🗓️
2025
Cloud Overwatch
By Kaushiik Arul Cloud & Full-Stack Developer | Passionate about CloudOps, Automation, and Serverless Systems

Abstract
Cloud Overwatch is a serverless, event-driven solution designed to reduce cloud waste by automating the deletion of expired AWS resources. Built with AWS Lambda, EventBridge, and DynamoDB, it uses a tag-based lifecycle (overwatch-delete-after) to identify temporary resources. This project addresses the $44.5 billion annual problem of idle cloud resources by acting as a secure, automated "cloud janitor."
Introduction: The "Why"
"It started with a bill."
A few months ago, while experimenting with AWS, I realized something painful — I had spun up a few EC2 instances, an RDS database for testing, and a couple of S3 buckets… and forgot about them.
Weeks later, an inflated AWS bill showed up. It wasn’t huge, but it was enough to make me pause and think: “If I can forget to turn things off, how many teams out there are doing the same thing?”
Turns out — quite a lot.
The Cost of Waste: According to multiple reports, companies waste between 20% and 30% of their cloud budgets every year on idle resources.
The Market Data: A 2025 study by Harness estimated this inefficiency costs around $44.5 billion annually.
The Struggle: Flexera’s State of the Cloud Report revealed that 84% of organizations still struggle to manage cloud spend effectively.
Every cloud developer has been there. Those "temporary" EC2s and databases quietly keep running long after the sprint is over.
The Problem Statement
DevOps engineers usually try to stay on top of this by:
Manually checking the AWS console.
Writing cleanup scripts that break when infrastructure changes.
Using open-source tools like Cloud Custodian that require maintenance.
The Truth: Manual cleanup doesn’t scale. In fast-moving environments, forgotten resources increase security risks, management overhead, and developer fatigue. I wanted to build something simple, secure, and smart enough to act like a cloud janitor quietly working in the background.
The Solution: Cloud Overwatch
Cloud Overwatch is an automated system that detects and cleans up unused AWS resources without constant babysitting.
The Core Philosophy
Serverless First: Using Lambda and EventBridge keeps everything lightweight and cost-efficient (costs virtually nothing when idle).
Security First: It uses a cross-account IAM role via AWS STS (Security Token Service). No access keys, no permanent credentials—just temporary permissions.
Human-in-the-loop: Automation needs a safety net. Before deletion, users get a notification to review or "snooze" the cleanup.
Architecture & Tech Stack
The Stack:
Compute/Orchestration: AWS Lambda, Amazon EventBridge
Database: Amazon DynamoDB (metadata), RDS (logs)
Frontend: Next.js (hosted on Vercel)
Notifications: Amazon SES, Slack Webhooks
System Architecture: The platform runs fully serverless. The frontend interacts with AWS APIs through secure endpoints, while the backend logic is event-driven.

Implementation: How It Works
The workflow is a simple 5-step process built entirely on AWS-native services.
1. Connect Users securely connect their AWS account using a cross-account IAM role. This follows the "AssumeRole" pattern used by enterprise tools like Datadog.

2. Tag Developers tag temporary resources with a specific key. This leverages the native AWS tagging system developers are already used to.
3. Monitor A Lambda function (triggered by EventBridge) scans tagged resources across regions and stores the details in DynamoDB.

4. Automate Once a day, EventBridge triggers the cleanup job. If a resource's expiry date has passed, it is deleted automatically via AWS SDK calls.
5. Notify Before deletion, users receive an alert (Email or Slack) with an option to snooze the cleanup if they need more time.
Challenges & Learnings
Building Cloud Overwatch taught me much more than just API integration.
Cloud waste is easy to overlook: Even small resources add up. Cost awareness must be part of development, not just operations.
Serverless isn’t hands-off: While Lambda simplifies scaling, you still need to handle timeouts, retries, and error monitoring carefully.
Security is architectural: Using cross-account access reinforced the importance of least-privilege IAM roles. Security should be built-in, not added later.
Automation needs a human touch: The "snooze before delete" feature is critical. Safe automation always includes a feedback loop.
Conclusion
What started as a script to fix my own billing mistake turned into a robust lesson in CloudOps. Cloud Overwatch focuses on reliability, event-driven workflows, and clean IAM boundaries to solve a $44 billion industry problem.
Check out the code and contribute here: GitHub: Kaushiik-13/CloudOverwatch