Can a read-only AWS cost audit tool be trusted? What should I check first?

Asked By TechSavvy42 On

I created a tool called **OpsCurb** that aims to simplify AWS cost reviews by making them less manual. Finding wasted resources across an AWS account usually involves navigating multiple services like Cost Explorer, EC2, RDS, VPC, and CloudWatch, which can be tedious. OpsCurb connects using a read-only IAM role to identify idle resources, outdated snapshots, and other spending patterns worth considering. For example, it caught a NAT Gateway I forgot to delete after dismantling a test VPC. I'm looking for technical feedback on this tool, specifically regarding:
- The reasonableness of the access model
- Any AWS resources or cost indicators that should be included
- What might cause someone to dismiss this tool immediately

If anyone's interested, feel free to check it out at [opscurb.com](http://opscurb.com).

2 Answers

Answered By SecurityFirst99 On

Honestly, I think a standard read-only role can be pretty permissive, especially with access to data in services like S3 and DynamoDB. If a company asks for this kind of role, it raises red flags about their commitment to security and privacy. I’d recommend implementing a fine-grained policy to limit access to just the read actions your tool needs.

OpsCurbDev -

I hear you! While our role is read-only, sometimes 'read-only' doesn't mean 'minimally scoped.' We did start with broader access to cover all necessary cost findings, but I’m planning to tighten it up. What permissions do you think are unnecessary?
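As an added illustration of the "fine-grained policy" point above (example code, not OpsCurb's own and not from either poster): a small check that lists which data-plane read actions a role's policy would grant, run against a constructed broad "read-only" policy and a constructed scoped policy that covers only the billing and metadata calls a cost audit needs. It assumes inline policy documents, and it only inspects Allow statements with an Action element, so Deny statements, NotAction and resource-level conditions are not evaluated.

```python
import fnmatch

# Constructed example of a typical "read-only" role policy: it covers the
# metadata calls a cost audit needs but also grants data-plane reads.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "rds:Describe*", "ce:Get*", "cloudwatch:GetMetricStatistics",
        "s3:Get*", "s3:List*", "dynamodb:GetItem", "dynamodb:Scan"]}],
}

# Constructed scoped alternative: only billing and resource-metadata reads.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ce:GetCostAndUsage", "ec2:DescribeInstances", "ec2:DescribeNatGateways",
        "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "rds:DescribeDBInstances",
        "cloudwatch:GetMetricStatistics", "s3:ListAllMyBuckets"]}],
}

# Actions that return customer data or secrets rather than resource metadata.
# A cost audit never needs these; granting them is the red flag raised above.
DATA_PLANE_ACTIONS = [
    "s3:GetObject", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "kms:Decrypt",
]


def allowed_actions(policy):
    """Flatten every Allow statement's Action element into one list of patterns."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def data_plane_grants(policy):
    """Map each granted data-plane action to the policy pattern that grants it.
    IAM action matching is case-insensitive and supports '*' and '?', which
    fnmatch on lowercased strings reproduces."""
    hits = {}
    for pattern in allowed_actions(policy):
        for action in DATA_PLANE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.setdefault(action, pattern)
    return hits


if __name__ == "__main__":
    print("broad :", data_plane_grants(BROAD_POLICY))   # flags s3:Get* and the DynamoDB reads
    print("scoped:", data_plane_grants(SCOPED_POLICY))  # {}
```

The same check can be pointed at a live role by fetching its attached policy documents with the IAM API and passing each one to `data_plane_grants`.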

Answered By CuriousCoder88 On

Just an honest question—how much of this tool was developed using AI coding assistants?

OpsCurbDev -

About 40% of it was AI-assisted. But I think the bigger concern is if the security-sensitive components stand up to scrutiny, which is where feedback like yours is really helpful!
