These rules identify EBS volumes using outdated volume types, unattached volumes, volumes attached to stopped instances, oversized volumes, IOPS and throughput over-provisioning on gp3 and io1/io2 volumes, and stale snapshots.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-EBS-1 | Discovery and IaC | EBS Volume Type Not Current Generation |
| CLDBRN-AWS-EBS-2 | Discovery | EBS Volume Unattached |
| CLDBRN-AWS-EBS-3 | Discovery | EBS Volume Attached To Stopped Instances |
| CLDBRN-AWS-EBS-4 | Discovery and IaC | EBS Volume Large Size |
| CLDBRN-AWS-EBS-5 | Discovery and IaC | EBS Volume High Provisioned IOPS |
| CLDBRN-AWS-EBS-6 | Discovery and IaC | EBS Volume Low Provisioned IOPS On io1/io2 |
| CLDBRN-AWS-EBS-7 | Discovery | EBS Snapshot Max Age Exceeded |
| CLDBRN-AWS-EBS-8 | IaC | EBS gp3 Volume Extra Throughput Provisioned |
| CLDBRN-AWS-EBS-9 | IaC | EBS gp3 Volume Extra IOPS Provisioned |
CLDBRN-AWS-EBS-1
EBS Volume Type Not Current Generation
Scan type: Discovery and IaC
What it checks
Flags EBS volumes using first- or second-generation volume types: gp2, io1, or standard. Current-generation equivalents offer better performance at equal or lower cost.
Why it matters
gp3is 20% cheaper thangp2at baseline ($0.08/GB vs $0.10/GB) and allows independent IOPS/throughput tuning without extra costio2offers higher durability (99.999%) thanio1at the same pricestandard(magnetic) is the oldest type and has no cost or performance advantage overgp3
What triggers a finding
Volume type is gp2, io1, or standard.
How to remediate
gp2→ migrate togp3. You can modify volumes in-place with no downtime.io1→ migrate toio2. Same in-place modification, same pricing.standard→ migrate togp3.
aws ec2 modify-volume --volume-id vol-0abc123 --volume-type gp3
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ebs_volume |
| CloudFormation | AWS::EC2::Volume |
CLDBRN-AWS-EBS-2
EBS Volume Unattached
Scan type: Discovery
What it checks
Flags EBS volumes that are not attached to any EC2 instance. Unattached volumes have no running workload consuming them but continue to incur storage charges.
Why it matters
EBS volumes are billed by provisioned storage regardless of whether they are attached or actively used. An unattached 1 TB gp3 volume costs $80/month while providing no value.
What triggers a finding
The volume has no attachments (empty attachments list).
How to remediate
- Verify the volume is not needed (check for recent snapshots, tags indicating ownership)
- Create a final snapshot if you want to preserve the data
- Delete the volume
# Optional: snapshot before deleting
aws ec2 create-snapshot --volume-id vol-0abc123 --description "final backup before delete"
# Delete the volume
aws ec2 delete-volume --volume-id vol-0abc123
CLDBRN-AWS-EBS-3
EBS Volume Attached To Stopped Instances
Scan type: Discovery
What it checks
Flags EBS volumes where every attached EC2 instance is in the stopped state. The volume is provisioned and billed but no running workload is using it.
Why it matters
A stopped EC2 instance does not incur compute charges, but its attached EBS volumes continue to incur storage charges. Long-stopped instances accumulate weeks or months of EBS cost that could be eliminated if the instance is truly no longer needed.
What triggers a finding
The volume has one or more attachments AND all attached instances are in the stopped state. Volumes are skipped if any attached instance's state could not be determined.
How to remediate
- Determine whether the stopped instance will be restarted. If yes, no action needed.
- If the instance is permanently stopped, snapshot the volume, then delete both the instance and volume.
- Consider whether the workload should be migrated to Lambda, containers, or another managed service that doesn't require persistent block storage.
CLDBRN-AWS-EBS-4
EBS Volume Large Size
Scan type: Discovery and IaC
What it checks
Flags EBS volumes larger than 100 GiB. Large volumes carry proportionally higher storage costs and are worth reviewing to confirm the provisioned size matches actual usage.
Why it matters
EBS charges per GB provisioned. A 500 GiB gp3 volume costs $40/month whether you use 10 GiB or all 500. Over-provisioned volumes are common when teams round up during initial setup and never revisit the allocation.
What triggers a finding
sizeGiB is greater than 100.
How to remediate
- Check actual disk usage on the attached instance (e.g.
df -hon Linux) - If usage is well below the provisioned size, create a smaller replacement volume, copy the data, and swap the attachment
- For volumes backing databases, check the DB's data directory size rather than the filesystem total
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ebs_volume |
| CloudFormation | AWS::EC2::Volume |
CLDBRN-AWS-EBS-5
EBS Volume High Provisioned IOPS
Scan type: Discovery and IaC
What it checks
Flags io1 and io2 EBS volumes provisioned above 32,000 IOPS. At this level, IOPS charges dominate the volume cost and small reductions can save hundreds per month.
Why it matters
io1/io2 IOPS are billed at $0.065 per provisioned IOPS-month. A volume at 64,000 IOPS costs ~$4,160/month in IOPS charges alone. If actual IOPS usage is well below the provisioned amount, you're paying for headroom you don't need. CloudWatch VolumeReadOps and VolumeWriteOps metrics show whether the provisioned level is justified.
What triggers a finding
Volume type is io1 or io2 AND iops is greater than 32,000.
How to remediate
- Review CloudWatch IOPS metrics for the past 30 days to find peak usage
- Reduce provisioned IOPS to match peak + a reasonable buffer:
aws ec2 modify-volume --volume-id vol-0abc123 --iops 20000
- If peak IOPS consistently stays below 16,000, consider migrating to gp3 instead (see EBS-6)
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ebs_volume |
| CloudFormation | AWS::EC2::Volume |
CLDBRN-AWS-EBS-6
EBS Volume Low Provisioned IOPS On io1/io2
Scan type: Discovery and IaC
What it checks
Flags io1 and io2 EBS volumes provisioned at 16,000 IOPS or below. At this IOPS level, gp3 can deliver the same performance at a fraction of the cost since gp3 includes 3,000 IOPS free and charges only $0.005 per additional IOPS.
Why it matters
gp3 at 16,000 IOPS costs ~$65/month in IOPS charges plus $0.08/GiB for storage. An io2 volume at 16,000 IOPS costs ~$1,040/month in IOPS alone. For workloads that don't need the higher durability guarantee of io2 (99.999% vs gp3's 99.8%), switching to gp3 can cut the volume cost by over 90%.
What triggers a finding
Volume type is io1 or io2 AND iops is 16,000 or below.
How to remediate
Migrate the volume to gp3 with the same IOPS provisioning:
aws ec2 modify-volume --volume-id vol-0abc123 --volume-type gp3 --iops 16000
gp3 supports up to 16,000 IOPS and 1,000 MiB/s throughput. If your workload needs io2's multi-attach or higher durability, keep io2 but note the cost tradeoff.
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ebs_volume |
| CloudFormation | AWS::EC2::Volume |
CLDBRN-AWS-EBS-7
EBS Snapshot Max Age Exceeded
Scan type: Discovery
What it checks
Flags completed EBS snapshots older than 90 days. Old snapshots accumulate storage charges and often outlive the volumes or instances they were created from.
Why it matters
EBS snapshots are charged at $0.05/GB-month for the data stored. A 500 GiB snapshot costs ~$25/month. Teams that create snapshots before maintenance windows or deployments but never clean them up can accumulate thousands of dollars in snapshot storage over time.
What triggers a finding
Snapshot state is completed AND startTime is more than 90 days ago.
How to remediate
- Review whether the snapshot is still needed (check if the source volume exists, whether there's a more recent snapshot)
- Delete unneeded snapshots:
aws ec2 delete-snapshot --snapshot-id snap-0abc1234def56789
- For ongoing management, use Amazon Data Lifecycle Manager (DLM) to automate snapshot creation and retention so old snapshots are cleaned up automatically
CLDBRN-AWS-EBS-8
EBS gp3 Volume Extra Throughput Provisioned
Scan type: IaC
What it checks
Flags gp3 volumes that provision throughput above the included 125 MiB/s baseline. Every MiB/s above 125 costs $0.04/month, adding up quickly for volumes that may not need the extra throughput.
Why it matters
gp3 volumes include 125 MiB/s throughput at no extra charge. Provisioning above this baseline adds $0.04 per MiB/s-month. A volume set to 1,000 MiB/s pays an extra $35/month in throughput charges. Unless the workload demands sustained sequential reads or writes above 125 MiB/s, the default baseline is sufficient.
What triggers a finding
volumeType is gp3 AND throughputMiBps is greater than 125.
How to remediate
Review the workload's actual throughput needs using CloudWatch VolumeThroughputPercentage. If the volume rarely saturates the baseline 125 MiB/s, remove the extra throughput provisioning in your IaC template.
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ebs_volume |
| CloudFormation | AWS::EC2::Volume |
CLDBRN-AWS-EBS-9
EBS gp3 Volume Extra IOPS Provisioned
Scan type: IaC
What it checks
Flags gp3 volumes that provision IOPS above the included 3,000 baseline. Each additional IOPS costs $0.005/month.
Why it matters
gp3 volumes include 3,000 IOPS at no extra charge. Provisioning above this adds $0.005 per IOPS-month. A volume set to 10,000 IOPS pays an extra $35/month. Many workloads never exceed the 3,000 IOPS baseline, making the extra provisioning pure waste.
What triggers a finding
volumeType is gp3 AND iops is greater than 3,000.
How to remediate
Check CloudWatch VolumeReadOps and VolumeWriteOps to see actual IOPS usage. If the workload stays below 3,000 IOPS, remove the extra provisioning from your IaC template.
IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_ebs_volume |
| CloudFormation | AWS::EC2::Volume |
See Also
- CLI discover command — scan live EBS volumes
- CLI scan command — scan IaC templates for EBS issues
- SDK Reference — run scans programmatically