Product

Automating AWS Cost Optimization with an AI Agent: From Monthly Audits to Daily Savings

Part three of our AWS cost optimization series. You know the seven leaks and you can audit them manually — but waste regenerates daily while audits happen monthly. This post shows how the CloudThinker CostOps agent closes that gap: connect AWS with a read-only IAM role in about five minutes, scan all seven waste sources continuously, and control every change through graduated autonomy (Notify, Suggest, Approve, Autonomous) with a full audit trail. Includes a realistic first-analysis findings table for a mid-market account, sample prompts to try with Alex, and a plain-spoken section on what the agent will not do without your approval.

·
awscostoptimizationfinopscostopsaiagentagenticfinopscloudthinker
Cover Image for Automating AWS Cost Optimization with an AI Agent: From Monthly Audits to Daily Savings

Automating AWS Cost Optimization with an AI Agent: From Monthly Audits to Daily Savings

This is part three of our AWS cost optimization series. Part one mapped the seven places AWS bills leak. Part two walked through auditing all seven with native tools — Cost Explorer, Trusted Advisor, Compute Optimizer, CloudWatch, and the CLI.

If you ran that audit, you now have a findings document and a problem: the audit took hours, the findings started decaying the moment you exported them, and every fix still needs a ticket. Meanwhile the waste regenerates daily — every deploy can orphan a volume, every scale-up can open a coverage gap. Monthly audits versus daily waste is a losing race.

This article covers the automation step: how CloudThinker's CostOps agent runs those same seven checks continuously, what its first analysis of a typical account looks like, and — just as important — what it will not do without your approval.

How the CostOps agent works

Connection: a read-only IAM role, about 5 minutes

CostOps connects to AWS the way your security team would insist on anyway: a cross-account IAM role with read-only permissions. No agents on instances, no credentials stored, no write access at connection time. You create the role from a provided template, paste the role ARN, and the first scan starts. The whole flow takes about five minutes — the connection guide on docs has the exact policy JSON so your security review can see precisely what is (and isn't) granted.

Continuous scanning of all seven waste sources

Once connected, the agent runs the same checks you did manually in part two — continuously, across every region:

  1. Unattached EBS volumes and orphaned snapshots
  2. Idle or oversized EC2 instances (low CPU over 30 days)
  3. Reserved Instance / Savings Plans coverage gaps
  4. Unused Elastic IPs and idle load balancers
  5. Over-provisioned RDS instances
  6. Data transfer costs (cross-AZ, NAT gateway)
  7. Non-production environments running 24/7

The difference from your manual audit isn't the checks — it's the cadence. A volume orphaned on Tuesday is a finding on Tuesday, not a line in next quarter's audit. Findings carry the same evidence you'd gather yourself: the metrics window, the current cost, the projected saving as a range.

Graduated autonomy: you decide what the agent may touch

Every remediation type has an autonomy level you set per environment:

  • Notify — the agent reports the finding. Nothing else. (The default for everything.)
  • Suggest — the agent proposes the specific remediation with projected impact and rollback notes.
  • Approve — the agent prepares the action and executes only after a named human clicks approve.
  • Autonomous — the agent executes and reports. Most teams reserve this for provably-safe, reversible actions in non-prod — deleting a snapshotted unattached volume in staging, say — after weeks of watching the agent be right at the Approve level.

Every action, at every level, lands in an audit trail: what was found, what was proposed, who approved, what changed, when. Nothing about your part-two audit skills is wasted here — you're reviewing the same evidence, minus the hours of collecting it.

What the first analysis typically returns

Numbers below are illustrative — a composite of what a first scan tends to surface on a mid-market account around $60K/month. Your account will differ.

Finding Detail Est. monthly impact
Unattached EBS volumes 23 volumes, 4.1 TB, oldest 14 months ~$380
Orphaned snapshots 1,900 snapshots past any plausible retention ~$640
Idle/oversized EC2 14 instances under 10% avg CPU over 30 days ~$3,100
Savings Plans gap Coverage at 41%; stable baseline supports ~75% ~$4,800
EIPs + idle ALBs 11 unassociated EIPs, 3 ALBs at near-zero requests ~$110
Over-provisioned RDS 2 db.r5.2xlarge at 8% CPU → db.r5.xlarge ~$1,050
NAT gateway traffic 18 TB/month, mostly S3 — VPC endpoint candidate ~$1,300
Non-prod running 24/7 Staging + dev fleets, no schedule ~$5,200

That's roughly $16,500/month identified on day one — about a quarter of the bill — before deeper architectural items. Notice the shape: two boring line items (Savings Plans coverage and non-prod scheduling) dominate, which matches what you'd find manually. The agent's value isn't exotic findings; it's that this table refreshes itself every day and each row arrives with a proposed, approval-gated fix.

Prompts to try in your first session

CostOps is conversational — you ask Alex, CloudThinker's cost engineering agent, in plain language:

  • @alex analyze spending trends over the last quarter and flag anything growing faster than 10% month-over-month
  • @alex identify unattached volumes and unused elastic IPs across all regions
  • @alex recommend reserved instance purchases for stable workloads, with break-even analysis
  • @alex which non-production resources ran between midnight and 6am last week?
  • @alex estimate what a gateway VPC endpoint for S3 would save on our NAT gateway costs

Each answer cites the underlying data — the same Cost Explorer and CloudWatch evidence from part two — so you can verify rather than trust.

What the agent does not do

Worth stating plainly, because "AI agent with access to prod" should make you ask:

  • It is read-only by default. The connection role grants no write permissions. Remediation requires you to explicitly grant scoped write access and set an autonomy level above Notify.
  • It does not delete, resize, or purchase without approval unless you have deliberately set that specific action class to Autonomous for that specific environment.
  • It does not touch anything unfindable in the audit trail. Every proposed and executed action is logged with its evidence and approver.
  • It does not replace judgment on architectural questions. It will tell you the NAT gateway is processing 18 TB of S3 traffic; whether to re-architect the VPC is an engineering decision, and it stays yours.

If you did the part-two audit manually, the right mental model is: the agent is that audit, running daily, with a remediation queue attached — not an autopilot you hand the keys to on day one.

From audit to habit

You know where AWS bills leak. You know how to audit every leak with native tools. The remaining gap is cadence — and that's an automation problem, not an effort problem. Teams that move from monthly manual reviews to continuous, approval-gated optimization typically reduce their AWS bill by 30–50% over the following months, with the biggest wins from coverage and scheduling.

Try CloudThinker free — 100 premium credits, no card required — and follow the connection guide to see your own account's first findings table within the hour.