CleanCloud v1.3.0 — 20 rules to find what's costing you money in AWS and Azure #71

@sureshcsdp

If you’re one of the 200+ users who have downloaded CleanCloud, we’d love to hear what you found.

Please open an issue or leave a comment below.

Most cloud cost tools require write access, send data to SaaS platforms, and generate reports no one acts on.

CleanCloud is different: read-only, runs in your environment, and enforces hygiene as a CI/CD gate.

AWS Rules (10)

  1. Unattached EBS Volumes — Volumes not attached to any instance
  2. Old EBS Snapshots — Snapshots older than 90 days
  3. Infinite Retention CloudWatch Logs — Log groups with no retention policy
  4. Unattached Elastic IPs — IPs unattached for 30+ days
  5. Detached Network Interfaces — ENIs detached for 60+ days
  6. Untagged Resources — EBS volumes, S3 buckets, and log groups without tags
  7. Old AMIs — Machine images older than 180 days
  8. Idle NAT Gateways — ~$32/month each, often unused
  9. Idle RDS Instances — Zero connections for 14+ days
  10. Idle Load Balancers — Zero traffic for 14+ days

Azure Rules (10)

  1. Unattached Managed Disks — Disks not attached to any VM
  2. Old Snapshots — Snapshots older than 90 days
  3. Unused Public IPs — IP addresses not associated with any resource
  4. Empty Load Balancers — Load balancers with no backend pools
  5. Empty Application Gateways — Gateways with no backend targets
  6. Empty App Service Plans — Plans with no hosted apps
  7. Idle VNet Gateways — Virtual network gateways with no traffic
  8. Stopped (Not Deallocated) VMs — Still incurring full compute charges
  9. Idle SQL Databases — Zero connections for 14+ days
  10. Untagged Resources — Critical resources without proper tagging

What You Get With Every Finding

  • Confidence level — HIGH / MEDIUM based on evidence strength
  • Evidence and signals — Clear reasoning for each detection
  • Resource details — Name, ID, region, age, and estimated cost impact

Enforce in CI/CD

cleancloud scan --provider aws --all-regions --fail-on-confidence HIGH

  • Exit 0 = pass
  • Exit 2 = policy violation
  • No write access
  • No telemetry
  • No SaaS

Get Started in 2 Minutes

pip install cleancloud
cleancloud scan

GitHub: https://github.com/cleancloud-io/cleancloud


Tags: #CloudCost #FinOps #AWS #Azure #DevOps #SRE #CICD #CloudSecurity #OpenSource #PlatformEngineering
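
A sketch of how two of the AWS rules above (unattached EBS volumes, snapshots older than 90 days) and the confidence-based exit code can be evaluated from read-only inventory data. This is an added example, not CleanCloud's own code: the function names, the `settle_days` threshold, the way HIGH and MEDIUM are assigned, and the "MEDIUM also fails when the gate is set to MEDIUM" ordering are assumptions, and the inventory is constructed sample data shaped like EC2 `DescribeVolumes` / `DescribeSnapshots` items.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable
RANK = {"MEDIUM": 1, "HIGH": 2}

# Constructed inventory, shaped like EC2 DescribeVolumes / DescribeSnapshots items.
VOLUMES = [
    {"VolumeId": "vol-aaa", "State": "in-use", "CreateTime": NOW - timedelta(days=400),
     "Attachments": [{"InstanceId": "i-111"}]},
    {"VolumeId": "vol-bbb", "State": "available", "CreateTime": NOW - timedelta(days=45),
     "Attachments": []},
    {"VolumeId": "vol-ccc", "State": "available", "CreateTime": NOW - timedelta(days=2),
     "Attachments": []},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-old", "StartTime": NOW - timedelta(days=120)},
    {"SnapshotId": "snap-new", "StartTime": NOW - timedelta(days=10)},
]

def unattached_volumes(volumes, now=NOW, settle_days=7):
    """Unattached EBS volumes. Assumption: a volume younger than settle_days
    may still be mid-provisioning, so it is reported as MEDIUM, not HIGH."""
    findings = []
    for v in volumes:
        if v["State"] == "available" and not v["Attachments"]:
            age = (now - v["CreateTime"]).days
            conf = "HIGH" if age >= settle_days else "MEDIUM"
            findings.append({"rule": "ebs-unattached", "id": v["VolumeId"],
                             "age_days": age, "confidence": conf})
    return findings

def old_snapshots(snapshots, now=NOW, max_age_days=90):
    """Snapshots older than 90 days. Assumption: age alone does not prove a
    snapshot is unused (it may back an AMI), so these are MEDIUM."""
    return [{"rule": "snapshot-old", "id": s["SnapshotId"],
             "age_days": (now - s["StartTime"]).days, "confidence": "MEDIUM"}
            for s in snapshots if (now - s["StartTime"]).days > max_age_days]

def gate(findings, fail_on="HIGH"):
    """Exit code for CI: 0 = pass, 2 = policy violation (codes from the page)."""
    hit = any(RANK[f["confidence"]] >= RANK[fail_on] for f in findings)
    return 2 if hit else 0

if __name__ == "__main__":
    found = unattached_volumes(VOLUMES) + old_snapshots(SNAPSHOTS)
    for f in found:
        print(f)
    raise SystemExit(gate(found))
```

Both rules only read inventory fields, which is why a scan of this kind needs no write permissions.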
