Cloud platforms make it trivial to spin up resources, and equally trivial to forget you ever did. EC2 instances from a project that ended two years ago, S3 buckets created during a hackathon, Lambda functions deployed by a developer who has since left, Azure resource groups that nobody is sure about.
Why Forgotten Resources Are Dangerous
An asset that nobody owns receives no patches, no monitoring, no security review, and no cleanup when something changes around it. The original developer documented none of it, the team that used it has long since moved on, and the service principal it runs as still has the elevated permissions it was granted in 2020. That combination is what makes the asset dangerous rather than merely wasteful: an attacker who lands on an unpatched, unwatched resource inherits whatever privileges it still holds, and nobody is positioned to notice.
How They Accumulate
Cloud resources accumulate through ordinary work. A proof of concept never gets cleaned up. A team gets reorganised and ownership of their resources falls through the cracks. An acquisition brings in another organisation’s cloud accounts that take years to fully integrate.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“When I run a cloud assessment for a new client, the resources nobody can fully account for typically outnumber the ones they can. Not because the team is incompetent, but because cloud platforms make creation easy and decommissioning hard.”
Tagging Discipline Helps but Is Not Enough
Strong tagging policies are the obvious answer: every resource carries owner, project, environment, and review-by tags. In practice, tagging compliance drops over time, exceptions accumulate, and resources created through automation often inherit incomplete tag sets. Policies that reject new resources missing required tags raise compliance at creation time, but they cannot retroactively tag what already exists, and a tag records who was responsible when the resource was created, not whether anything still depends on it today. Tags are an input to discovery, not a substitute for it.
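The audit below is an added example, not code from the original article. It checks an exported inventory against the tag discipline described above and also catches the cases tags alone miss: an owner who has left the directory, a project that is no longer active, and a review-by date that has passed. The inventory records, tag names, owner list and project list are all constructed for illustration.

```python
"""Tag-compliance audit over a cloud resource inventory (added example).

Assumes the inventory has already been exported and normalised into a list of
dicts with an "id" and a "tags" mapping; the field names and sample records
below are constructed, not taken from any real account.
"""
from datetime import date

# The tags the article recommends every resource carry.
REQUIRED_TAGS = ("owner", "project", "environment", "review-by")


def audit_resource(resource, active_owners, active_projects, today):
    """Return a list of findings for one resource; an empty list means compliant.

    active_owners: identities still present in the directory.
    active_projects: project codes that are currently funded or in use.
    """
    tags = resource.get("tags") or {}
    findings = []
    for name in REQUIRED_TAGS:
        if not tags.get(name):
            findings.append(f"missing tag {name}")
    owner = tags.get("owner")
    if owner and owner not in active_owners:
        findings.append(f"owner {owner} no longer in directory")
    project = tags.get("project")
    if project and project not in active_projects:
        findings.append(f"project {project} is not an active project")
    review_by = tags.get("review-by")
    if review_by:
        try:
            due = date.fromisoformat(review_by)
        except ValueError:
            findings.append(f"review-by {review_by!r} is not an ISO date")
        else:
            if due < today:
                findings.append(f"review-by {review_by} is overdue")
    return findings


def audit_inventory(inventory, active_owners, active_projects, today):
    """Map resource id -> findings for every resource that has at least one."""
    report = {}
    for res in inventory:
        findings = audit_resource(res, active_owners, active_projects, today)
        if findings:
            report[res["id"]] = findings
    return report


# Constructed sample inventory: one compliant resource and three deficient ones.
SAMPLE_INVENTORY = [
    {"id": "i-0a1b2c", "type": "ec2",
     "tags": {"owner": "alice", "project": "payments",
              "environment": "prod", "review-by": "2030-01-01"}},
    {"id": "hackathon-uploads", "type": "s3",
     "tags": {"owner": "bob", "project": "hackathon-2021"}},
    {"id": "nightly-report", "type": "lambda",
     "tags": {"owner": "carol", "project": "reporting",
              "environment": "prod", "review-by": "2022-06-30"}},
    {"id": "rg-unknown", "type": "azure-rg", "tags": {}},
]
ACTIVE_OWNERS = {"alice", "bob"}          # assumed directory export
ACTIVE_PROJECTS = {"payments", "reporting"}  # assumed project register
AUDIT_DATE = date(2024, 1, 15)


def run_sample_audit():
    """Run the audit over the constructed inventory and return the report."""
    return audit_inventory(SAMPLE_INVENTORY, ACTIVE_OWNERS, ACTIVE_PROJECTS, AUDIT_DATE)


if __name__ == "__main__":
    for rid, findings in run_sample_audit().items():
        print(rid)
        for finding in findings:
            print("  -", finding)
```

The owner and project checks are the ones worth automating against a live directory export, because a tag that names a departed engineer looks compliant to a naive tag-presence check while telling you nothing about who to ask.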
Cost as a Discovery Signal
Finance teams often spot orphaned resources before security teams do, because a running resource leaves a billing trail even when it leaves no ownership trail. A persistent line item nobody can explain, a sudden spike in a region where the business does not operate, or a billing tag that does not match any active project all serve as useful signals, and the cost export is usually the one inventory that is guaranteed to be complete.
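To show how those three billing signals turn into review candidates, here is an added example that is not part of the original article. It runs over a simplified, constructed monthly cost export; the column names, regions, project codes and thresholds are assumptions chosen for illustration.

```python
"""Cost-based discovery of orphaned cloud resources (added example).

Works on constructed monthly cost lines shaped like a simplified billing
export: month ("YYYY-MM"), resource, region, project (or None), amount.
"""
from collections import defaultdict


def cost_signals(lines, approved_regions, active_projects,
                 persist_months=3, spike_ratio=3.0):
    """Return {signal: [resource ids]} for the three signals the article names.

    unexplained_recurring: spend that keeps recurring for at least
        persist_months with no project tag, or a project nobody runs any more.
    unexpected_region: spend in a region outside the approved set.
    spike: a month-over-month increase of spike_ratio or more.
    """
    signals = defaultdict(list)
    by_resource = defaultdict(dict)   # resource -> {month: amount}
    meta = {}                         # resource -> (region, project)
    for ln in lines:
        months = by_resource[ln["resource"]]
        months[ln["month"]] = months.get(ln["month"], 0.0) + ln["amount"]
        meta[ln["resource"]] = (ln["region"], ln.get("project"))

    for res, months in by_resource.items():
        region, project = meta[res]
        ordered = [months[m] for m in sorted(months)]
        if (project is None or project not in active_projects) \
                and len(ordered) >= persist_months:
            signals["unexplained_recurring"].append(res)
        if region not in approved_regions:
            signals["unexpected_region"].append(res)
        for prev, cur in zip(ordered, ordered[1:]):
            if prev > 0 and cur / prev >= spike_ratio:
                signals["spike"].append(res)
                break
    return dict(signals)


# Constructed sample export: three months for four resources.
SAMPLE_COST_LINES = [
    {"month": "2024-01", "resource": "i-0a1b2c", "region": "eu-west-1", "project": "payments", "amount": 100.0},
    {"month": "2024-02", "resource": "i-0a1b2c", "region": "eu-west-1", "project": "payments", "amount": 100.0},
    {"month": "2024-03", "resource": "i-0a1b2c", "region": "eu-west-1", "project": "payments", "amount": 100.0},
    {"month": "2024-01", "resource": "hackathon-uploads", "region": "eu-west-1", "project": None, "amount": 4.2},
    {"month": "2024-02", "resource": "hackathon-uploads", "region": "eu-west-1", "project": None, "amount": 4.3},
    {"month": "2024-03", "resource": "hackathon-uploads", "region": "eu-west-1", "project": None, "amount": 4.4},
    {"month": "2024-02", "resource": "vm-legacy", "region": "ap-southeast-2", "project": "migration-2019", "amount": 50.0},
    {"month": "2024-03", "resource": "vm-legacy", "region": "ap-southeast-2", "project": "migration-2019", "amount": 50.0},
    {"month": "2024-01", "resource": "nightly-report", "region": "eu-west-1", "project": "reporting", "amount": 10.0},
    {"month": "2024-02", "resource": "nightly-report", "region": "eu-west-1", "project": "reporting", "amount": 12.0},
    {"month": "2024-03", "resource": "nightly-report", "region": "eu-west-1", "project": "reporting", "amount": 40.0},
]
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}   # assumed operating footprint
ACTIVE_PROJECTS = {"payments", "reporting"}         # assumed project register


def run_sample_cost_signals():
    """Evaluate the constructed export and return the signal map."""
    return cost_signals(SAMPLE_COST_LINES, APPROVED_REGIONS, ACTIVE_PROJECTS)


if __name__ == "__main__":
    for signal, resources in run_sample_cost_signals().items():
        print(f"{signal}: {', '.join(resources)}")
```

The small, steady line item (a few units a month for an untagged bucket) is the one that survives longest in real accounts; it never trips a budget alert, so the persistence check matters more than the spike check for finding forgotten resources.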
Cleanup Has to Be Safe
Killing a forgotten resource sometimes turns out to be a bad idea. The function nobody remembers may still get called occasionally by another system. The bucket nobody owns may contain data that someone else relies on. Deletion has to follow a discovery and validation process: check the telemetry the platform already keeps (invocation metrics, access logs, last-login and last-used timestamps), check whether anything still references the resource (IAM policies, other resources' configuration, DNS records), and prefer disabling over deleting as the first step. A resource that is blocked rather than destroyed can be restored when the quarterly report breaks; a deleted one cannot, so back up any data it holds before the final removal.
Building It Into the Calendar
Set a quarterly cadence for cloud cleanup activities. Run discovery, compare the result to the active inventory, identify candidates for review, and work through them systematically: validate, quarantine, wait, then delete. Treat the exercise as part of normal operations rather than a special project, and carry unresolved candidates forward so that the quarantine clock started in one quarter is honoured in the next.
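The decision logic below is an added example, not code from the original article. It implements the safe-cleanup process described in the previous two sections as a quarterly pass: discovered resources are compared against the known inventory, and each unknown one is assigned an action (keep, quarantine, wait, restore or delete) from its telemetry, its references and its quarantine state. The activity window, quarantine period, candidate records and inventory are all assumptions constructed for illustration.

```python
"""Quarterly cleanup planner for unowned cloud resources (added example).

Assumes someone has already gathered, per resource: the last observed activity
from platform telemetry, the things that still reference it, whether it holds
data, when it was quarantined (access blocked but not deleted), and how many
accesses were denied while quarantined. All sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ACTIVITY_WINDOW = timedelta(days=90)   # assumed: recent use means keep
QUARANTINE_PERIOD = timedelta(days=30)  # assumed: quiet this long before delete


@dataclass
class Candidate:
    id: str
    kind: str
    last_activity: Optional[date] = None          # None = no telemetry at all
    referenced_by: list = field(default_factory=list)
    holds_data: bool = False
    quarantined_since: Optional[date] = None
    denied_attempts_in_quarantine: int = 0


def decide(c, today):
    """Return (action, reason) for one candidate on the given date."""
    if c.referenced_by:
        return "keep", "still referenced by " + ", ".join(c.referenced_by)
    if c.quarantined_since is None:
        if c.last_activity is None:
            return "quarantine", "no telemetry; block access and watch for failures"
        idle = today - c.last_activity
        if idle <= ACTIVITY_WINDOW:
            return "keep", f"active {idle.days} days ago"
        return "quarantine", f"idle since {c.last_activity}; block access before deleting"
    # Already quarantined: the block itself is the validation step.
    if c.denied_attempts_in_quarantine:
        return "restore", (f"{c.denied_attempts_in_quarantine} blocked access attempts "
                           "during quarantine; something still uses it")
    elapsed = today - c.quarantined_since
    if elapsed < QUARANTINE_PERIOD:
        return "wait", f"{(QUARANTINE_PERIOD - elapsed).days} days of quarantine remaining"
    if c.holds_data:
        return "delete", "quarantine elapsed quietly; export the data, then delete"
    return "delete", "quarantine elapsed quietly; delete"


def plan_cleanup(discovered, inventory_ids, today):
    """Compare discovery to the active inventory and decide on each unknown resource."""
    return {c.id: decide(c, today) for c in discovered if c.id not in inventory_ids}


# Constructed discovery output for the quarter and the assumed known inventory.
TODAY = date(2024, 4, 1)
KNOWN_INVENTORY = {"i-0a1b2c"}
DISCOVERED = [
    Candidate("i-0a1b2c", "ec2", last_activity=date(2024, 3, 31)),
    Candidate("poc-db", "rds", last_activity=date(2023, 1, 1),
              referenced_by=["iam policy report-reader"], holds_data=True),
    Candidate("nightly-report", "lambda", last_activity=date(2024, 3, 20)),
    Candidate("hackathon-uploads", "s3", last_activity=date(2021, 11, 5), holds_data=True),
    Candidate("legacy-export", "lambda", quarantined_since=date(2024, 3, 10),
              denied_attempts_in_quarantine=3),
    Candidate("old-queue", "sqs", quarantined_since=date(2024, 3, 20)),
    Candidate("rg-unknown", "azure-rg", last_activity=date(2023, 1, 1),
              quarantined_since=date(2024, 2, 15)),
]


def run_sample_plan():
    """Plan the constructed quarter and return {resource id: (action, reason)}."""
    return plan_cleanup(DISCOVERED, KNOWN_INVENTORY, TODAY)


if __name__ == "__main__":
    for rid, (action, reason) in run_sample_plan().items():
        print(f"{action:10} {rid:20} {reason}")
```

The "restore" branch is the point of the whole process: a quarantine that records denied access attempts turns "nobody remembers this" into evidence either way, which a straight deletion never provides.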
