How to Identify Unowned AWS Resources
The resources nobody claims are the ones that cost the most
Every AWS environment has them: orphaned resources, zombie instances, abandoned buckets — resources that are running, incurring cost, and sitting outside anyone's active awareness. Not necessarily abandoned — sometimes actively used — but without a clear, current owner who is responsible for their cost, their security posture, and the decision of whether they should still exist.
Identifying unowned resources is harder than it sounds. The naive approach — find everything without an owner tag — misses most of the problem. And the tools AWS provides for the task, while useful, break down at the scale where the problem is most costly. Here's a systematic way to think about it.
What "Orphaned" or "Unowned" Actually Means
A resource isn't unowned just because it lacks an owner tag. It's unowned when there is no team or individual who:
- Knows the resource exists
- Is actively making decisions about it
- Would be paged if something went wrong with it
- Would notice if it disappeared from the billing report
This is an important distinction. A resource can have an owner tag that points to a team that no longer exists, a person who left six months ago, or a project that was shut down last quarter. The tag says "owned." The reality says otherwise.
Conversely, a resource with no owner tag might be actively managed by a team that just never got around to tagging it. No tag doesn't automatically mean no owner.
Ownership is a relationship between a resource and a team, not a tag value. Finding unowned resources means surfacing where that relationship has broken down — with or without a tag present.
Why It's Harder Than It Looks
Several forces work against ownership clarity in real AWS environments:
Scale
A mid-sized engineering organization running AWS seriously will have tens of thousands of resources across dozens of accounts and regions. The idea of manually reviewing ownership for each one is not a plan — it's a project that never gets done.
Team turnover and reorganization
Resources outlive the people who created them. A database provisioned by an engineer who left two years ago might be critical infrastructure — or it might be a forgotten development environment still running at full capacity. The tag still says their name. The resource is effectively unowned.
Multi-account complexity
AWS Organizations spreads resources across account boundaries in ways that make a unified view of ownership difficult. Cost allocation works across accounts via consolidated billing, but ownership attribution doesn't come with it by default. Each account may have its own tagging convention — or none at all.
Tag drift
Tags decay. What was accurate at resource creation becomes stale as teams reorganize, projects end, and infrastructure changes. An owner tag that was correct twelve months ago may not reflect reality today. There's no built-in mechanism in AWS to detect or correct this.
The Manual Approaches — and Where They Break Down
AWS provides several tools that can help identify untagged or unattributed resources. They're worth knowing, even if they don't fully solve the problem.
AWS Tag Editor
Tag Editor lets you search for resources across services and regions and filter by tag key or value. It's useful for finding resources that are missing a specific tag entirely — for example, everything in us-east-1 without an owner tag.
The limitation: it only shows you what tags are or aren't present. It doesn't tell you whether the tags that exist are accurate. A resource tagged owner: platform-team looks fine in Tag Editor even if the platform team was dissolved last year.
AWS Config
Config can be used to create rules that flag resources violating tagging requirements — for example, any EC2 instance without a required cost-center tag. Combined with conformance packs, you can enforce tag presence across your organization.
The limitation: like Tag Editor, it enforces structure, not accuracy. It also operates prospectively — it catches new violations but doesn't resolve the backlog of existing untagged resources that accumulated before the rule existed.
AWS Cost Explorer and the Cost and Usage Report
The CUR is the most complete record of what's running and what it costs. Filtering by "no tag" or grouping by tag key reveals spend that isn't attributed to anything. This is often the first place teams realize the unowned resource problem is material — when they see a meaningful percentage of spend with no tag to explain it.
The limitation: the CUR shows you financial impact but doesn't help you resolve it. Seeing that 30% of your spend is untagged doesn't tell you who should own those resources.
IAM Access Analyzer and CloudTrail
CloudTrail logs can be used to find the last person or role to interact with a resource, which is a useful ownership signal. IAM Access Analyzer can surface resources that are externally accessible, which is security-relevant but not directly an ownership tool.
The limitation: this approach requires significant query work and doesn't scale to continuous monitoring without substantial investment in tooling.
Signals That Indicate Ownership (or Its Absence)
Finding unowned resources systematically means looking at a combination of signals, not just tag presence. The most useful signals:
- Account structure. Resources in a team-named account carry an implicit ownership signal. A resource in
prod-paymentsis almost certainly owned by the payments team, regardless of its tags. - Naming conventions. Many organizations use naming patterns that embed ownership information —
api-gateway-checkoutorml-training-data-science. These are imperfect but meaningful. - IAM context. The role used to create or last interact with a resource often maps to a team or individual. Cross-referencing IAM role naming with team structure is a reliable signal for recently active resources.
- Usage activity. A resource with zero invocations in 90 days is more likely to be unowned than one that processes traffic daily. Low or zero activity is a strong unowned indicator, especially for compute and storage resources.
- Tag freshness. When a tag was last updated relative to team changes is a signal that existing tags may be stale even if they appear valid.
No single signal is conclusive. The most reliable approach uses all of them together to produce an ownership inference that can be reviewed and confirmed rather than assumed.
A Systematic Approach
Rather than a one-time audit, the goal is a continuous process. The practical steps:
1. Start with financial impact
Pull your CUR and filter for spend with no owner tag (or whatever your equivalent ownership tag is). Sort by cost, descending. The top of that list is where you focus first — the unowned resources that are most expensive. This is a triage exercise, not a comprehensive census.
2. Apply environmental signals
For each high-cost untagged resource, check account name, resource name, and the last IAM principal to interact with it. In most cases, two or three of these signals will point strongly toward a team. Document the inference — you'll need someone to confirm it.
3. Route for confirmation
Take your inferred ownership list to the likely owner teams and ask them to confirm or correct. This is the step most automated approaches skip and most manual approaches get bogged down in. Keep it lightweight: a shared doc or spreadsheet with a column for confirmation is enough to start.
4. Apply tags and track coverage
Once ownership is confirmed, apply tags. Track tag coverage as a metric over time — what percentage of spend is attributed. Watch for it to drift and treat drift as a signal that new unowned resources have entered the environment.
5. Build toward continuous inference
The manual process above works once. It doesn't scale to an environment where dozens of new resources are created every week. Continuous ownership inference — automatically detecting unowned resources as they appear and surfacing them for review — is the only sustainable approach at scale.
What To Do Once You've Found Them
Finding unowned resources opens three options for each one:
- Assign ownership. A team confirms they're responsible. Tag the resource. The resource graduates from "unowned" to "owned and attributed."
- Terminate it. Nobody recognizes it. It has zero recent activity. Terminate and recover the cost. This is often the right call for development and test resources that outlived their purpose.
- Investigate further. Nobody recognizes it, but it has active traffic or connections. Before terminating, investigate whether it's a dependency no one knew about. Unowned resources with active traffic are both a governance failure and a potential security concern.
The goal is not to tag everything. The goal is to ensure every resource has an accountable owner who can make the decision of whether it should exist.
Making It Continuous
A one-time audit of unowned resources is better than nothing, but it's a ceiling, not a floor. Without a continuous process, tag coverage that improves this quarter will decay next quarter as new resources are created without owners.
The teams that solve this durably treat ownership as an operational discipline rather than a cleanup project — with automatic inference to detect new gaps, human review to confirm attributions, and consistent tagging to record and maintain what's been established.
Disipate is built around this loop. If your team is ready to move from a one-time audit to continuous ownership intelligence, we're open to a conversation.