Sandbox accounts that clean themselves.

An engineering org had 140 sandbox AWS accounts and a $42k/month sandbox bill. Most of the spend was in twelve accounts whose owners had left the company. We built a lifecycle pipeline that watches for ownership, sets budgets, and decommissions silently.

INDUSTRY

Internal engineering org

DOMAIN

LANDING ZONE

DELIVERED

2024

STACK

AWS ORGANIZATIONS·BUDGETS·LAMBDA·STEP FUNCTIONS·COST ANOMALY DETECTION·SES·NUKE

RESULTS

What changed, by the numbers.

SANDBOX BILL

−68%

$42K → $13K / MONTH

ACCOUNTS DECOMMISSIONED

IN 60 DAYS

ORPHANED ACCOUNTS

CONTINUOUSLY VERIFIED

BUDGET ENFORCEMENT

ACTIVE

SOFT/HARD LIMITS PER ACCT

HOW IT WENT

The first ownership audit was the smelly part. Twelve accounts had departed-employee email addresses on file. Several had budgets set to $100,000 in error. One was running a forgotten GPU training job that had been billing $80/day for fourteen months.

The pipeline now checks ownership on a quarterly cycle: email the owner via SES, require a human-in-the-loop "I still need this" response, escalate to their manager, then decommission via AWS Nuke after a 30-day grace period. Cost anomalies trigger immediate review.

The bill dropped from $42k to $13k in two months. Ongoing decay stays under control because the pipeline runs continuously. The engineering org has the same 140 accounts now, but only the ones people actually use.

RELATED · SAME DOMAIN

Other engagements in this space.

SAFFRON · 2024

A GovCloud footprint, established before the contract started.

ON TIMETIME TO CONTRACT START

LARCH · 2026

Guardrails that fail the deploy, not the audit.

−96%POST-DEPLOY VIOLATIONS

PREVIOUSPARALLEL — Off Heroku, onto a bill that scales.NEXT ASPEN — EU customer data that stays in the EU, demonstrably.

READY WHEN YOU ARE

Let's get your AWS bill (and architecture) in order.

The discovery call is free. You walk away with at least one concrete idea — even if we never work together.

Or email directly →