AWS Cost & Resource Audit — 2026-04-19

Phase 7 partial — Cloudflare zone import (BLOCKED 2026-04-19 22:31 EDT)

• Attempted to create Cloudflare zone for raydata.co and import the 12 founder-approved KEEP records ahead of a morning NS swap at the registrar.
• Blocked at zone creation. POST /zones returned HTTP 403:
  • Requires permission "com.cloudflare.api.account.zone.create" to create zones for the selected account
• The current CloudFlare - claude-rdco token (1Password vault Ray Agent, last edited 2026-04-20T01:22Z) has zone-level Zone:Edit but lacks account-level Zone:Edit, which is what grants zone create. No zone was created. No records were imported. Route 53 remains authoritative.
• The KEEP/DROP record list (founder-approved tonight) is preserved in ~/.claude/state/raydata-co-cloudflare-ns.txt along with the exact founder action needed to unblock (mint/extend the token to include account-level Zone:Edit, save back to the same 1Password notesPlain field, then re-dispatch the import — the wrapper reads 1Password fresh on every call so no restart needed).
• Founder action tomorrow morning (in this order):
  1. Extend token scope (account-level Zone:Edit)
  2. Update 1Password (overwrite the api token: line)
  3. Re-dispatch the import agent — runs end-to-end in <2 min
  4. THEN swap nameservers at the registrar (NS values surface in the same state file once the zone is created)
• Do NOT swap nameservers yet — there is no Cloudflare zone to swap to.

Phase 5 — measured-improvement S3 (DONE 2026-04-20)

• Bucket measured-improvement emptied: 603 objects (388.6 MB) deleted via aws s3 rm --recursive
• Bucket deleted via aws s3api delete-bucket; confirmed gone (aws s3 ls now shows only baw-east + raydataco)
• Local copy intact at ~/Documents/chris-albon-flashcards/ (603 files, 372 MB) — verified by founder before drop
• Cost saved: ~$0.009/mo (370 MB at S3 standard)
• Wall clock: ~2 min (recursive object delete dominated)

Phase 6 — Route 53 stale records purge (DONE 2026-04-20)

• Atomic change batch deleted 11 records in zone Z06829061A1PWB3KEA562 (raydata.co):
  • autodiscover.raydata.co CNAME → autodiscover.outlook.com (legacy Outlook discovery; founder on Google Workspace)
  • 7 SES records: _amazonses TXT, 3x DKIM CNAMEs (hx5hh..., nulfx..., uiqxz...), send.raydata.co MX/TXT, _997664...assets.raydata.co CNAME (ACM cert validation)
  • 2 Postmark records: 20200527223933pm._domainkey TXT, pm-bounces CNAME pm.mtasv.net
  • newsletter.raydata.co A (3 IPs: 3.13.222.255, 3.13.246.91, 3.130.60.26 — old 3rd-party EC2)
• ChangeId C02465662GGIADGHWGJ7A accepted PENDING at 2026-04-20T02:29:59Z
• KEPT (per task instructions): cka._domainkey CNAME + ckespa CNAME (ConvertKit; migration planned later), assets.raydata.co A (CloudFront — Phase 7 cutover), apex SOA/NS
• Final zone: 15 records remaining (apex + Google Workspace + Resend + ConvertKit + assets/sc/www + GitHub challenge + DMARC)
• DEFERRED — _dmarc.raydata.co TXT: still contains rua=mailto:re+n0y3iw5zy2e@dmarc.postmarkapp.com. Did not act unilaterally — DMARC policy affects all sending senders (Resend is still active). Founder should choose: drop the record, replace with v=DMARC1; p=none; placeholder, or retarget rua= to a Resend/Google Workspace reporter.
• Cost saved: $0/mo (Route 53 charges per zone, not per record)
• Wall clock: ~1 min

Phase 8 — EC2 terminations + IGW cleanup (DONE 2026-04-20)

• Terminated 4 stopped t1.micro instances from 2014-2015: i-4bc82865, i-c148c320, i-f03fe601, i-97838266 — all confirmed terminated immediately
• Discovered 1 orphan unattached IGW igw-11f3e273 in us-east-1 (no tags, no attachments, leftover from Classic-EC2 era — Phase 2 cleanup didn’t catch it because it wasn’t attached to any tracked VPC) — deleted
• Final us-east-1 state: 0 VPCs, 0 subnets, 0 ENIs, 0 IGWs, 0 EC2 instances (terminated states retained for AWS’s 60-day window — they fall off automatically)
• Cost saved: $0/mo (stopped instances were already free; this is hygiene)
• Wall clock: ~1 min
• VPCs noted in original audit (vpc-08e94e731c29d150b, vpc-d71520b2, vpc-032085b8f73ae1b51, vpc-57d5c635) all already deleted by Phase 2 — no work needed here

Phase 9 — IAM aws-baw user deletion (DONE 2026-04-20)

• User aws-baw (created 2015-09-06): no attached policies, no inline policies, no group memberships, no MFA, no signing certs, no SSH keys, no service creds, no login profile
• Sole credential: 1 access key AKIAIJOXFKHTTMKKFOVQ (created 2015-09-06, status Active until tonight) — deleted
• User deleted; confirmed gone from aws iam list-users
• Cost saved: $0/mo (security hygiene — that 11-year-old key is no longer a liability)
• Wall clock: <1 min

Phase 10 — Lambda AWSIOTButton deletion (DONE 2026-04-20)

• Function AWSIOTButton (nodejs4.3, last modified 2016-08-24, deprecated runtime since 2020): deleted via aws lambda delete-function
• Confirmed via aws lambda list-functions → empty
• Cost saved: $0/mo (no invocations); cleanup eliminates the deprecated-runtime warning
• Wall clock: <1 min

Phase 4 — raydataco → Cloudflare R2 (PARTIAL 2026-04-20)

• R2 bucket raydataco-assets created (account 4d0d..., default Standard storage class)
• 74 files / 25.41 MB uploaded (note: source had 146 entries on disk but 72 of those were local .meta/*.yaml sidecars from the audit — actual S3 object count was 74, matching what was migrated)
• Verified via wrangler r2 object get + sha256: 4/4 spot checks (Data_Translation10.jpg, Articles.png, site/social-icons/twitter.svg, fonts/nowayround-regular-webfont.woff2) byte-for-byte match against local source
• Triple-match confirmed: local file == live S3 (via assets.raydata.co/CloudFront) == R2 for Data_Translation10.jpg (sha256 66ef7c98a18822b4591a64073613a1a3b62a4270854758ed8fcf3a3990108c63)
• Public access (Path A) enabled at https://pub-6e5ec3f864c04bdaa44a3a9f1853f774.r2.dev — verified 200 OK + correct content-type on jpg/png/svg via curl
• Worker stub (Path B) drafted at ~/cloudflare-workers/raydataco-assets/ (wrangler.toml + src/index.js + README); not deployed — needs raydata.co Cloudflare zone (Phase 7)
• Content-types set per-extension on upload (image/jpeg, image/png, image/svg+xml, font/woff2, font/woff, font/ttf, application/vnd.ms-fontobject)
• Cost saved: $0/mo immediate (CloudFront still serving until Phase 7 cutover; R2 free tier covers 25 MB easily — free tier is 10 GB-month storage + 1M Class A ops/mo)
• Source S3 bucket raydataco UNTOUCHED — cutover (CloudFront delete + S3 delete) is Phase 7 after DNS swap

Phase 2 — SimpleAD chain destruction (DONE 2026-04-20)

• SimpleAD d-906765a3e9 (corp.amazonworkspaces.com, Active since 2021-01-18): delete submitted 2026-04-20T02:16:00Z, gone by 2026-04-20T02:19:35Z (~3m35s)
• NAT Gateway nat-029bb372328ed8249 (in vpc-032085b8f73ae1b51 / databricks-WorkerEnv): delete submitted 2026-04-20T02:16:02Z, state=deleted by 2026-04-20T02:17:18Z (~1m16s)
• EIP 44.211.106.158 (alloc eipalloc-09a8e2619dcf2ea44): released 2026-04-20T02:17:24Z (synchronous)
• Orphan VPCs deleted (4 of 4 — us-east-1 had NO default VPC):
  • vpc-08e94e731c29d150b (172.16.0.0/16, SimpleAD VPC) — 2 subnets, 1 IGW, 1 SG, 1 RTB, 0 endpoints
  • vpc-d71520b2 (10.0.0.0/16, “Lab”) — 1 subnet, 0 IGW, 1 SG (forgeLabs), 0 endpoints
  • vpc-032085b8f73ae1b51 (10.138.0.0/16, “databricks-WorkerEnv”) — 7 subnets, 1 IGW, 2 SGs (dbe-worker), 1 S3 gateway endpoint, 1 RTB
  • vpc-57d5c635 (10.0.0.0/16, no Name) — 2 subnets, 0 IGW, 2 SGs (forge, launch-wizard-1), 0 endpoints
• Pre-flight cross-service check: 0 ALB/NLB, 0 Classic ELB, 0 RDS, 0 EFS, 0 TGW attachments, 0 VPN connections, 0 VPC-attached Lambdas — fully clean teardown
• Final state (us-east-1): 0 directories, 0 NAT gateways, 0 EIPs, 0 VPCs
• Cost saved: $74/mo from next bill cycle ($37.24 SimpleAD + $37.20 NAT/EIP)
• Total wall-clock: ~15 minutes (02:15:29Z → 02:30:31Z)
• Notable: us-east-1 had NO default VPC at start, so all 4 non-default VPCs were torn down. AWS will auto-recreate a default VPC the next time anything in the account touches us-east-1 — that’s expected, harmless, and not a cost.

Phase 3 — Quick S3 deletes (DONE 2026-04-20)

• baw-site: deleted (12 MB freed)
• baw-stitch-csv: deleted (12 KB freed)
• baw-img: deleted (1.1 MB freed)
• elasticbeanstalk-us-east-1-091141868335: SKIPPED — bucket policy contains an explicit Deny on s3:DeleteBucket for all principals (statement Sid eb-58950a8c-feb6-11e2-89e0-0800277d041b, baked in by Elastic Beanstalk at 2013-12-17 creation). To delete, must first aws s3api delete-bucket-policy --bucket elasticbeanstalk-us-east-1-091141868335 then re-run the delete. Cost is $0 either way; deferring to a follow-up so this stays a clean Phase 3.
• db-749db…-s3-root-bucket: deleted (was empty bar 1 directory marker)
• Total freed: ~13 MB (4 of 5 buckets)
• Cost saved: pennies/mo (storage was negligible)
• All contents preserved at ~/aws-bucket-inspect/ for audit trail

2026-04-19 — Phase 1 deletes

CloudFront benjaminandrewwilson.com (DONE)

• Distribution E3F713M5HGF09 (alias assets.benjaminandrewwilson.com, S3 origin baw-img.s3.amazonaws.com, no OAI): disabled at 2026-04-20T01:53Z, deleted at 2026-04-20T01:56:22Z
• ACM cert arn:aws:acm:us-east-1:091141868335:certificate/5cdd4de8-996d-4048-8337-c08725282b19 (assets.benjaminandrewwilson.com, EXPIRED): deleted 2026-04-20T01:57Z
• ACM cert arn:aws:acm:us-east-1:091141868335:certificate/06d4ec55-59a2-47c6-9ca1-8543df49c620 (cdn.benjaminandrewwilson.com, EXPIRED): deleted 2026-04-20T01:57Z — bonus cleanup, was orphaned (no associated distribution)
• OAI: none used (distribution pulled directly from public S3 bucket baw-img)
• Cost saved: $0/mo (was already free tier; this is a cleanup, not a cost win)
• Time elapsed: ~5 minutes wall-clock (CloudFront propagation: 3 min)
• Note: S3 bucket baw-img.s3.amazonaws.com is still present — not part of this teardown. Surface for next phase if it should also be emptied/deleted.

Headline

Ray Data Co’s AWS spend ($71/mo) is 96% pure waste: a forgotten SimpleAD Directory Service from a 2021 Amazon WorkSpaces experiment ($37/mo), and the NAT Gateway + EIP that supports its VPC ($33/mo). No WorkSpaces are deployed. No EC2 is running (4 instances are all stopped t1.micro from 2014-2015). Everything else — Route 53 ($0.54/mo), S3 ($0.01/mo), CloudFront ($0), Lambda ($0), SES (idle) — is rounding error. Kill the Directory Service and the NAT Gateway today and the bill drops to ~$1/mo. The Cloudflare migration is then trivial: 1 Route 53 zone (26 records) → Cloudflare DNS, ~600MB across 8 S3 buckets → R2 (or just download to local archive), 1 CloudFront distribution serving an old benjaminandrewwilson.com asset domain → likely just delete. Total post-migration AWS dependency: zero.

Account: 091141868335. Authenticated as root (short-term, per founder).

Cost Explorer breakdown

Last 3 months by service (USD):

Notes:

• AWS reports VPC EIP charges separately from “EC2 - Other” in some views; combined they are the NAT Gateway cost.
• The full Mar 2026 month was $74.99; Apr is on track for ~$71-73. Founder’s “$70/mo” estimate is correct.
• Jan partial month was 12 days (post 2026-01-19), which is why the totals are smaller — pro-rates to $77/mo.
• Most recent 4-5 days are flagged "Estimated": true by AWS — daily run rate is consistently $2.30-$2.50/day across Apr.

Daily run rate (Apr 14-18, post-estimate window):

• Directory Service: $1.07-$1.35/day (~$36/mo)
• EC2-Other (NAT GW): $1.08/day flat (~$32/mo, exactly the per-hour NAT pricing $0.045 * 24)
• VPC (EIP): $0.12/day (~$3.60/mo, EIP unattached or attached-but-billed)
• Everything else combined: <$0.005/day

Top 5 cost drivers, monthly:

1. AWS Directory Service (SimpleAD corp.amazonworkspaces.com) — $37.24/mo
2. EC2 NAT Gateway in vpc-08e94e731c29d150b — $33.48/mo
3. Amazon VPC EIP 44.211.106.158 — $3.72/mo
4. Amazon Route 53 (raydata.co. zone) — $0.54/mo
5. Amazon S3 (8 buckets) — $0.014/mo

Resource inventory

Directory Service — THE cost driver

This is leftover from an Amazon WorkSpaces experiment in 2021. No WorkSpaces are deployed. Nothing depends on it. Pure waste at $37/mo, $444/yr.

EC2 / NAT Gateway / EIP — second cost driver

The NAT Gateway lives in vpc-08e94e731c29d150b — the same VPC as the Directory Service. There is no EC2, Lambda, or other compute in that VPC consuming NAT egress. It’s running purely to support the Directory Service, which itself supports nothing.

The 4 stopped EC2 instances from 2014-2015 are zero-cost (stopped instances aren’t billed for compute) but are vestigial — terminate them for cleanliness.

Route 53

• 1 hosted zone: raydata.co. (Z06829061A1PWB3KEA562)
• 26 record sets: A, MX, NS, SOA, TXT, plus assets.raydata.co, newsletter.raydata.co, sc.raydata.co, send.raydata.co, www.raydata.co, and DKIM/DMARC records for _amazonses, resend, google, cka (ConvertKit), pm-bounces (Postmark)
• Cost: $0.50/mo per zone + $0.04/mo for queries = $0.54/mo
• This is the only thing in the AWS account that’s actually load-bearing for Ray Data Co operations.

S3

8 buckets, total ~603 MB across ~955 objects:

Total: ~604 MB. Per S3 standard storage at $0.023/GB = $0.014/mo. Effectively free.

CloudFront

1 distribution:

Serves benjaminandrewwilson.com assets. Not Ray Data Co. Disable + delete unless founder still wants benjaminandrewwilson.com images served.

Lambda

1 function in us-east-1:

Zero-cost (no invocations), runtime is deprecated, function definitely not running. Delete.

SES

• Production access: enabled
• Send rate: 14/sec, 50K/day quota
• Sent in last 24h: 0 (clearly migrated off SES — newsletter sends now go through Resend per the DKIM records)
• Cost: $0/mo

RDS

• 0 instances. Good.

Directory Service / WorkSpaces

• 1 directory (above), 0 WorkSpaces.

IAM users

After migration, all of these except claude-rdco (and that one too, eventually) can be deleted.

VPCs

• vpc-08e94e731c29d150b (172.16.0.0/16) — the Directory Service VPC. Delete after Directory Service.
• vpc-d71520b2 (10.0.0.0/16) — likely default VPC, classic-era.
• vpc-032085b8f73ae1b51 (10.138.0.0/16) — unknown.
• vpc-57d5c635 (10.0.0.0/16) — unknown, classic-era.

None contain billable resources. Delete after EC2 cleanup.

Migration plan

Estimated post-migration AWS cost: $0/mo. Estimated savings from steps 1+2 alone: ~$70/mo, ~$840/yr.

Sequence rationale:

1. Kill Directory Service first — biggest dollar item, nothing depends on it.
2. Kill NAT Gateway + EIP second — they only existed to support Directory Service.
3. Migrate DNS to Cloudflare — only thing actually serving Ray Data Co traffic.
4. Sync raydataco bucket to R2 (or just download).
5. Archive other S3 buckets to local backup, then delete buckets.
6. Decide CloudFront/benjaminandrewwilson.com fate (separate decision — that’s a personal site).
7. Delete remaining EC2 (terminate the 4 stopped instances), VPCs, IAM users.
8. Close AWS account.

Kill list (no migration needed, just delete)

These items are running and costing money (or cluttering the account) with no current value to Ray Data Co:

1. AWS Directory Service d-906765a3e9 (corp.amazonworkspaces.com) — $37/mo. Created 2021-01-18 for an Amazon WorkSpaces experiment; no WorkSpaces exist. Pure waste.
2. NAT Gateway nat-029bb372328ed8249 — $32/mo. Lives in the Directory Service VPC. Nothing else uses it. Delete after Directory Service.
3. Elastic IP 44.211.106.158 (eipalloc-09a8e2619dcf2ea44) — $3.60/mo. Attached to the doomed NAT Gateway. Release after NAT delete.
4. EC2 instances i-4bc82865, i-c148c320, i-f03fe601, i-97838266 — $0/mo (stopped) but vestigial t1.micro from 2014-2015. Terminate.
5. Lambda AWSIOTButton — $0/mo. Node 4.3 (long-deprecated runtime), last modified 2016. Dead.
6. S3 bucket db-749db465a3f4c8db38e23f436ba21692-s3-root-bucket — empty. Delete.
7. S3 bucket elasticbeanstalk-us-east-1-091141868335 — basically empty (1 zero-byte object). Delete.
8. S3 bucket baw-stitch-csv — 3 tiny CSVs from 2019 ETL. Almost certainly dead — confirm with founder, then delete.
9. IAM user sendy — Sendy newsletter app from 2015, long since replaced by ConvertKit/Resend.
10. VPCs vpc-d71520b2, vpc-032085b8f73ae1b51, vpc-57d5c635 — empty leftovers. Delete after EC2 cleanup.

Open questions for founder

1. The raydataco S3 bucket has 151 objects (~25 MB) — do you know what’s in it? Best guess: old marketing assets / brand files. If yes, migrate to R2 or download to local. If no idea, I can list the keys for you.
2. The baw-* and measured-improvement S3 buckets are clearly from your benjaminandrewwilson.com / Measured Improvement era. Want them archived to local backup before deletion, or just nuke them?
3. CloudFront assets.benjaminandrewwilson.com — is benjaminandrewwilson.com still a live site you want to keep serving? If yes, migrate to Cloudflare. If no, kill the CloudFront + the baw-* S3 buckets together.
4. Confirmation on Directory Service — do you have any memory of why this exists? I’m 95% sure it’s the leftover of a 2021 Amazon WorkSpaces trial (the directory is named corp.amazonworkspaces.com, the timing matches), and zero WorkSpaces are currently deployed against it. But if there’s any chance you’re using it for something I can’t see, say so before I recommend you pull the trigger.
5. IAM user aws-baw — created 2015, has long-lived access keys somewhere. If those keys are sitting in an old .env file or password manager from your benjaminandrewwilson.com days, rotate or delete them as part of the cleanup.

Migration log

baw-east → iCloud Drive (DONE 2026-04-20)

• Source: AWS S3 bucket baw-east (200MB, 99 files, 2016 wedding photos)
• Destination: /Library/Mobile Documents/comapple~CloudDocs/baw-east-2016-archive/
• iCloud sync: triggered, async upload in progress
• MANIFEST.md filed in destination folder with rollback notes
• Source S3 bucket DELETION DEFERRED pending founder confirmation in morning (founder originally requested Photos.app — iCloud Drive used as zero-touch alternative)