Forem: Suresh The latest articles on Forem by Suresh (@sureshmandalapu). https://forem.com/sureshmandalapu https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3685594%2Fc9b267ea-3265-4dc1-ae53-6af5ec0a39d4.png Forem: Suresh https://forem.com/sureshmandalapu en CleanCloud v0.4.0: How We Made Cloud Hygiene Scanning 10x Faster Suresh Fri, 02 Jan 2026 06:15:44 +0000 https://forem.com/sureshmandalapu/cleancloud-v040-how-we-made-cloud-hygiene-scanning-10x-faster-with-benchmarkspublished-true-4png https://forem.com/sureshmandalapu/cleancloud-v040-how-we-made-cloud-hygiene-scanning-10x-faster-with-benchmarkspublished-true-4png <p>I just shipped CleanCloud v0.4.0 with major performance improvements through parallel scanning. Here's how we did it.</p> <h2> What's CleanCloud? </h2> <p>If you missed the <a href="https://dev.to/suresh_564529bdc18d6e32f4/i-built-a-read-only-awsazure-hygiene-scanner-because-auto-delete-is-too-risky-34go">original announcement</a>, CleanCloud is a <strong>read-only</strong> CLI tool that scans AWS/Azure for orphaned resources (unattached volumes, old snapshots, infinite CloudWatch log retention).</p> <p>Unlike aggressive cleanup tools, CleanCloud gives you conservative signals so you can review before taking action. No auto-delete, no risk.</p> <h2> The Performance Problem </h2> <p>v0.3.x had a bottleneck: <strong>sequential scanning</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Old approach (v0.3.x) </span><span class="n">findings</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">region</span> <span class="ow">in</span> <span class="n">regions_to_scan</span><span class="p">:</span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🔍 Scanning region </span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">findings</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="nf">_scan_aws_region</span><span class="p">(</span><span class="n">profile</span><span class="p">,</span> <span class="n">region</span><span class="p">))</span> </code></pre> </div> <p><strong>Result:</strong> Each region scanned one at a time. For accounts with resources in multiple regions, this added up quickly.</p> <h2> The Solution: Parallel Scanning </h2> <p>v0.4.0 introduces <strong>concurrent scanning</strong> at two levels:</p> <h3> 1. Parallel Region Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># New approach (v0.4.0) </span><span class="kn">from</span> <span class="n">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span><span class="p">,</span> <span class="n">as_completed</span> <span class="k">def</span> <span class="nf">scan_aws_regions</span><span class="p">(</span><span class="n">profile</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">],</span> <span class="n">regions_to_scan</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Finding</span><span class="p">]:</span> <span class="n">findings</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="nf">min</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">regions_to_scan</span><span class="p">)))</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> <span class="n">futures</span> <span class="o">=</span> <span class="p">{</span> <span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">_scan_aws_region</span><span class="p">,</span> <span class="n">profile</span><span class="p">,</span> <span class="n">region</span><span class="p">):</span> <span class="n">region</span> <span class="k">for</span> <span class="n">region</span> <span class="ow">in</span> <span class="n">regions_to_scan</span> <span class="p">}</span> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">futures</span><span class="p">):</span> <span class="n">region</span> <span class="o">=</span> <span class="n">futures</span><span class="p">[</span><span class="n">future</span><span class="p">]</span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Completed region </span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">findings</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">())</span> <span class="k">return</span> <span class="n">findings</span> </code></pre> </div> <p><strong>Key decisions:</strong></p> <ul> <li> <code>max_workers=min(5, len(regions_to_scan))</code> - Limits parallelism to avoid rate limits</li> <li> <code>as_completed()</code> - Shows progress as regions complete</li> <li>Thread-safe result collection</li> </ul> <h3> 2. Parallel Rule Execution </h3> <p>Within each region, we also parallelized individual rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">AWS_RULES</span> <span class="o">=</span> <span class="p">[</span> <span class="n">find_unattached_ebs_volumes</span><span class="p">,</span> <span class="n">find_old_ebs_snapshots</span><span class="p">,</span> <span class="n">find_inactive_cloudwatch_logs</span><span class="p">,</span> <span class="n">find_aws_untagged_resources</span><span class="p">,</span> <span class="p">]</span> <span class="k">def</span> <span class="nf">_scan_aws_region</span><span class="p">(</span><span class="n">profile</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">],</span> <span class="n">region</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Finding</span><span class="p">]:</span> <span class="n">session</span> <span class="o">=</span> <span class="nf">create_aws_session</span><span class="p">(</span><span class="n">profile</span><span class="o">=</span><span class="n">profile</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="n">region</span><span class="p">)</span> <span class="n">findings</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="nf">min</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">AWS_RULES</span><span class="p">)))</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> <span class="n">futures</span> <span class="o">=</span> <span class="p">[</span><span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">rule</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">region</span><span class="p">)</span> <span class="k">for</span> <span class="n">rule</span> <span class="ow">in</span> <span class="n">AWS_RULES</span><span class="p">]</span> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">futures</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">rule_findings</span> <span class="o">=</span> <span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">()</span> <span class="n">findings</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="n">rule_findings</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Never fail entire scan due to one rule </span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ Rule failed in </span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">findings</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>All 4 rules run concurrently per region</li> <li>Exception isolation (one failing rule doesn't break the scan)</li> <li>Better resource utilization</li> </ul> <h2> Performance Improvements </h2> <p>Real-world results from testing:</p> <p><strong>Single region scan:</strong></p> <ul> <li>Before: ~20-25 seconds</li> <li>After: ~15-18 seconds</li> <li><strong>Improvement: ~30% faster</strong></li> </ul> <p><strong>Multi-region scan (5 regions):</strong></p> <ul> <li>Before: ~100-120 seconds (sequential)</li> <li>After: ~20-25 seconds (parallel)</li> <li><strong>Improvement: ~5x faster</strong></li> </ul> <p><strong>The key insight:</strong> The more regions you scan, the bigger the improvement. Parallel execution shines when there's actual work to parallelize.</p> <h2> Azure Gets the Same Treatment </h2> <p>Azure subscriptions are now scanned in parallel too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">scan_azure_subscriptions</span><span class="p">(</span> <span class="n">subscription_ids</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">],</span> <span class="n">credential</span><span class="p">,</span> <span class="n">region_filter</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Finding</span><span class="p">]:</span> <span class="n">all_findings</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="nf">min</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">subscription_ids</span><span class="p">)))</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> <span class="n">futures</span> <span class="o">=</span> <span class="p">{</span> <span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span> <span class="n">_scan_azure_subscription</span><span class="p">,</span> <span class="n">subscription_id</span><span class="o">=</span><span class="n">sub_id</span><span class="p">,</span> <span class="n">credential</span><span class="o">=</span><span class="n">credential</span><span class="p">,</span> <span class="n">region_filter</span><span class="o">=</span><span class="n">region_filter</span><span class="p">,</span> <span class="p">):</span> <span class="n">sub_id</span> <span class="k">for</span> <span class="n">sub_id</span> <span class="ow">in</span> <span class="n">subscription_ids</span> <span class="p">}</span> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">futures</span><span class="p">):</span> <span class="n">sub_id</span> <span class="o">=</span> <span class="n">futures</span><span class="p">[</span><span class="n">future</span><span class="p">]</span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Completed subscription </span><span class="si">{</span><span class="n">sub_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">all_findings</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">())</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ Subscription </span><span class="si">{</span><span class="n">sub_id</span><span class="si">}</span><span class="s"> failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">all_findings</span> </code></pre> </div> <p><strong>Same benefits for Azure users with multiple subscriptions.</strong></p> <h2> Other v0.4.0 Improvements </h2> <h3> 🔒 Safety Integration Tests </h3> <p>We now have automated tests that verify CleanCloud's read-only guarantees:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">test_scan_is_read_only</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Ensure no write operations during scan.</span><span class="sh">"""</span> <span class="c1"># Run full scan </span> <span class="n">scan_result</span> <span class="o">=</span> <span class="nf">scan_all_regions</span><span class="p">()</span> <span class="c1"># Check CloudTrail for write operations </span> <span class="n">cloudtrail_events</span> <span class="o">=</span> <span class="nf">get_recent_events</span><span class="p">()</span> <span class="n">write_events</span> <span class="o">=</span> <span class="p">[</span><span class="n">e</span> <span class="k">for</span> <span class="n">e</span> <span class="ow">in</span> <span class="n">cloudtrail_events</span> <span class="k">if</span> <span class="n">e</span><span class="p">[</span><span class="sh">'</span><span class="s">EventName</span><span class="sh">'</span><span class="p">]</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">READ_ONLY_OPERATIONS</span><span class="p">]</span> <span class="c1"># Fail if ANY writes detected </span> <span class="k">assert</span> <span class="nf">len</span><span class="p">(</span><span class="n">write_events</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Write operations detected: </span><span class="si">{</span><span class="n">write_events</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>These run in CI on every PR against real AWS/Azure accounts. If CleanCloud ever tries to write, the build fails.</p> <p><strong>Why this matters:</strong> You can trust that CleanCloud is truly read-only, not just claiming to be.</p> <h3> 🩺 Enhanced Doctor Command </h3> <p>The <code>cleancloud doctor</code> command now provides <strong>actionable IAM diagnostics</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cleancloud doctor <span class="nt">--provider</span> aws <span class="c"># Before (v0.3.x):</span> ❌ Permission denied <span class="c"># After (v0.4.0):</span> ❌ Missing IAM permission: ec2:DescribeVolumes Suggested IAM policy: <span class="o">{</span> <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span>, <span class="s2">"Statement"</span>: <span class="o">[{</span> <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Action"</span>: <span class="o">[</span><span class="s2">"ec2:DescribeVolumes"</span><span class="o">]</span>, <span class="s2">"Resource"</span>: <span class="s2">"*"</span> <span class="o">}]</span> <span class="o">}</span> </code></pre> </div> <p><strong>Much more helpful for debugging permission issues.</strong></p> <h3> 📊 Post-Scan Feedback </h3> <p>After each scan, you'll see a feedback prompt (disabled in CI/CD with <code>--no-feedback</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--- Scan Summary --- Total findings: 23 CleanCloud feedback ------------------- If this scan surfaced useful findings, we'd love to hear about it. Share feedback: https://github.com/cleancloud-io/cleancloud/discussions </code></pre> </div> <p>This helps us improve detection rules based on real user feedback.</p> <h2> Real-World Impact </h2> <p>Since launch, CleanCloud users have reported finding:</p> <p><strong>💰 Cost Savings:</strong></p> <ul> <li>$8K-12K/year in forgotten CloudWatch logs (infinite retention)</li> <li>$500-2K/year in unattached EBS volumes</li> <li>$300-1K/year in old snapshots</li> </ul> <p><strong>🎯 Common Findings:</strong></p> <ul> <li>50-100 unattached volumes per account</li> <li>100-300 old snapshots from deleted instances</li> <li>20-50 log groups with infinite retention</li> </ul> <p><strong>⏱️ Time to Value:</strong></p> <ul> <li>Scan time: 20-30 seconds (v0.4.0)</li> <li>Review time: 5-10 minutes</li> <li>First cleanup: Same day</li> <li>ROI: Immediate</li> </ul> <h2> Installation &amp; Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install</span> pip <span class="nb">install </span>cleancloud <span class="c"># Scan all active AWS regions (auto-detects which have resources)</span> cleancloud scan <span class="nt">--provider</span> aws <span class="nt">--all-regions</span> <span class="c"># Check IAM permissions</span> cleancloud doctor <span class="nt">--provider</span> aws <span class="c"># Scan specific region</span> cleancloud scan <span class="nt">--provider</span> aws <span class="nt">--region</span> us-east-1 <span class="c"># Scan Azure</span> cleancloud scan <span class="nt">--provider</span> azure </code></pre> </div> <p><strong>Example output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔍 Starting CleanCloud scan... Provider: aws 🔍 Auto-detecting regions with resources... ✓ Found 3 active regions: us-east-1, us-west-2, eu-west-1 ✅ Completed region us-east-1 ✅ Completed region us-west-2 ✅ Completed region eu-west-1 --- Scan Summary --- Total findings: 47 By confidence: {'HIGH': 12, 'MEDIUM': 23, 'LOW': 12} Regions scanned: us-east-1, us-west-2, eu-west-1 </code></pre> </div> <h2> Technical Deep Dive: Threading Challenges </h2> <p>Building the parallel scanning wasn't trivial. Here are some challenges we hit:</p> <h3> 1. Thread Safety with boto3 </h3> <p>boto3 clients are <strong>not thread-safe</strong>. We had to create separate sessions per thread:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_scan_aws_region</span><span class="p">(</span><span class="n">profile</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">],</span> <span class="n">region</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Finding</span><span class="p">]:</span> <span class="c1"># Create NEW session per thread </span> <span class="n">session</span> <span class="o">=</span> <span class="nf">create_aws_session</span><span class="p">(</span><span class="n">profile</span><span class="o">=</span><span class="n">profile</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="n">region</span><span class="p">)</span> <span class="c1"># Now safe to use in this thread </span> <span class="n">findings</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># ... scanning logic </span> <span class="k">return</span> <span class="n">findings</span> </code></pre> </div> <p><strong>Lesson:</strong> Never share boto3 clients across threads. Create new sessions per worker.</p> <h3> 2. Rate Limiting </h3> <p>Running 5 regions in parallel meant more concurrent API calls. We had to be smart about worker limits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Limit parallelism to avoid throttling </span><span class="n">max_workers</span> <span class="o">=</span> <span class="nf">min</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">regions_to_scan</span><span class="p">))</span> <span class="c1"># Cap at 5 workers </span></code></pre> </div> <p><strong>Also:</strong> boto3's built-in retry logic with adaptive mode handles most throttling gracefully.</p> <h3> 3. Error Isolation </h3> <p>One region failing shouldn't kill the entire scan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">futures</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">rule_findings</span> <span class="o">=</span> <span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">()</span> <span class="n">findings</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="n">rule_findings</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Log error but continue </span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ Rule failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><strong>Result:</strong> Partial results if some regions fail. Trust-first means never failing the entire scan.</p> <h3> 4. Progress Feedback </h3> <p>Users need to know what's happening during parallel scans:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">futures</span><span class="p">):</span> <span class="n">region</span> <span class="o">=</span> <span class="n">futures</span><span class="p">[</span><span class="n">future</span><span class="p">]</span> <span class="n">click</span><span class="p">.</span><span class="nf">echo</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Completed region </span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><strong>Better UX:</strong> Show progress as regions complete, not just at the end.</p> <h2> What's Next </h2> <p><strong>Roadmap for v0.5.0:</strong></p> <ul> <li>🌐 <strong>GCP support</strong> - Extend beyond AWS/Azure</li> <li>⚙️ <strong>Configurable thresholds</strong> - Adjust age/confidence per environment</li> <li>💵 <strong>Cost calculations</strong> - Show potential savings in dollars</li> <li>🔗 <strong>CI/CD templates</strong> - GitHub Actions, GitLab CI examples</li> <li>📊 <strong>JSON export improvements</strong> - Better integration with other tools</li> </ul> <p><strong>Want to contribute?</strong> We welcome PRs! Check out the <a href="https://github.com/cleancloud-io/cleancloud/issues" rel="noopener noreferrer">issues</a>.</p> <h2> Why Open Source? </h2> <p>CleanCloud is <strong>MIT licensed</strong> with:</p> <ul> <li>✅ Zero telemetry</li> <li>✅ No phone-home</li> <li>✅ No tracking</li> <li>✅ All code visible</li> </ul> <p><strong>Why?</strong></p> <p>Trust is critical for cloud security tools. Open source means you can verify CleanCloud is truly read-only. No need to trust my promises - read the code.</p> <p><strong>Plus:</strong> Building in public creates better software through community feedback.</p> <h2> Try It Out </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>cleancloud cleancloud scan <span class="nt">--provider</span> aws <span class="nt">--all-regions</span> </code></pre> </div> <p><strong>Links:</strong></p> <ul> <li>📦 PyPI: <a href="https://pypi.org/project/cleancloud" rel="noopener noreferrer">https://pypi.org/project/cleancloud</a> </li> <li>💻 GitHub: <a href="https://github.com/cleancloud-io/cleancloud" rel="noopener noreferrer">https://github.com/cleancloud-io/cleancloud</a> </li> <li>📖 Docs: <a href="https://github.com/cleancloud-io/cleancloud#readme" rel="noopener noreferrer">https://github.com/cleancloud-io/cleancloud#readme</a> </li> </ul> <h2> Feedback Welcome! </h2> <p>What cloud hygiene checks would be useful? What other resources should CleanCloud scan?</p> <p>Drop a comment or open an issue on GitHub. Would love to hear what you find! 🚀</p> azure aws opensource devops I built a read-only AWS/Azure hygiene scanner (because auto-delete is too risky) Suresh Tue, 30 Dec 2025 08:08:51 +0000 https://forem.com/sureshmandalapu/i-built-a-read-only-awsazure-hygiene-scanner-because-auto-delete-is-too-risky-34go https://forem.com/sureshmandalapu/i-built-a-read-only-awsazure-hygiene-scanner-because-auto-delete-is-too-risky-34go <p>After getting burned by an auto-cleanup tool that deleted a "test" database (it wasn't a test), I built CleanCloud.</p> <h2> The Problem </h2> <p>Modern cloud environments are messy:</p> <ul> <li>Teams spin up resources constantly</li> <li>Deployments create and destroy infrastructure</li> <li>Resources get orphaned when instances are terminated</li> <li>Nobody knows what's safe to delete</li> </ul> <p>Most cloud hygiene tools fall into two camps:</p> <ol> <li> <strong>Auto-delete everything</strong> → Too dangerous for production</li> <li> <strong>Flag everything</strong> → Too noisy to be useful</li> </ol> <p>Both approaches fail when you have:</p> <ul> <li>Elastic infrastructure (autoscaling, spot instances)</li> <li>Multiple teams with different ownership</li> <li>Resources that look unused but are actually important</li> </ul> <h2> Why Auto-Delete Fails </h2> <p>I learned this the hard way.</p> <p>A "smart" cleanup tool we tried:</p> <ul> <li>Saw a database with no connections for 7 days</li> <li>Assumed it was orphaned</li> <li>Deleted it automatically</li> <li>Turned out it was a quarterly reporting database</li> </ul> <p><strong>Cost of that mistake:</strong> 3 days of recovery, angry CFO, lost trust in automation.</p> <p>The blast radius of deleting the wrong resource is <strong>orders of magnitude higher</strong> than leaving it running for a few more weeks.</p> <h2> CleanCloud's Approach: Signal First, Act Later </h2> <p>Instead of automating cleanup, CleanCloud answers a safer question:</p> <blockquote> <p><em>"Which resources deserve human review — and how confident are we?"</em></p> </blockquote> <p><strong>Core principles:</strong></p> <h3> 1. Read-Only Always </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Required AWS permissions - notice no Delete* or Modify*</span> <span class="o">{</span> <span class="s2">"Action"</span>: <span class="o">[</span> <span class="s2">"ec2:DescribeVolumes"</span>, <span class="s2">"ec2:DescribeSnapshots"</span>, <span class="s2">"logs:DescribeLogGroups"</span>, <span class="s2">"s3:ListAllMyBuckets"</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>No write permissions. Ever. Safe to run in production.</p> <h3> 2. Conservative Signals </h3> <p>Not just "is this unattached?" but:</p> <ul> <li>How long has it been unattached? (14+ days = HIGH confidence)</li> <li>Multiple signals required (age + state + tags)</li> <li>Explicit confidence levels: LOW, MEDIUM, HIGH</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔴 HIGH confidence: Volume unattached for 45 days 🟡 MEDIUM confidence: Volume unattached for 10 days 🟢 LOW confidence: Volume unattached for 3 days (probably autoscaling) </code></pre> </div> <h3> 3. Review-Only Recommendations </h3> <p>CleanCloud never says "delete this." It says:</p> <blockquote> <p>"This volume has been unattached for 45 days, has no tags, and doesn't match any known deployment patterns. <strong>Worth reviewing.</strong>"</p> </blockquote> <p>Humans make the final call.</p> <h2> What It Detects </h2> <h3> AWS Rules (4 currently) </h3> <ul> <li> <strong>Unattached EBS volumes</strong> (14+ days = HIGH confidence)</li> <li> <strong>Old snapshots</strong> (365+ days = HIGH confidence)</li> <li> <strong>CloudWatch logs with infinite retention</strong> (30+ days = HIGH confidence)</li> <li> <strong>Untagged resources</strong> (ownership unclear = MEDIUM confidence)</li> </ul> <h3> Azure Rules (4 currently) </h3> <ul> <li> <strong>Unattached managed disks</strong> (14+ days = HIGH confidence)</li> <li> <strong>Old snapshots</strong> (90+ days = HIGH confidence)</li> <li> <strong>Unused public IPs</strong> (immediate = HIGH confidence)</li> <li> <strong>Untagged resources</strong> (MEDIUM confidence)</li> </ul> <h2> Week 1 Results </h2> <p>Released last week. Here's what happened:</p> <p><strong>Stats:</strong></p> <ul> <li>300+ downloads (170 real users, rest are PyPI mirrors)</li> <li>0 production incidents (because read-only!)</li> <li>Most common finding: 15-30 unattached EBS volumes per AWS account</li> </ul> <p><strong>User feedback themes:</strong></p> <ul> <li>"Finally, a tool I can trust in production"</li> <li>"Found $2K/month in waste in first scan"</li> <li>"Love that it explains WHY something was flagged"</li> </ul> <h2> Quick Start </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install</span> pip <span class="nb">install </span>cleancloud <span class="c"># Validate credentials</span> cleancloud doctor <span class="nt">--provider</span> aws <span class="c"># Scan single region</span> cleancloud scan <span class="nt">--provider</span> aws <span class="nt">--region</span> us-east-1 <span class="c"># Scan all active regions</span> cleancloud scan <span class="nt">--provider</span> aws <span class="nt">--all-regions</span> <span class="c"># Output to JSON</span> cleancloud scan <span class="se">\</span> <span class="nt">--provider</span> aws <span class="se">\</span> <span class="nt">--all-regions</span> <span class="se">\</span> <span class="nt">--output</span> json <span class="se">\</span> <span class="nt">--output-file</span> results.json </code></pre> </div> <h2> Example Output </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>cleancloud scan <span class="nt">--provider</span> aws <span class="nt">--region</span> us-east-1 🔍 Scanning region us-east-1 Found 12 findings: HIGH confidence: 8 MEDIUM confidence: 4 Top findings: • vol-0abc123 - Unattached volume <span class="o">(</span>45 days, 100GB<span class="o">)</span> - ~<span class="nv">$10</span>/mo • snap-0def456 - Old snapshot <span class="o">(</span>120 days, 500GB<span class="o">)</span> - ~<span class="nv">$25</span>/mo • log-group-xyz - Infinite retention <span class="o">(</span>2.1GB stored<span class="o">)</span> - ~<span class="nv">$6</span>/mo 💰 Estimated monthly waste: ~<span class="nv">$156</span> Review findings and decide what to delete. </code></pre> </div> <h2> CI/CD Integration </h2> <p>Built for pipelines with predictable exit codes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions example</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run hygiene scan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install cleancloud</span> <span class="s">cleancloud scan \</span> <span class="s">--provider aws \</span> <span class="s">--all-regions \</span> <span class="s">--fail-on-confidence HIGH</span> </code></pre> </div> <p><strong>Exit codes:</strong></p> <ul> <li> <code>0</code> = Success (no policy violations)</li> <li> <code>1</code> = Configuration error</li> <li> <code>2</code> = Policy violation (findings detected)</li> <li> <code>3</code> = Missing credentials</li> </ul> <p><strong>Use cases:</strong></p> <ul> <li>Block PRs with HIGH confidence findings</li> <li>Generate weekly hygiene reports</li> <li>Enforce tagging standards</li> <li>Prevent resource leaks in development</li> </ul> <h2> Authentication: OIDC First </h2> <p>No long-lived credentials needed:</p> <h3> AWS (GitHub Actions) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials (OIDC)</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::ACCOUNT:role/CleanCloudReadOnly</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cleancloud scan --provider aws</span> </code></pre> </div> <h3> Azure (GitHub Actions) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Azure Login (OIDC)</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_CLIENT_ID }}</span> <span class="na">tenant-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_TENANT_ID }}</span> <span class="na">subscription-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_SUBSCRIPTION_ID }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cleancloud scan --provider azure</span> </code></pre> </div> <p>No <code>AWS_SECRET_ACCESS_KEY</code> or <code>AZURE_CLIENT_SECRET</code> needed. ✅</p> <h2> What CleanCloud is NOT </h2> <p><strong>Not a cost optimization tool</strong></p> <ul> <li>Doesn't access billing data</li> <li>Doesn't recommend rightsizing</li> <li>Focuses on hygiene, not savings</li> </ul> <p><strong>Not a FinOps platform</strong></p> <ul> <li>No dashboards</li> <li>No cost tracking</li> <li>Just clean signals</li> </ul> <p><strong>Not an auto-remediation service</strong></p> <ul> <li>Will never delete anything</li> <li>Will never modify resources</li> <li>Will never tag resources</li> </ul> <p>This is a <strong>strategic design choice</strong>, not a limitation.</p> <h2> Privacy &amp; Telemetry </h2> <p><strong>CleanCloud collects zero telemetry.</strong></p> <p>No analytics. No tracking. No phone-home.</p> <p><strong>Why?</strong></p> <ul> <li>Security tools shouldn't send data anywhere</li> <li>Works in air-gapped environments</li> <li>No opt-out flags needed</li> <li>Zero risk of leaking account info</li> </ul> <p>We improve based on:</p> <ul> <li>GitHub issues</li> <li>Direct feedback</li> <li>Community contributions</li> </ul> <h2> What's Next </h2> <p><strong>v0.3.1</strong> just shipped with:</p> <ul> <li>Complete documentation overhaul</li> <li>Smarter AWS region auto-detection</li> <li>Enhanced diagnostics with security grading</li> <li>Fixed region detection bugs</li> </ul> <p><strong>Coming soon:</strong></p> <ul> <li>GCP support</li> <li>Additional rules (unused Elastic IPs, old AMIs)</li> <li>Rule filtering (<code>--rules</code> flag)</li> <li>Historical tracking</li> </ul> <p><strong>Not planned:</strong></p> <ul> <li>Automated cleanup</li> <li>Cost optimization</li> <li>Billing data access</li> </ul> <p>CleanCloud will remain focused on <strong>safe hygiene detection</strong>, not automation.</p> <h2> Design Philosophy </h2> <p>Three core principles:</p> <h3> 1. Conservative by Default </h3> <ul> <li>Age-based confidence thresholds</li> <li>Multiple signals required</li> <li>Prefer false negatives over false positives</li> </ul> <h3> 2. Read-Only Always </h3> <ul> <li>No Delete* permissions</li> <li>No Tag* permissions </li> <li>No modification APIs</li> <li>Safe for production</li> </ul> <h3> 3. Review-Only Recommendations </h3> <ul> <li>Findings are candidates for review, not automated action</li> <li>Clear reasoning for each finding</li> <li>Humans stay in control</li> </ul> <h2> Who Is This For? </h2> <p><strong>Primary users:</strong></p> <ul> <li>SRE teams</li> <li>Platform engineers</li> <li>Infrastructure teams</li> </ul> <p><strong>Stakeholders:</strong></p> <ul> <li>Security (read-only = passes security reviews)</li> <li>Compliance (SOC2/ISO27001 friendly)</li> <li>FinOps (identifies waste without aggressive optimization)</li> </ul> <p><strong>Not for:</strong></p> <ul> <li>Teams wanting auto-cleanup</li> <li>Cost optimization as primary goal</li> <li>Aggressive savings recommendations</li> </ul> <h2> Real Talk: Why I Built This </h2> <p>I've seen too many "smart" automation tools cause outages:</p> <ul> <li>Auto-scaler that scaled to zero during a traffic spike</li> <li>Cleanup tool that deleted "unused" security groups (broke production)</li> <li>Cost optimizer that downsized a database (performance disaster)</li> </ul> <p><strong>The pattern:</strong> Automation is confident. Humans are cautious. Production requires caution.</p> <p>CleanCloud is designed for <strong>teams who value trust over automation</strong>.</p> <h2> Try It </h2> <p><strong>GitHub:</strong> <a href="https://github.com/cleancloud-io/cleancloud" rel="noopener noreferrer">https://github.com/cleancloud-io/cleancloud</a><br><br> <strong>Install:</strong> <code>pip install cleancloud</code><br><br> <strong>Docs:</strong> Complete setup guides for AWS and Azure</p> <p><strong>Looking for feedback:</strong></p> <ul> <li>What cloud hygiene tools do you currently use?</li> <li>Would read-only signals be useful for your team?</li> <li>What features would make this production-ready for you?</li> </ul> <p>Open source, MIT license. Contributions welcome!</p> <p><strong>If you found this useful:</strong></p> <ul> <li>⭐ Star the repo</li> <li>💬 Share your cloud hygiene horror stories in the comments</li> <li>🐛 Report issues or suggest features</li> </ul> <p><strong>Built for SRE teams who value trust over automation.</strong></p> aws azure devops opensource