LOW EC2

Stopped EC2 instances (cost)

Check ID: aws-ec2-003

AWS-EC2-003 is a check performed by cloud-audit, an open-source AWS security scanner. It flags EC2 instances in the stopped state: compute billing ends when an instance stops, but the EBS volumes attached to it continue to incur charges.

Why it matters

Stopped EC2 instances are not billed for compute, but they still incur charges for their attached EBS volumes, for any Elastic IP address that remains associated with them, and for any EBS snapshots taken of them. A single stopped m5.xlarge with a 500GB gp3 volume costs approximately $40/month in EBS charges alone (500 GB at the us-east-1 list price of $0.08 per GB-month). Across an organization with hundreds of forgotten instances this adds up to thousands of dollars monthly; stopped instances are commonly estimated at 5-8% of typical enterprise EC2 spending. A forgotten stopped instance is also a security liability: it keeps its security groups, its IAM instance profile and whatever unpatched software was on it, and anyone with ec2:StartInstances can bring it back online. If the instance may be needed later, create an AMI and terminate the instance; the AMI stores only EBS snapshots, which are billed per GB of used blocks at snapshot rates rather than for the full provisioned volume, and you can relaunch from it at any time. For temporary workloads, launch with the instance-initiated shutdown behavior set to terminate, so that a shutdown from inside the instance terminates it instead of leaving it stopped.

Common causes

Instances are stopped instead of terminated because engineers want to preserve the instance configuration for possible future use. Development and test instances are stopped at the end of the day or sprint and never cleaned up because nobody confirms they are no longer needed. Terminating an instance deletes every EBS volume whose DeleteOnTermination flag is set (the root volume by default), so teams treat stopping as the safe option instead of taking an AMI first. Stopping protects only EBS data, however: instance store data is discarded on stop just as it is on termination.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
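To see what the check is actually doing, or to triage findings without the scanner, here is an added example (written for this page, not cloud-audit's own code) that applies the same logic to the JSON returned by aws ec2 describe-instances and aws ec2 describe-volumes. The sample data and the per-GB prices are constructed assumptions; the price table reflects us-east-1 list prices and should be adjusted for your region. Beyond the bare stopped-state check, it recovers the stop time from the free-form StateTransitionReason string, sums the attached EBS storage, and reports the two attributes that turn a forgotten instance into a security problem as well as a cost: an Elastic IP that is still billed, and an IAM instance profile that can be revived with ec2:StartInstances.

```python
"""Find stopped EC2 instances and estimate the EBS spend they still generate.

Added example for this page, not cloud-audit's own code. It consumes the JSON
shapes returned by `aws ec2 describe-instances` and `aws ec2 describe-volumes`,
so it runs offline on the constructed sample below; for live use feed it the
output of those two commands (or the boto3 equivalents).
"""
import re
from datetime import datetime, timezone

# Assumed on-demand EBS prices in USD per GB-month (us-east-1 list prices);
# adjust for your region before trusting the dollar figures.
EBS_PRICE_PER_GB_MONTH = {"gp2": 0.10, "gp3": 0.08, "io1": 0.125, "io2": 0.125,
                          "st1": 0.045, "sc1": 0.015, "standard": 0.05}

# EC2 reports when an instance stopped only inside the free-form
# StateTransitionReason string, e.g. "User initiated (2024-01-15 10:22:03 GMT)".
_STOP_TIME = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def parse_stop_time(reason):
    """Stop time as an aware UTC datetime, or None when the reason string carries
    no timestamp (for example after a scheduled-retirement stop)."""
    match = _STOP_TIME.search(reason or "")
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_stopped_instances(instances_response, volumes_response, now):
    """One finding per stopped instance: attached storage, monthly EBS cost, how
    long it has been stopped, and the attributes that make a forgotten instance a
    security liability as well as a cost."""
    volumes = {v["VolumeId"]: v for v in volumes_response["Volumes"]}
    findings = []
    for reservation in instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "stopped":
                continue
            attached = [volumes[m["Ebs"]["VolumeId"]]
                        for m in inst.get("BlockDeviceMappings", [])
                        if "Ebs" in m and m["Ebs"]["VolumeId"] in volumes]
            stopped_at = parse_stop_time(inst.get("StateTransitionReason"))
            findings.append({
                "instance_id": inst["InstanceId"],
                "ebs_gib": sum(v["Size"] for v in attached),
                # No compute is billed while stopped; storage is the whole bill.
                "ebs_monthly_usd": round(sum(v["Size"] * EBS_PRICE_PER_GB_MONTH.get(v["VolumeType"], 0.10)
                                             for v in attached), 2),
                "stopped_days": (now - stopped_at).days if stopped_at else None,
                # Auto-assigned public IPs are released on stop, so a public IP still
                # associated with a stopped instance is an Elastic IP, billed while idle.
                "elastic_ip": any("Association" in ni for ni in inst.get("NetworkInterfaces", [])),
                # A role on a forgotten instance is a latent credential: anyone with
                # ec2:StartInstances can bring it back and use it.
                "instance_profile": (inst.get("IamInstanceProfile") or {}).get("Arn"),
            })
    return findings


# Constructed sample output, trimmed to the fields used above; IDs are made up.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0f1e2d3c4b5a69788", "State": {"Name": "stopped"},
     "StateTransitionReason": "User initiated (2024-01-15 10:22:03 GMT)",
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0a1b2c3d4e5f60718"}}],
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10"}}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/legacy-admin"}},
    {"InstanceId": "i-00112233445566778", "State": {"Name": "running"},
     "StateTransitionReason": "",
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0123456789abcdef0"}}],
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.11"}}]},
    {"InstanceId": "i-0abcdef0123456789", "State": {"Name": "stopped"},
     "StateTransitionReason": "Server.ScheduledStop: Stopped due to scheduled retirement",
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0fedcba9876543210"}}],
     "NetworkInterfaces": [{}]},
]}]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60718", "Size": 500, "VolumeType": "gp3"},
    {"VolumeId": "vol-0123456789abcdef0", "Size": 8, "VolumeType": "gp3"},
    {"VolumeId": "vol-0fedcba9876543210", "Size": 30, "VolumeType": "gp2"},
]}
NOW = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for f in find_stopped_instances(SAMPLE_INSTANCES, SAMPLE_VOLUMES, NOW):
        age = "unknown" if f["stopped_days"] is None else f"{f['stopped_days']}d"
        print(f"{f['instance_id']} stopped {age:>8} {f['ebs_gib']:>5} GiB "
              f"~${f['ebs_monthly_usd']:.2f}/mo eip={f['elastic_ip']} role={f['instance_profile'] or '-'}")
```

On the sample, the m5.xlarge comes out at 500 GiB of gp3 for about $40/month, stopped for 60 days, with a billed Elastic IP and a still-attached legacy-admin role; the retired t3.small shows how a stop reason without a timestamp is reported as unknown age rather than dropped. Sort the findings by stopped_days or ebs_monthly_usd to decide which instances to snapshot and terminate first.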

Remediation: AWS CLI

# Create an AMI backup first. AMI names must be unique per account and region,
# so a fixed name such as 'backup' fails on the second instance:
AMI_ID=$(aws ec2 create-image --instance-id INSTANCE_ID --name "backup-INSTANCE_ID" --region REGION --query ImageId --output text)
# Wait until the AMI and its snapshots are available before removing the source volumes:
aws ec2 wait image-available --image-ids "$AMI_ID" --region REGION
# Then terminate. This fails if termination protection is enabled on the instance;
# check with: aws ec2 describe-instance-attribute --instance-id INSTANCE_ID --attribute disableApiTermination --region REGION
aws ec2 terminate-instances --instance-ids INSTANCE_ID --region REGION

Remediation: Terraform

# Remove the aws_instance resource from your Terraform config and run
# terraform apply, or set count = 0. Terraform does not take an AMI before
# destroying the instance, so create one first if the data matters, and
# remove any separately declared aws_ebs_volume resources as well: they
# are not deleted along with the instance.

This check is part of cloud-audit - install with pip install cloud-audit