Why
Automated enforcement catches waste on day one. Enforced auto-shutdown of non-production environments is more effective than voluntary compliance. Policies that prevent waste at provisioning are cheaper than recommendations that fix it after the fact.
What
Deploy automations for common optimisation actions that don’t require human judgment — scheduled shutdown of non-prod, cleanup of unattached resources, and policy-based prevention.
How
Implement Non-Prod Shutdown Schedules
| Provider | Tool | Mechanism |
|---|---|---|
| AWS | Instance Scheduler or EventBridge+Lambda | Stop tagged instances at 19:00, start at 07:00 weekdays |
| Azure | Start/Stop VMs (Azure Automation) | Runbook targets VMs tagged auto-shutdown: true |
| GCP | Cloud Scheduler + Cloud Functions | Function stops/starts labelled instances on schedule |
Target: all dev and sbx environments by default; stg is opt-in; prod is never auto-stopped. Expected savings: ~65% on non-prod compute.
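The targeting rule above (dev/sbx by default, stg opt-in, prod never) is the part of the scheduler that most often goes wrong, so here it is as a standalone policy function plus the EventBridge+Lambda wrapper from the AWS row. This is an added example, not code from any vendor tool; the tag names `env` and `auto-shutdown` and the EventBridge payload `{"action": "stop"|"start"}` are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Tag names and values are assumptions for this example.
DEFAULT_ON = {"dev", "sbx"}   # scheduled unless auto-shutdown=false
OPT_IN = {"stg"}              # scheduled only when auto-shutdown=true
NEVER_STOP = {"prod"}         # ignored regardless of tags


@dataclass
class Instance:
    instance_id: str
    state: str                                   # "running" or "stopped"
    tags: dict[str, str] = field(default_factory=dict)


def in_schedule(inst: Instance) -> bool:
    """Targeting rule: dev/sbx by default, stg opt-in, prod never."""
    env = inst.tags.get("env", "").lower()
    flag = inst.tags.get("auto-shutdown", "").lower()
    if env in NEVER_STOP:
        return False                # a stray auto-shutdown=true on prod is ignored
    if env in DEFAULT_ON:
        return flag != "false"      # on by default, explicit opt-out honoured
    if env in OPT_IN:
        return flag == "true"
    return False                    # untagged/unknown env: leave alone


def select_targets(instances: list[Instance], action: str) -> list[str]:
    """Ids to stop (if running) or start (if stopped); idempotent on re-runs."""
    if action not in ("stop", "start"):
        raise ValueError(f"unsupported action {action!r}")
    needed = "running" if action == "stop" else "stopped"
    return [i.instance_id for i in instances if in_schedule(i) and i.state == needed]


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point. Two EventBridge cron rules (weekdays 19:00 -> stop,
    07:00 -> start) invoke this with {"action": "stop"} or {"action": "start"}."""
    import boto3  # imported here so the policy logic above is testable offline
    ec2 = boto3.client("ec2")
    instances: list[Instance] = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for res in page["Reservations"]:
            for i in res["Instances"]:
                tags = {t["Key"]: t["Value"] for t in i.get("Tags", [])}
                instances.append(Instance(i["InstanceId"], i["State"]["Name"], tags))
    ids = select_targets(instances, event["action"])
    if ids:
        op = ec2.stop_instances if event["action"] == "stop" else ec2.start_instances
        op(InstanceIds=ids)
    return {"action": event["action"], "instances": ids}
```

The Lambda role needs only `ec2:DescribeInstances`, `ec2:StopInstances` and `ec2:StartInstances`, and the last two can be further scoped with an `aws:ResourceTag/env` condition so the function cannot touch prod even if the policy function were changed.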
Automate Cleanup of Unattached Resources
| Resource Type | Detection | Action |
|---|---|---|
| Unattached EBS volumes | AWS Config rule / CUR query | Alert → 7 days → snapshot → delete |
| Unattached Azure disks | Azure Policy / Resource Graph | Alert → 7 days → snapshot → delete |
| Old snapshots (>90 days) | Age-based query per provider | Alert → owner review → delete |
| Idle load balancers | Zero target count for >7 days | Alert → owner review → delete |
Deploy Prevention Policies
| Policy | Effect |
|---|---|
| Deny unapproved instance types | Prevents expensive GPU instances in dev |
| Require auto-shutdown tag on non-prod | Ensures scheduling eligibility |
| Block public storage buckets | Prevents accidental data exposure + egress costs |
Deliverable Checklist
- Non-prod shutdown schedules deployed (all providers)
- Unattached resource cleanup automation active
- Old snapshot cleanup automation active
- Prevention policies deployed (instance types, storage access)
- Savings from automation tracked monthly