Architecting Cloud Waste Hunter: Cross-Account STS & Serverless FinOps

4 min read
Tags: AWS, FinOps, Serverless, Bedrock

Finding unused AWS resources is easy. Building a multi-tenant SaaS that does it securely across hundreds of AWS accounts without hardcoding credentials is the real engineering challenge.

When I started building Cloud Waste Hunter, the primary constraint was security. I couldn't ask users for permanent IAM Access Keys. The solution was cross-account AWS scanning via STS AssumeRole: each customer installs a role from a strict, read-only IAM policy template whose trust relationship requires an external ID, and the system dynamically assumes that role, scans resources (EC2, RDS, EBS, IAM), and discards the temporary credentials once the scan is done.
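As an added example, not the project's own code, here are the two policy documents the customer installs and the AssumeRole call the scanner makes, in Python using boto3's keyword names. The scanner account id, role ARN and the `StubSts` client are constructed placeholders so the block runs offline; in production `sts` would be `boto3.client("sts")`.

```python
SCANNER_ACCOUNT_ID = "111111111111"  # placeholder for the SaaS account, not a real one

# Read-only actions for the services the note lists (EC2, RDS, EBS, IAM); no write verbs.
READ_ONLY_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "rds:DescribeDBInstances",
    "iam:ListRoles", "iam:ListPolicies", "iam:GetPolicyVersion",
]

def trust_policy(external_id: str) -> dict:
    """Trust policy the customer attaches to the scan role: only the scanner account
    may assume it, and only with this tenant's ExternalId (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permissions_policy() -> dict:
    """Least-privilege permissions policy for the same role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": READ_ONLY_ACTIONS, "Resource": "*"}]}

def assume_tenant_role(sts, role_arn: str, external_id: str, tenant_id: str) -> dict:
    """Fetch short-lived credentials for one tenant. `sts` is boto3.client("sts")
    in production or a stand-in here; the keyword names are boto3's."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"waste-hunter-{tenant_id}",  # visible in the tenant's CloudTrail
        ExternalId=external_id,
        DurationSeconds=900,  # shortest allowed; a scan does not need longer
    )
    c = resp["Credentials"]
    # Temporary credentials: use them for the scan, then let them expire; never persist them.
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

class StubSts:
    """Offline stand-in for STS that enforces the ExternalId condition the way AWS would."""
    def __init__(self, expected_external_id: str):
        self.expected = expected_external_id

    def assume_role(self, **kw):
        if kw.get("ExternalId") != self.expected:
            raise PermissionError("AccessDenied: sts:ExternalId condition not satisfied")
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "constructed",
                                "SessionToken": "constructed"}}  # constructed sample values
```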

For the backend, I avoided heavy container orchestration. The entire core is serverless: Next.js API routes trigger AWS Lambda functions for the heavy scanning workloads, and the results land in a structured data lake queried through AWS Glue and Athena for cost analytics.

But identifying waste isn't enough; remediation is the bottleneck. Instead of writing hundreds of regex rules, I integrated Claude on AWS Bedrock to analyze over-permissive IAM policies and generate exact, copy-pasteable CLI commands to fix them. The result is a highly scalable FinOps engine built entirely on native AWS primitives.