DB Cost Audit

Independent AWS database cost audit

Find the database savings your cost tool can't see.

Read-only, evidence-first audits across nine AWS database services. Every finding names the account, the resource, and the numbers behind it — and I walk your team through implementing each one, in the right order.

Read-only access 15-minute setup No agents installed Revoke by deleting one stack

One finding from the sample report (synthetic estate, real methodology). Every claim ships with its evidence.

§1 · Why this exists

Built after watching savings that could never materialize

I watched a widely used RI-management tool report a large “on-demand RDS cost” at a company running hundreds of AWS accounts. The number looked urgent — until you noticed it quietly included storage, backups, and I/O: charges that cannot be reserved at all. Finance was being shown reservation savings that were mathematically impossible.

That is what most dashboards do: superficial totals, percentage heuristics, and savings claims nobody sanity-checks. So I built the opposite: an auditor that computes reservation gaps on reservable compute only, sizes every right-sizing call on p95 of two months of hourly metrics, prices every claim from the live AWS Price List — and refuses to claim a saving it cannot verify. Numbers your finance team can take into a review.

§2 · The gap

What generic tools miss

The difference between a dashboard estimate and an audit finding.

Area Typical cost tool This audit
Reservations Counts storage, backup, and I/O as “reservable on-demand spend” — inflated savings Gap computed on reservable compute only, priced against live RI offering rates, upfront amortized
Right-sizing CPU averages over a week or two p95 of hourly maxima over 60 days, memory headroom verified, spike guard blocks unsafe downsizes
Coverage RDS and EC2-centric RDS/Aurora, ElastiCache, Redshift, OpenSearch, DynamoDB, DocumentDB, Neptune, MemoryDB, DMS — 45+ finding types
Hidden charges Invisible Extended Support surcharges, leftover DMS instances, unused DynamoDB indexes, orphaned snapshots, deprecated-service migration deadlines
Savings math Percentage heuristics Live AWS pricing APIs; if the rate cannot be verified, no saving is claimed
Outcome A dashboard you interpret alone Interactive report + personal walkthrough: what to implement, in what order, and how to do it safely

§3 · Coverage

What the audit covers

Findings are grouped into six focus areas. Each carries the account, resource, environment, evidence, confidence, and risk.

Commitments & Reservations

Exact reservation gaps per service, RI waste, expiring terms. Commitment savings are flagged as your decision: the audit shows the math, you know your roadmap.

Idle Resources & Scheduling

Instances idle every night in your business timezone, idle replicas, leftover migration infrastructure, unused indexes — verified over one to two months, never two weeks.

Right-Sizing

p95-based downsizing with spike guards and memory checks. Anything with a CPU spike gets a fix-first recommendation instead of a risky downsize.

Modernization

Graviton moves, previous-generation upgrades, Extended Support surcharge removal, Multi-AZ on non-production.

Storage & Backups

gp2→gp3, over-provisioned IOPS, snapshot hygiene, DynamoDB storage classes and PITR on non-production.

Consultative Reviews

Aurora I/O-Optimized economics, serverless candidates, commercial license reviews: evidence provided, judgment applied together.

RDS / AuroraElastiCacheRedshift OpenSearchDynamoDBDocumentDB NeptuneMemoryDBDMS TimestreamKeyspacesQLDB

§4 · Method

How it works

Fifteen minutes of your team's time. No agents, no write access, no software to install.

1

Deploy one read-only role

You deploy a short CloudFormation template — you can read every line: describe-only permissions, locked to my AWS account with an external ID. Delete the stack at any time and access is gone.

2

I scan, evidence-first

The scanner reads two months of CloudWatch metrics, inventory, reservations, and Cost Explorer data across every linked account in your organization.

3

Walkthrough & implementation plan

Within 48 hours you get the interactive report and a call: which findings to take, in what order, what each change involves, and where the risks are. I stay available while your team implements.

What the role can — and cannot — do

The template grants metadata and metrics access only. It cannot read the data inside your databases, and it cannot change anything.

allowed:   rds:Describe*        cloudwatch:GetMetricData
           dynamodb:Describe*   ce:GetCostAndUsage
           elasticache:Describe*   pricing:GetProducts   ...

never:     no Get/Select on table data · no Put · no Modify
           no Delete · no data-plane access of any kind

Every call the scanner makes is visible in your CloudTrail. Happy to walk your security team through the template line by line before you deploy it.

§5 · Deliverable

What you receive

A single self-contained interactive report — open it in a browser, filter it live, print it to PDF for finance — plus the full findings as machine-readable JSON.

  • Filter live by account, environment, confidence, or free text. Totals recompute as you narrow in
  • Top-10 opportunities up front; savings charts by category, focus area, and account
  • Every finding: account, resource, evidence numbers, recommendation, confidence, risk
  • Methodology under every table. Nothing is a black box
  • CSV export of any filtered view for your own tracking
Open the sample report

Free — no email required

The 8 checks before you reserve anything

Most reservation recommendations commit you to the wrong shape for a year. This one-page checklist is the exact pre-commitment sequence the audit follows: delete, schedule, right-size — then reserve.

Read the checklist

§6 · Guarantee

If the audit doesn't identify savings of at least 5× the fee, you don't pay.

Identified savings are the verified monthly figures in the report, annualized — computed from your live pricing, not estimates. That's how confident I am after auditing estates from a handful of instances to organization-wide footprints.

§7 · Engagements

Pricing

Flat fees, agreed up front. No percentage-of-savings games, no measurement disputes.

Free scan

$0

One account, full report, no strings. You keep the report either way.

  • Full 45+ check coverage on one account
  • 30-minute findings walkthrough
  • Read-only, revoke instantly
Request a free scan

Full estate audit

from $2,500 flat

Complete audit of your estate, from a single account to organization-wide. Fee scales with estate size, agreed up front.

  • All accounts, all nine database services
  • Interactive report + JSON + executive summary
  • Implementation walkthrough with your team
  • Backed by the 5× guarantee
Talk about your estate

Implementation & ongoing

custom

Most teams capture more with help executing.

  • Hands-on implementation of accepted findings
  • Quarterly re-scans as estates drift
  • Database architecture & migration consulting
Discuss a retainer

§8 · Questions

Answers your security team will ask for

What access does the scan actually need?

One IAM role, deployed from a CloudFormation template you can read in full before launching. It contains describe/list/read-metric permissions only — rds:Describe*, cloudwatch:GetMetricData, ce:GetCostAndUsage and similar. It is restricted to my AWS account ID and protected with an external ID. Deleting the stack revokes everything instantly.

Can you see the data inside our databases?

No. The role has no data-plane permissions: no queries, no table reads, no exports. The scan sees names, types, configuration, pricing, and utilization metrics — never row data. Every API call it makes is logged in your CloudTrail, so you can verify exactly that.

What happens to the collected metadata?

It is used to produce your report, delivered to you, and deleted on request after the engagement. The report itself is yours: a self-contained file that never phones home.

How much of our time does this take?

About 15 minutes to deploy the role, 30–60 minutes for the walkthrough call. The report lands within 48 hours of access. Your team implements at its own pace, with me available throughout.

Our estate is small — is this worth it?

Start with the free scan; it answers the question with your own numbers. The 5× guarantee protects the paid audit: if verified findings don't reach five times the fee, there is no fee.

We already run a cost tool. Why add an audit?

Keep it — the audit makes it better. Dashboards surface totals; the audit verifies which claims are real, finds what the tool doesn't model (Extended Support, orphaned DMS, unused indexes), and sequences everything so reservations are bought after deleting, scheduling, and right-sizing — not before.

Why flat fees instead of a percentage of savings?

Percentage pricing rewards inflated claims — the exact problem this audit exists to fix — and creates measurement disputes that outlive the engagement. A flat fee, agreed before work starts, keeps every number in the report honest.

§9 · Who's behind this

One engineer, every engagement

Arinjay Tippannavar — database and cloud engineer. I run production databases at scale for a living and built this auditor because the tooling I saw in the market reported savings that didn't survive contact with a finance review.

Every engagement is personal: I run the scan, I read every finding, and I sit with your team until the changes are implemented safely. No junior handoffs, no black-box SaaS.

arinjay.misc@gmail.com