Rules
LeftSize includes 107 rules across AWS and Azure, organized into four categories. The Free plan includes 41 rules; the Pro plan includes all 107.
Categories
Cost Optimization
Identifies idle, underutilized, and over-provisioned resources where you can reduce spend without impacting workloads.
Security
Detects unencrypted storage, public access configurations, open network ports, and other security risks.
Governance
Checks for missing ownership tags, compliance gaps, and organizational policy violations.
Deprecations
Alerts you to outdated service versions and upcoming retirements so you can plan migrations before deadlines.
AWS Rules (59 total)
Cost Optimization (37 rules)
| Rule | Description | Plan |
|---|---|---|
| Inactive EC2 instance | EC2 instances with near-zero CPU utilization for 14+ days | Free |
| Underutilized EC2 instance | EC2 instances consistently below 5% CPU | Free |
| Unattached EBS volume | EBS volumes not attached to any instance | Free |
| Unused Elastic IP | Elastic IPs not associated with a running instance | Free |
| GP2 to GP3 migration | EBS volumes still using older gp2 type (gp3 is cheaper and faster) | Free |
| Idle RDS instance | RDS instances with near-zero connections for 14+ days | Free |
| Orphaned EBS snapshots | EBS snapshots whose source volume no longer exists | Free |
| EC2 scheduled shutdown missing | Non-production instances running 24/7 without auto-shutdown | Free |
| Unused Classic Load Balancer | CLBs with no healthy backend instances | Free |
| RDS Multi-AZ non-production | Non-production RDS instances using expensive Multi-AZ | Free |
| EBS io1/io2 overprovisioned | Provisioned IOPS volumes using far fewer IOPS than provisioned | Free |
| Orphaned RDS snapshots | Manual RDS snapshots for deleted databases | Free |
| S3 incomplete multipart uploads | Incomplete multipart uploads consuming storage | Free |
| S3 non-current versions | S3 buckets with excessive non-current object versions | Free |
| RDS auto-restart pending | Stopped RDS instances about to be auto-restarted by AWS | Free |
| Unused ALB | Application Load Balancers with no registered targets | Pro |
| EC2 outdated generation | Instances using previous-generation types (e.g., m4 instead of m6i) | Pro |
| S3 Intelligent Tiering missing | Large S3 buckets without Intelligent Tiering | Pro |
| S3 missing bucket key | S3 buckets without bucket keys (higher KMS costs) | Pro |
| S3 missing lifecycle policy | S3 buckets without lifecycle policies | Pro |
| RDS outdated version | RDS instances on end-of-life engine versions | Pro |
| RDS non-Graviton | RDS instances not using cost-effective Graviton processors | Pro |
| RDS excessive backup retention | RDS backup retention set beyond reasonable needs | Pro |
| RDS suboptimal storage type | RDS instances using suboptimal storage types | Pro |
| Lambda x86 architecture | Lambda functions not using ARM64 (Graviton) | Pro |
| Inactive NAT Gateway | NAT Gateways with minimal traffic | Pro |
| EBS delete-on-termination disabled | EBS volumes that will become orphaned when the instance terminates | Pro |
| EBS attached to stopped EC2 | EBS volumes attached to long-stopped instances | Pro |
| EC2 non-Graviton | EC2 instances not using Graviton processors | Pro |
| io1 to io2 migration | EBS io1 volumes that should migrate to io2 (same price, better durability) | Pro |
| Spot instance eligible | Fault-tolerant workloads not using Spot instances | Pro |
| Missing VPC endpoint for S3 | VPCs without S3 gateway endpoints (paying data transfer fees) | Pro |
| Idle ECS container instances | ECS instances with no running tasks | Pro |
| Fargate Spot eligible | Fargate tasks eligible for Spot pricing | Pro |
| Multi-AZ non-prod EC2 | Non-production EC2 instances running in multiple AZs unnecessarily | Pro |
| Unused Lambda function | Lambda functions with zero invocations for 30+ days | Pro |
| Idle DynamoDB table | DynamoDB tables with zero read/write for 30+ days | Pro |
| Idle ElastiCache cluster | ElastiCache clusters with zero connections for 14+ days | Pro |
Security (5 rules)
| Rule | Description | Plan |
|---|---|---|
| Public S3 access | S3 buckets with public access enabled | Pro |
| Unencrypted S3 buckets | S3 buckets without server-side encryption | Pro |
| Open security groups | Security groups with unrestricted inbound access (0.0.0.0/0) | Pro |
| Unencrypted EBS volumes | EBS volumes without encryption | Pro |
| Unencrypted RDS instances | RDS instances without encryption at rest | Pro |
Governance (5 rules)
| Rule | Description | Plan |
|---|---|---|
| Missing ownership tags (EC2) | EC2 instances missing required ownership tags | Free |
| Missing ownership tags (S3) | S3 buckets missing required ownership tags | Free |
| Missing ownership tags (RDS) | RDS instances missing required ownership tags | Free |
| Missing ownership tags (EBS) | EBS volumes missing required ownership tags | Free |
| Missing ownership tags (ELB) | Load Balancers missing required ownership tags | Free |
Deprecations (6 rules)
| Rule | Description | Plan |
|---|---|---|
| Lambda deprecated runtime | Lambda functions using end-of-life runtimes | Free |
| ElastiCache EOL Redis | ElastiCache Redis clusters on unsupported versions | Free |
| OpenSearch outdated version | OpenSearch domains on outdated versions | Free |
| EKS outdated version | EKS clusters on unsupported Kubernetes versions | Free |
| Pinpoint deprecated | Amazon Pinpoint approaching retirement (Oct 2026) | Free |
| Timestream deprecated | Amazon Timestream for LiveAnalytics retirement | Free |
Pro-only extras (3 rules)
| Rule | Description | Plan |
|---|---|---|
| ECR no lifecycle policy | ECR repositories without image lifecycle policies | Pro |
| CloudWatch Logs no retention | Log groups without retention policies (storing logs forever) | Pro |
| Secrets Manager unused | Secrets Manager secrets not accessed in 90+ days | Pro |
| ACM certificate expiring | ACM certificates approaching expiration | Pro |
Azure Rules (48 total)
Cost Optimization (21 rules)
| Rule | Description | Plan |
|---|---|---|
| Idle VM | Virtual machines with near-zero CPU for 14+ days | Free |
| Unattached disk | Managed disks not attached to any VM | Free |
| Unused public IP | Public IPs not associated with a resource | Free |
| Hybrid Benefit missing | VMs eligible for Azure Hybrid Benefit but not using it | Free |
| Idle App Service Plan | App Service Plans with low utilization | Free |
| Orphaned snapshots | Disk snapshots whose source disk no longer exists | Free |
| Stopped VM storage costs | Deallocated VMs still paying for premium disks | Free |
| VM scheduled shutdown missing | Non-production VMs without auto-shutdown configured | Free |
| Inactive Load Balancer | Load Balancers with no backend pool members | Free |
| SQL Business Critical non-prod | Non-production SQL databases using expensive Business Critical tier | Free |
| App Gateway idle | Application Gateways with no backend targets | Free |
| Redis Cache underutilized | Azure Cache for Redis instances with near-zero usage | Free |
| SQL Elastic Pool underutilized | Elastic Pools with minimal database activity | Free |
| Idle App Service Plan (no apps) | App Service Plans with zero apps deployed | Pro |
| Outdated App Service Plan | App Service Plans using previous-generation SKUs | Pro |
| VM outdated series | VMs using older series (e.g., Dv2 instead of Dv5) | Pro |
| Storage suboptimal tier | Storage accounts using more expensive tiers than needed | Pro |
| VM ARM architecture | VMs eligible for ARM-based (Ampere) instances | Pro |
| Disk Performance Plus missing | Premium disks not using Performance Plus | Pro |
| SQL Hybrid Benefit missing | SQL databases eligible for Hybrid Benefit | Pro |
| SQL Elastic Pool empty | Elastic Pools with no databases | Pro |
| ACR no lifecycle policy | Container registries without image cleanup policies | Pro |
Security (8 rules)
| Rule | Description | Plan |
|---|---|---|
| Anonymous blob access | Storage accounts allowing anonymous blob access | Pro |
| Storage HTTP allowed | Storage accounts allowing unencrypted HTTP | Pro |
| Storage outdated TLS | Storage accounts using TLS versions below 1.2 | Pro |
| Storage public network access | Storage accounts with unrestricted network access | Pro |
| Public storage access | Storage accounts with public access enabled | Pro |
| Unencrypted storage | Storage accounts without encryption | Pro |
| Open network ports | NSGs with unrestricted inbound access | Pro |
| Unencrypted disks | Managed disks without encryption | Pro |
Governance (7 rules)
| Rule | Description | Plan |
|---|---|---|
| Missing ownership tags (VM) | VMs missing required ownership tags | Free |
| Missing ownership tags (Storage) | Storage accounts missing required ownership tags | Free |
| Missing ownership tags (SQL) | SQL databases missing required ownership tags | Free |
| Missing ownership tags (Disk) | Managed disks missing required ownership tags | Free |
| Missing ownership tags (AKS) | AKS clusters missing required ownership tags | Free |
| Missing ownership tags (Resource Group) | Resource groups missing required ownership tags | Free |
| Key Vault certificate expiring | Key Vault certificates approaching expiration | Pro |
Deprecations (8 rules)
| Rule | Description | Plan |
|---|---|---|
| AKS outdated version | AKS clusters on unsupported Kubernetes versions | Free |
| MariaDB deprecated | Azure Database for MariaDB retirement (Sep 2025) | Free |
| Basic Load Balancer deprecated | Basic Load Balancer SKU retirement (Sep 2025) | Free |
| Application Gateway v1 deprecated | App Gateway v1 SKU retirement (Apr 2026) | Free |
| Standard HDD OS disk retirement | Standard HDD managed disks for OS retirement (Sep 2028) | Free |
| NVv4 series retirement | NVv4-series VM retirement (Sep 2026) | Pro |
| Functions Linux Consumption retirement | Functions Linux Consumption plan retirement (Sep 2028) | Pro |
| SQL DTU model | SQL databases using legacy DTU pricing model | Pro |
Kubernetes (AKS) Optimization (5 rules)
| Rule | Description | Plan |
|---|---|---|
| Orphaned Kubernetes resources | Orphaned PVCs, Services, and ConfigMaps in AKS | Pro |
| Overprovisioned AKS nodes | AKS node pools with excessive unused capacity | Pro |
| Cluster autoscaler disabled | AKS clusters without cluster autoscaler | Pro |
| AKS using expensive VM sizes | AKS nodes using unnecessarily expensive VM sizes | Pro |
| AKS dev clusters always running | Development AKS clusters running 24/7 | Pro |