Cost

Deregister unused AMIs and their snapshots

AMIs are free; the EBS snapshots backing them aren't — clean up years of forgotten golden images.

13 min·10 sections·AWS

Last reviewed 27 May 2026

Unused AMIs: the basics

What does "unused" mean and why does it cost anything?

An Amazon Machine Image (AMI) is a template for launching EC2 instances. The image itself — the manifest, the kernel pointer, the block-device mapping — costs nothing to keep around. What does cost money is what sits behind it: one or more EBS snapshots, billed per GB-month of stored data, for every volume the AMI was built from.

A multi-volume golden image — root disk plus a few data disks — can easily have three or four snapshots attached to it. At roughly $0.05 per GB-month, a 100 GB AMI quietly bills $5 a month, a 500 GB multi-volume AMI bills $25-30 a month, and a fleet that has accumulated hundreds of forgotten AMIs over five years of CI builds is paying real money for images that nobody has launched in years.

The wastage signal is simple: the AMI hasn't been used to launch an instance for N days, where N is usually 90 or 180. The wastage checker doesn't care about the per-AMI dollar amount — individually they look like rounding errors. It cares about the compound bill across the long tail. Real findings flag AMIs created 1,400 to 1,800 days ago that nobody can name a purpose for.

In this lesson you'll learn how to identify genuinely unused AMIs, why deregistering an image is only half the cleanup job, where the "orphaned snapshot" trap hides, and how to spot the AMIs you absolutely must not touch — the ones still referenced by Launch Templates, Auto Scaling Groups, CloudFormation stacks, AWS Backup vaults, or Image Builder pipelines. You'll see the exact CLI calls to inventory, classify, and safely clean up, plus the policy you need so this doesn't happen again.

Fun fact

The orphaned snapshot bill

Deregistering an AMI does not delete the EBS snapshots it points to. AWS made that deliberate — they don't want you accidentally losing your backups when you tidy up an image. The consequence is a classic FinOps trap: a team runs aws ec2 deregister-image in a loop, congratulates itself for the cleanup, and the next month's bill is identical. The snapshots are still sitting in aws ec2 describe-snapshots, owner-id is still you, and the storage charge keeps ticking. Most multi-year AWS accounts have orphaned snapshots that have outlived the AMI that created them by literal years.

AMI cleanup in action

Nina has just inherited an AWS account from a team that shipped a product five years ago. The wastage report flags 312 unused AMIs in one region alone, with creation dates ranging from 400 to 1,780 days old. Total backing snapshot storage: 11.4 TB.

She doesn't trust the "unused" label on its own — the previous team built a habit of keeping a single "DR golden image" per quarter for compliance. Some of these AMIs are genuinely abandoned CI artifacts; others might be load-bearing. She needs to separate the two before she deletes anything.

Her plan is three passes: enumerate, filter by reference (Launch Templates, ASGs, CloudFormation, Image Builder, Backup), then deregister + delete-snapshot for anything that survives both filters and is older than 180 days with no Keep tag.

First, list every AMI owned by the account along with creation date and the snapshot IDs it references.

$ aws ec2 describe-images --owners self --query 'Images[].{ID:ImageId,Created:CreationDate,Name:Name,Snaps:BlockDeviceMappings[].Ebs.SnapshotId}' --output table

---------------------------------------------------------------------------------------------

| DescribeImages |

+------------------------+---------------------------+--------------------------------+

| Created | ID | Name |

+------------------------+---------------------------+--------------------------------+

| 2021-06-14T03:11:09Z | ami-0a1b2c3d4e5f6a7b8 | ci-build-prod-2021-06-14 |

| 2022-02-22T01:04:51Z | ami-09f8e7d6c5b4a3210 | app-server-golden-2022-02 |

| 2024-11-08T18:42:17Z | ami-0123456789abcdef0 | packer-bake-prod-2024-11-08 |

| 2026-04-30T07:00:00Z | ami-0fedcba9876543210 | app-server-golden-current |

+------------------------+---------------------------+--------------------------------+

# 312 rows total. The 2021 and 2022 rows are over 1,000 days old.

Account inventory of self-owned AMIs with creation dates.

Before deleting anything, check which AMIs are still referenced by something that could launch them tomorrow — Launch Templates, ASGs, and any active Image Builder pipeline.

$ aws ec2 describe-launch-template-versions --launch-template-id lt-0abc123def456 --query 'LaunchTemplateVersions[].LaunchTemplateData.ImageId' --output text

ami-0fedcba9876543210

ami-0123456789abcdef0

ami-09f8e7d6c5b4a3210

# That last one is 1,178 days old — still wired into the prod launch template.

# Do NOT deregister. Investigate why an old AMI is still referenced before touching it.

Cross-referencing the inventory against active Launch Template versions.

Deregistration under the hooddeep dive

An AMI is a thin metadata record: a manifest pointing at one snapshot per block device, a kernel/ramdisk pair (for paravirtual images), architecture, virtualization type, and ENA/SR-IOV flags. aws ec2 deregister-image deletes that manifest. After deregistration the image-id is no longer launchable and disappears from describe-images — but the underlying EBS snapshots remain owned by your account and continue to bill at the standard snapshot rate.

EBS snapshot pricing is per GB-month of changed data, deduplicated against earlier snapshots of the same volume. The first snapshot of a 100 GB volume is roughly 100 GB billable; subsequent snapshots only bill the delta. That delta-dedup is the reason naively counting snapshot sizes overestimates the bill, and the reason deleting a single snapshot in a chain can briefly increase the cost of the next one as AWS rebalances the storage references behind the scenes.

Once an AMI is deregistered, AWS gives you no built-in way to associate the snapshots back to the image. The link is gone. The only forensic trail is the snapshot's Description field, which usually contains text like Created by CreateImage(ami-0a1b2c3d4e5f6a7b8) — that's how cleanup scripts identify orphans. If a previous engineer deregistered images without saving the snapshot IDs first, you can still recover them by scanning descriptions and matching the embedded ami-id.

# Two-step cleanup: deregister the AMI, then delete each snapshot it referenced.
IMAGE_ID=ami-0a1b2c3d4e5f6a7b8

# 1. Capture the snapshot IDs BEFORE deregistering — afterwards the link is gone.
SNAPSHOTS=$(aws ec2 describe-images --image-ids $IMAGE_ID \
  --query 'Images[].BlockDeviceMappings[].Ebs.SnapshotId' --output text)

# 2. Deregister the AMI.
aws ec2 deregister-image --image-id $IMAGE_ID

# 3. Delete each backing snapshot.
for snap in $SNAPSHOTS; do
  aws ec2 delete-snapshot --snapshot-id $snap
done

What is the impact of carrying years of unused AMIs?

The direct bill is small per AMI and large in aggregate. A single 100 GB AMI costs ~$5/month in snapshot storage; a 500 GB multi-volume golden image costs $25-30/month. An account with 300 unused AMIs averaging 200 GB across two snapshots each is silently burning roughly $6,000 a month — $72k a year — on images nobody can name the purpose of.

The second-order impact is operational. Every AMI in the account is a candidate to be launched by an outdated Launch Template version or a stale CloudFormation stack drift. Some of those AMIs predate critical security patches. A junior engineer running aws ec2 run-instances --image-id <old-ami> will happily spin up a six-year-old, unpatched Ubuntu image — and the AMI being present in the account is what makes that possible.

On the FinOps reporting side, AMI/snapshot spend almost always lands in an "unallocated EBS" or "misc storage" line on the cost report. Teams look at it once a year, shrug, and move on. Cleaned up properly, that line becomes legible — and the EBS storage row in your cost-by-service breakdown starts matching what's actually running in production.

On the regulatory side, retaining AMIs forever without a documented retention policy fails most audit frameworks (SOC 2, ISO 27001, HIPAA). "We keep every AMI we've ever built" is not a backup strategy — it's the absence of one. A real policy says "DR golden image every quarter, retained for 13 months, tagged Keep=DR," and everything else is cleaned up on a 90-day rolling window.

How do you clean up AMIs safely?

AMI cleanup is a four-step loop. Skip the reference check and you take down a recovery flow; skip the snapshot delete and you've achieved nothing.

1. Inventory and age every AMI

Run describe-images --owners self per region and capture creation date, name, tags, and the full list of backing snapshot IDs. Snapshots are owned by the account, not the AMI, so capturing IDs before you deregister anything is the difference between a clean cleanup and a forensic recovery exercise later. Persist the inventory — a flat JSON in S3 is enough.

2. Filter out in-use and intentionally-retained images

Cross-reference the inventory against every consumer that can launch an AMI: Launch Templates (all versions, not just $Latest), Auto Scaling Groups, CloudFormation stacks (AWS::EC2::Instance, AWS::EC2::LaunchTemplate resources), AWS Backup recovery points, Image Builder pipelines, and Systems Manager Parameter Store entries (/aws/service/ami-* patterns or your own custom params). Then exclude anything tagged Keep=DR or younger than your retention window. What's left is the safe-to-delete set.

3. Deregister, then delete the snapshots

Always two operations, always in that order. Deregister releases the AMI metadata; delete-snapshot reclaims the storage. A script that runs only the first step gives you the false satisfaction of a smaller AMI count and an unchanged bill. Run the loop in batches with a dry-run flag, log every deletion to CloudTrail (it does this automatically), and keep a 30-day quarantine period in a non-prod account before deleting if you're nervous.

4. Codify the retention policy

AMI/snapshot lifecycle is the kind of thing that drifts the instant nobody is looking. Use Amazon Data Lifecycle Manager (DLM) or AWS Backup lifecycle rules to auto-deregister and delete AMIs older than N days, with tag-based exclusions for Keep=DR and Compliance=*. Have CI pipelines that build AMIs (Packer, Image Builder) tag every artifact with BuildId, ExpiresAfter, and Pipeline so the cleanup script never has to guess what something is for.

# Safe deletion script: age > 180 days, no Keep tag, not referenced by any Launch Template.
CUTOFF=$(date -u -d '180 days ago' +%FT%TZ)

# Pull AMIs in use by any Launch Template version.
IN_USE=$(aws ec2 describe-launch-templates --query 'LaunchTemplates[].LaunchTemplateId' --output text \
  | xargs -n1 -I{} aws ec2 describe-launch-template-versions --launch-template-id {} \
    --query 'LaunchTemplateVersions[].LaunchTemplateData.ImageId' --output text \
  | sort -u)

# Candidate set: self-owned, old enough, not tagged Keep, not referenced.
aws ec2 describe-images --owners self \
  --query "Images[?CreationDate<'$CUTOFF' && !not_null(Tags[?Key=='Keep'])].{ID:ImageId,Snaps:BlockDeviceMappings[].Ebs.SnapshotId}" \
  --output json > candidates.json

# Review candidates.json against $IN_USE manually before running the loop below.
# jq -r '.[] | select(.ID as $i | $in_use | index($i) | not) | .ID + " " + (.Snaps | join(" "))' candidates.json \
#   | while read ami snaps; do
#       aws ec2 deregister-image --image-id $ami
#       for s in $snaps; do aws ec2 delete-snapshot --snapshot-id $s; done
#     done

Quick quiz

Question 1 of 5

You've identified 200 AMIs older than 180 days, with no Keep tag, that don't appear in any Launch Template, ASG, or CloudFormation stack. What's the right cleanup sequence?

Keep learning

Dig deeper into AMI lifecycle, EBS snapshot billing, and the AWS-native tools for automating this cleanup.

You've completed Deregister unused AMIs and their snapshots. You now know why the AMI itself is free, where the real storage bill hides, and the two-operation cleanup that actually reclaims the spend. The next time the wastage report flags a wall of AMIs created 1,500 days ago, you'll have a four-step loop — inventory, filter, deregister + delete-snapshot, codify the policy — ready to run without breaking a recovery flow.

Back to the library

Unused AMIs: the cost you're not seeing on any tagged line

EBS snapshot storage — the invisible charge that accumulates silently for years

An AMI is free to register, but every AMI is backed by one or more EBS snapshots that bill at roughly $0.05 per GB-month, continuously, whether or not anyone ever launches the image again. Because the charge surfaces as generic EBS snapshot storage rather than as a named AMI cost, it rarely gets flagged in standard cost reviews — it's the line that everyone rounds down and nobody cleans up.

The dollar arithmetic is straightforward to model. A 100 GB AMI with a single snapshot costs about $5/month; a 500 GB multi-volume golden image costs $25–30/month. Individually those are rounding errors. The finance problem is scale and duration: an account that has been building AMIs for four or five years, running CI pipelines that bake a new image on every deployment, can easily accumulate three hundred or more unused images and silently carry six thousand or more dollars a month in storage charges for artifacts nobody references.

The FinOps framing here is straightforward. This is pure waste — there is no upside to retaining an AMI that hasn't been launched in over 180 days and isn't tagged for intentional retention. The remediation is a cleanup plus a policy that prevents the accumulation from restarting. The finance contribution is to insist the organization has a documented AMI retention rule (how long, which exceptions, who approves them) so the storage line becomes predictable and manageable rather than a slow, invisible accumulator.

This lesson is for the finance partner who sees an EBS storage line that never seems to shrink and wants to understand why. It explains where unused AMI charges hide on the bill, how to model the cost per image (and in aggregate across hundreds), why cleanup requires two operations not one, and the retention policy decisions — which images to keep, how long, who approves exceptions — that turn a sprawling invisible cost into a predictable, manageable line. No CLI knowledge required.

Fun fact

The orphaned snapshot bill

How a finance partner approaches the AMI cleanup decision

Carlos is the finance partner sitting in on the quarterly cloud review. The platform team flags a wastage report with 312 unused AMIs across one region — 11.4 TB of snapshot storage that's been billing for years. His first question isn't 'delete them all' — it's 'what's the cost, and are any of these load-bearing?'

He pulls the dollar model quickly: 11.4 TB at $0.05/GB-month is roughly $570 a month, $6,800 a year, landing in an 'unallocated EBS' line nobody has ever actioned. That's the easy part. The harder question is whether any of these images are intentionally retained — DR golden images, compliance snapshots, anything tagged Keep. The team confirms four AMIs carry Keep=DR tags for the quarterly compliance archive; the other 308 are CI artifacts nobody has referenced in over 18 months.

Carlos's framing for the review: the 308 candidates are unambiguous waste, and deleting them is a budget line item, not a risk decision. The four DR images stay, and they document why — the audit trail matters more than the storage cost. For the future, he asks for a retention policy: build pipelines should tag artifacts with an expiry, and anything older than 90 days without a Keep tag should be auto-deleted. That turns a one-time cleanup into a managed cost.

Why AMI sprawl is a budget problem, not just a hygiene one

The direct cost impact is easy to quantify but easy to miss because it hides on a generic storage line. EBS snapshot storage at $0.05/GB-month doesn't look alarming at the level of any single AMI — a 200 GB image is $10/month. The finance problem is the long tail: an account running active CI pipelines for four years may have hundreds of images it has never cleaned up, and the aggregate can reach five or six figures annually. That money is being spent on data the organization has no business reason to retain.

This is one of the cleanest cases in cloud cost optimization — it is unambiguously waste. Unlike compute rightsizing (where you trade off performance) or Multi-AZ databases (where you trade off resilience), unused AMIs provide zero ongoing value. The cost is real, the benefit of keeping them is zero, and the risk of deleting them — once you have verified they are genuinely unused and not referenced by any live system — is also close to zero.

The finance contribution is two things: first, ensure that a cleanup generates a forecast and a measured saving, not just an engineering task that disappears into a sprint. Model the monthly saving before and after; track it on the bill for 60 days to confirm it materialized. Second, require that any intentional exception — a DR image, a compliance snapshot — is a recorded, budgeted line, not an undocumented survivor. If the organization carries twenty retained AMIs at a total of $300/month, that should be an approved, named line on the cloud budget, not anonymous background noise.

What finance can do to make AMI cleanup stick

Finance can't run deregister-image, but it controls the framing and the governance loop that prevents the problem from recurring. Four practical levers.

1. Quantify before and after — make the saving visible

Before the cleanup runs, pull the total snapshot storage cost attributable to images older than 90 days with no Keep tag. That's the target saving. After the cleanup, track the EBS storage line for 60 days to confirm the saving materialized. If it doesn't, the snapshot deletes were missed — the two-step cleanup (deregister + delete-snapshot) wasn't completed. Measuring the outcome is the only way to confirm the engineering work actually reclaimed the spend.

2. Budget intentionally-retained images as a named line

Every AMI kept under a Keep tag should be a budgeted, named cost. DR quarterly golden images retained for 13 months, compliance-required snapshots, approved long-term archives — each should appear on the cloud budget with an owner and an estimated monthly cost. If the total retained AMI storage bill isn't a line you can point to and explain, you don't yet have control of the cost.

3. Make retention policy a recurring review item

AMI sprawl restarts the moment the policy isn't enforced. At the monthly or quarterly cloud cost review, include a count of images older than 90 days without a Keep tag. A stable or declining count means the policy is working. A growing count means the cleanup pipeline or the tagging discipline has slipped. This doesn't require deep technical audit — just a single metric on the review dashboard.

4. Require exceptions to be recorded and costed

When an engineering team asks to retain an image beyond the standard window, that should be an explicit request with a reason, an owner, a projected cost, and an expiry date. Not a silently applied tag. Finance's job is to make the implicit cost of exceptions visible — "you're asking to keep this for 24 months, which is an additional $X; that's approved, and we'll revisit it at the next review." Treating exceptions as auditable decisions is what separates a managed cost from a managed accident.

Quick quiz

Question 1 of 5

A cleanup of 280 unused AMIs was completed last month. The engineering team says it's done. You pull the cloud bill and the EBS storage line is unchanged. What's the most likely explanation?

Keep learning

Dig deeper into AMI lifecycle, EBS snapshot billing, and the AWS-native tools for automating this cleanup.

You've finished the finance partner's view of unused AMI cleanup. The key points: the cost hides on a generic EBS storage line, the per-AMI charge is small but the aggregate across years of build artifacts can be substantial, cleanup requires both deregistration and snapshot deletion to actually reclaim spend, and every retained exception should be a budgeted, named, reviewed decision. The next time this appears on the wastage report you'll know how to quantify it, how to verify the cleanup actually worked, and how to make the saving stick.

Back to the library

Unused AMIs: paying for archives nobody asked to keep

Years of forgotten build artifacts quietly billing as cloud storage

Every time an engineering team builds a new machine image — for a software release, a CI pipeline run, a server configuration change — AWS stores the artifact as paid cloud storage. The image itself is free; the underlying storage blocks are not. An organization that has been building images for several years without a cleanup policy is routinely paying tens of thousands of dollars a year to store images that nobody has used in years and that nobody can name the purpose of.

This is not a resilience trade-off or a cost-versus-risk decision — it's unmanaged accumulation. The fix is a retention policy: keep what the business needs (disaster-recovery images, compliance-required snapshots), clean up everything else on a rolling window, and make sure new build pipelines tag and expire their artifacts automatically. The leadership question is simply whether that policy exists and is enforced, or whether the account is silently billing for years of forgotten build history.

A brief read for the executive who wants the one-paragraph version: what unused AMIs are, why they cost money without anyone noticing, whether this is a risk-versus-cost trade-off or just unmanaged waste, and what the right governance posture looks like. The answer is that it's waste, the fix is a documented retention policy, and the leadership question is whether that policy exists and is being enforced.

Fun fact

The orphaned snapshot bill

What it looks like when the organization actually has a policy

At one company, the VP of Engineering was surprised to learn the organization was spending nearly $80,000 a year on EBS storage for machine images — mostly CI build artifacts that had accumulated over four years with no cleanup process. The cost had been invisible, sitting in a generic storage line that nobody owned.

After a one-time cleanup and a retention policy requiring that all new AMIs carry an expiry tag, the line dropped to under $5,000 a year — the cost of the images the company had deliberately decided to keep. The change took a few weeks of engineering time and a policy decision that took about an hour.

The leadership question this surfaces is simple: does the organization have a documented image retention policy, or is it accumulating storage charges for artifacts nobody chose to keep? The healthy state is a clean policy — keep DR and compliance images, expire everything else on a rolling window — with the cost of exceptions recorded and justified.

The headline impact of no AMI retention policy

The most direct impact is a silent, growing cloud bill. Without a retention policy, every machine image ever built sits in storage indefinitely, accumulating charges that no one owns and no budget line names. Organizations that have been running AWS for four or five years without cleanup routinely discover tens to hundreds of thousands of dollars of annual spend on images nobody can identify. It is among the cleanest forms of cloud waste — no trade-off, just accumulation.

The secondary impact is security posture. Old images almost always predate critical security patches. An image built three years ago is three years behind on OS updates. If that image is still launchable — and without cleanup it is — anyone with EC2 launch permissions can spin up an unpatched server from it. Deregistering the image removes that risk; a retention policy prevents it from coming back.

The governance impact is audit readiness. Retaining everything without a policy fails most audit frameworks. The auditor's question is simple: 'show me your image retention standard.' "We keep everything" is not a standard — it is the absence of one. The right answer is a documented policy with named retention windows, tag-based exceptions, and evidence the policy is being enforced. Getting there is a one-time effort that closes a compliance gap and removes an ongoing cost simultaneously.

The leadership posture on AMI retention

The executive handle on this is not cleanup mechanics — it's whether the organization has a documented retention policy that is actively enforced, and whether the cost of exceptions is on the record.

1. Require a documented retention standard

The organization should have a written rule: what gets kept, for how long, under what tag, and who approves exceptions. "We keep everything" is not a policy — it is the absence of one. A documented standard is what satisfies auditors, what prevents engineers from making inconsistent choices, and what makes cleanup automatable rather than a recurring manual decision.

2. Enforce it through automation, not discipline

A policy that depends on engineers remembering to tag things correctly will drift immediately. The durable implementation is automation: build pipelines that automatically tag new AMIs with an expiry date, and a lifecycle rule that deregisters and deletes images when the tag expires. Once that is running, the policy enforces itself without manual intervention.

3. Treat intentional exceptions as approved, costed decisions

Any image retained beyond the standard window should have a documented reason, an owner, and an estimated cost. That is the one-line question for the leadership review: are the retained images on the record, and does their cost match what was approved? If the answer is yes, the cost is governed. If no one can explain the retained image list, the cost is not governed — it's just accumulation that has been named.

Quick quiz

Question 1 of 5

The engineering team reports that the AMI cleanup is complete and the retention policy is now in place. What's the right signal to look for at the next quarterly review to confirm the policy is holding?

Keep learning

Dig deeper into AMI lifecycle, EBS snapshot billing, and the AWS-native tools for automating this cleanup.

That's the lesson. Two things to carry: unused AMIs are unambiguous waste — there's no resilience trade-off, just unmanaged accumulation — and the fix is a documented retention policy enforced through automation. The leadership question is whether the organization has that policy and whether it's running. If it is, the cost is governed. If it isn't, the account is accumulating charges for build artifacts nobody chose to keep.

Back to the library

Part of the learning path Cut your storage bill

Deregister unused AMIs and their snapshots

Unused AMIs: the basics

The orphaned snapshot bill

AMI cleanup in action

Deregistration under the hooddeep dive

What is the impact of carrying years of unused AMIs?

How do you clean up AMIs safely?

1. Inventory and age every AMI

2. Filter out in-use and intentionally-retained images

3. Deregister, then delete the snapshots

4. Codify the retention policy

Quick quiz

Keep learning

Unused AMIs: the cost you're not seeing on any tagged line

The orphaned snapshot bill

How a finance partner approaches the AMI cleanup decision

Why AMI sprawl is a budget problem, not just a hygiene one

What finance can do to make AMI cleanup stick

1. Quantify before and after — make the saving visible

2. Budget intentionally-retained images as a named line

3. Make retention policy a recurring review item

4. Require exceptions to be recorded and costed

Quick quiz

Keep learning

Unused AMIs: paying for archives nobody asked to keep

The orphaned snapshot bill

What it looks like when the organization actually has a policy

The headline impact of no AMI retention policy

The leadership posture on AMI retention

1. Require a documented retention standard

2. Enforce it through automation, not discipline

3. Treat intentional exceptions as approved, costed decisions

Quick quiz

Keep learning

Related cost lessons