinOps dashboard, because cost-allocation tag schemes assume the account has an active owner and the forgotten accounts have stale or no tags.

The accounts are hard to see for the same reason they are hard to reclaim. The original owner left. The team got renamed. The IAM root credentials are in a stale 1Password vault. AWS Organizations sees the account but no human has logged in for 9 months. So the cleanup gets postponed forever, and the bill compounds.

This post is the playbook. Inventory the accounts you forgot you have. Audit what is running in each. Decide per-account: archive, delete, adopt, or invoice. Then the structural fix: an account lifecycle policy that prevents the next round of orphans. The pattern composes with closed-loop FinOps and the cost-per-customer attribution work that gives you visibility on the bill in the first place.

The 5-15 unowned-account pattern

Talk to FinOps practitioners at any organization with more than a year of AWS history and 200+ engineers. The same archetype emerges every time. Four shapes account for most forgotten accounts.

Archetype Typical resources running Monthly spend
The 2024 POC account (project never moved to prod) 2 NAT gateways, 1 t3.large EC2, RDS db.t3.medium, 200 GB EBS $4,200
The renamed-team account (org chart changed, account name did not) 1 NAT gateway, 6 idle EBS volumes, S3 bucket with versioning enabled, Lambda hourly cron with no purpose $1,800
The consultant temp account (engagement ended, account stayed) 1 NAT gateway, 1 RDS Multi-AZ, EFS volume with 80 GB stale data $3,600
The disaster-recovery test account (test happened, account stayed) Cross-region replication still running, 4 EBS snapshots from 2024, 1 forgotten Elastic IP $2,400

Mid-size orgs typically have 8 to 12 accounts matching one of these archetypes. Total shadow spend lands $30,000 to $80,000 per month. At the upper end, this is roughly 5 percent of total cloud spend for an organization in the $1M to $2M monthly range, all of it producing zero business value. The pareto is heavy: of 10 unowned accounts, 2 typically account for 60 to 80 percent of the total shadow bill. Triage them first.

What is actually running in there

The audit checklist for an unowned account is short. Five resource types account for almost all the persistent cost.

Resource Typical monthly cost Why it persists
NAT Gateway (idle) $32 fixed + small data fees Single biggest forgotten-account driver; runs even when no real traffic flows
RDS instance (idle, Multi-AZ) $50 to $300 RDS does not scale to zero; idle RDS bills the same as busy RDS
EBS volume (unattached) $0.08 per GB-month Unattached EBS bills indefinitely; 1 TB volume costs $80 per month for nothing
Elastic IPs (unattached) $3.65 per EIP per month AWS charges for unused EIPs; 4 forgotten EIPs is ~$15 per month per account
CloudWatch log groups (infinite retention) $0.03 per GB-month + ingest Default retention is "Never expire"; 200 GB of logs costs $6 per month, growing forever

Architecture diagram

NAT gateways are the single biggest driver. A forgotten NAT in a quiet account costs $40 to $100 per month because there is still small egress from CloudWatch agent telemetry, S3 health checks, or stale Lambda functions logging to a CloudWatch log group. The fixed $32 per month is the floor; the data processing on stale background traffic adds another $10 to $70 depending on what tooling was left running.

Why your dashboards miss them

Cost dashboards are designed for active accounts. Tag-based allocation, business-unit roll-ups, monthly budget comparisons. The whole machinery assumes the account has an owner who tagged resources and watches the budget. Forgotten accounts break every assumption.

Dashboard view What it shows Why orphans hide
Cost by tag Spend grouped by team or project Forgotten accounts have stale tags; resources aggregate to "untagged" or "unallocated"
Cost by business unit Roll-up to org chart The owning business unit no longer exists in the org chart; spend has nowhere to roll up
Account-level monthly Per-account totals Visible but requires manual filtering; small accounts get ignored
Cost anomaly alerts Sudden changes in spend Forgotten accounts have stable spend curves; no anomaly fires

The "untagged" and "unallocated" buckets are the tell. They contain real money but get scrolled past during cost reviews because the conversation is always about active teams. Until someone deliberately filters to "spend in accounts with no owner-tag," the shadow stays shadow.

The triage playbook

The cleanup is a one-time exercise. The structural fix (lifecycle policy) prevents the next round. Both are needed; do the cleanup first to free the budget, then ship the policy to keep it free.

Architecture diagram

1. Inventory unowned accounts. Run the AWS Organizations API for the full account list. Cross-reference against the owner-team tag. Anything missing the tag, or with a tag pointing to a team that no longer exists in HR, is a candidate.

2. CloudTrail lookup for original owner. The first IAM principal to provision resources in the account is usually the architect. Search CloudTrail for the earliest iam:CreateUser or ec2:RunInstances event. The principal email resolves to a team-of-record via your identity provider. Even if that engineer left, their team usually still exists.

3. Apply lifecycle:orphan tag. This is the lowest-risk first action. The tag declares the account orphaned without changing any resource state. It also gives the cost dashboard something to filter on so the spend stops hiding.

4. Attach Deny-all SCP. Use AWS Organizations Service Control Policies to prevent new resources from being created in tagged-orphan accounts. The SCP is reversible. Existing resources keep running until the per-account decision is made, but no new spend starts.

5. Per-account decision. Triage each account in 15 to 30 minutes once tooling is in place. List resources, check the top 3 cost drivers, contact the most plausible owner, decide.

Triage outcome When to choose Key risk
Archive (suspend the account) Most cases; preserves audit trail and rollback path Suspended accounts cost ~$0 but stay in your Organization
Adopt (new owner team takes over) Active workload found that someone still uses Owner accepts the budget and the operational responsibility
Delete (close the account) Confirmed nothing of value, no audit-retention need Closure is permanent after 90 days; cannot recover anything
Invoice the team Workload exists, owner found, payment dispute Sets expectation that team owns spend going forward

For 10 unowned accounts, total triage effort is 3 to 5 hours over 2 to 3 days. The ROI ratio is heavy: a few engineering hours against $30k to $80k per month in recovered spend.

The lifecycle policy that prevents the next round

The cleanup is a one-time saving. The lifecycle policy is the structural saving. Without policy, orphans regenerate at roughly 1 to 3 new accounts per quarter as teams reorg and projects end.

The policy has three rules. First, every AWS account in the Organization must have a OwnerTeam tag and a RenewalDate tag. Resources cannot be created in an account that lacks both, enforced by SCP. Second, on the renewal date each year, the platform team validates that the OwnerTeam still exists in HR and the team lead acknowledges renewal. Third, accounts that fail revalidation get auto-tagged lifecycle:orphan, which triggers the Deny-all SCP, which halts new spend within 24 hours.

Architecture diagram

The annual cron job is the low-effort win. It runs once a year per account, sends an email to the OwnerTeam asking for renewal, and auto-tags orphan if no acknowledgment lands within 14 days. Running this for the first time on an existing fleet finds the orphans you already have. Running it forward keeps the fleet clean.

Closing the loop

The whole pattern is a closed-loop FinOps instance. Detect: no-owner-tag at renewal. Decide: auto-tag orphan. Act: attach Deny-all SCP. Verify: no new resources created in the account for 30 days. Same shape as cost anomaly response and IAM remediation, just on an annual cadence instead of 5-minute.

This composes naturally with policy-aware AI cloud governance. The policy graph already knows which teams exist, which accounts they own, and which exceptions are valid. Adding "is this account orphan" is one more rule. The detection runs against the same governance state that powers the rest of the autonomous-cloud loop.

The shadow cloud spend is not a vendor problem or a tooling problem. It is an organizational lifecycle problem with a tooling-shaped fix. AWS Organizations + tag enforcement + annual revalidation + Deny SCPs are all native primitives. The structural cost saving is in the policy, not the cleanup, because the cleanup happens once and the policy holds the line every year after.