Cost

Clean up stopped EC2 instances with attached EBS

A stopped instance costs nothing, but its attached EBS volumes keep billing every hour — find them and decide before the bill compounds.

12 min·10 sections·AWS

Last reviewed 27 May 2026

Stopped instances with EBS: the basics

Why a 'stopped' EC2 instance is rarely free

Stopping an EC2 instance is the cloud equivalent of putting a laptop to sleep — the compute clock pauses, but the storage stays mounted. AWS bills EC2 hours and EBS storage on separate meters, and only the EC2 meter stops when you click Stop. Every gp3 volume still attached to that instance keeps accruing roughly $0.08 per GB-month for as long as it exists, whether the instance ever boots again or not.

The check flags an instance in the stopped state with one or more EBS volumes still attached. That's almost always the leftover of an experiment, a misnamed test box, a developer who quit, or a team that meant to come back "next sprint" and never did. A stopped instance with a 500 GB gp3 root volume is quietly $40 a month, every month, with no workload running on it.

It's flagged because the asymmetry surprises people. Engineers assume "stopped" means "free" and triage it accordingly — last. The longer it sits, the larger the cumulative bill, and the harder it gets to find anyone who can confidently say "yes, terminate that."

In this lesson you'll learn the EC2/EBS billing split that makes stopped instances surprisingly expensive, how to tell an abandoned instance from one that's legitimately paused, and the safe four-step pattern — snapshot, detach, delete, terminate — that lets you reclaim storage without destroying anything you might still need. You'll see the AWS CLI commands to audit a fleet, the edge cases that bite (RIs, instance store, encryption), and a tagging strategy that prevents the problem from coming back.

Fun fact

The 'temporary' instance that turned three

A platform team at a fintech ran an audit and found 412 stopped EC2 instances across their dev account. The oldest had last transitioned to stopped 1,147 days earlier — over three years. Its 200 GB gp2 root volume had quietly billed roughly $480 in storage with the instance never having booted again. The owner tag pointed to an engineer who had left the company in 2024. Total cleanup that quarter: $9,200 a month, all from volumes attached to instances that had been 'temporarily stopped' months or years before.

Cleaning up stopped instances in action

Nina runs the FinOps cadence at a mid-sized SaaS company. The dashboard flags 23 stopped EC2 instances with attached EBS, totalling about $340 of monthly wastage. The largest is a stopped m5.xlarge with a 160 GB gp3 root volume — $16 a month in storage, no compute charge, last booted in February.

She pulls the instance metadata to find the LastStateTransitionTime and the owner tag. The reason is User initiated (2026-02-14 11:42:01 GMT) and there's an Owner=preeti.k tag. She pings Preeti on Slack: "This i-0abc still needed?" The answer comes back in ten minutes — "Oh, that was a one-off load test. Definitely safe to nuke."

Nina doesn't terminate it blind. She takes a snapshot first (cheap insurance — $0.05/GB-month versus $0.08/GB-month for live storage), waits for completed, then terminates the instance with DeleteOnTermination=true on the volume. Total time: about four minutes; the snapshot stays in S3-backed storage in case Preeti needs to spin it back up in the next 90 days.

First, list every stopped instance with its attached volumes and the time it last transitioned to stopped.

$ aws ec2 describe-instances --filters Name=instance-state-name,Values=stopped --query 'Reservations[].Instances[].{Id:InstanceId,Type:InstanceType,Stopped:StateTransitionReason,Vols:BlockDeviceMappings[].Ebs.VolumeId}' --output table

----------------------------------------------------------------------------

| DescribeInstances |

+-------------+-------------+----------------------------+---------------+

+-------------+-------------+----------------------------+---------------+

+-------------+-------------+----------------------------+---------------+

# Two instances stopped 90+ days ago — strong abandonment signal.

Stopped-state inventory with the timestamp that exposes how long they've been parked.

Before terminating, snapshot the attached volume so you have a 30-90 day rollback path at a lower per-GB rate.

$ aws ec2 create-snapshot --volume-id vol-0aa11bb22cc33dd44 --description 'Pre-termination snapshot of i-0abc123 (load-test box, owner preeti.k)' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=ExpiresAt,Value=2026-08-15},{Key=Source,Value=i-0abc123}]'

{

"SnapshotId": "snap-0ff99ee88dd77cc66",

"VolumeId": "vol-0aa11bb22cc33dd44",

"State": "pending",

"VolumeSize": 160,

"Encrypted": true,

"StartTime": "2026-05-15T10:14:22.000Z"

}

# Snapshot inherits encryption from the source volume — no extra step needed.

Snapshot the volume first; at ~$0.05/GB-month it's cheaper than the live volume and gives you an undo.

Stopped instances under the hooddeep dive

Stopping an EBS-backed EC2 instance keeps the instance metadata (ID, ENI configuration, IAM role, security groups, tags) and the attached EBS volumes intact. The hypervisor releases the underlying physical capacity back to the pool — that's why you stop paying for vCPU and RAM hours — but the volumes remain in their AZ, persistent and writable on next boot. Public IPv4 addresses are released on stop unless you've allocated an Elastic IP; that's a separate billing concern.

EBS storage is priced per provisioned GB-month per volume type: gp3 at $0.08, gp2 at $0.10, io2 at $0.125 plus IOPS, st1 at $0.045, sc1 at $0.015 (all rough US-East rates). A stopped instance with a 100 GB gp3 root and a 500 GB gp3 data volume is $48 a month of pure storage cost — no compute, no network, just bytes sitting on a disk waiting for an instance that will probably never boot. Reserved Instances and Savings Plans don't help here; both apply to compute hours, not storage.

The two state details that matter for forensic analysis are StateTransitionReason (a human-readable string like User initiated (2026-02-14 11:42:01 GMT) set when the instance stopped) and the corresponding CloudTrail StopInstances event. Together they tell you when it stopped, who stopped it, and whether anyone has touched it since. Anything stopped more than 60 days with no subsequent StartInstances event is a strong abandonment signal.

# Pull the original Stop event from CloudTrail to confirm intent and ownership.
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=i-0abc123 \
  --max-results 5 \
  --query 'Events[?EventName==`StopInstances`].[EventTime,Username]' \
  --output table

# Confirm there's been no StartInstances event since — i.e. it's truly abandoned.
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=i-0abc123 \
  --lookup-attributes AttributeKey=EventName,AttributeValue=StartInstances \
  --max-results 1

What is the impact of stopped instances with EBS?

The direct cost is the EBS bill on volumes attached to instances that aren't doing anything. At gp3 rates a typical 100 GB root volume is $8 a month; a 500 GB data volume is $40 a month; a 2 TB analytics volume is $160 a month. Across a few hundred stopped instances in a long-lived dev account, that's $5–20k a month of pure waste, and the meter runs every hour regardless of whether the instance boots again.

There's a sneaky second-order cost too: snapshots. AWS will happily let you stop an instance, never come back to it, and then later replace the now-forgotten volume with a fresh one — leaving the original attached, billing, and invisible to anyone but a careful audit. Without lifecycle tags it's almost impossible to know which volumes are still load-bearing and which are orphaned remnants of past experiments.

Reserved Instances and Savings Plans introduce a third surprise. A Reserved Instance keeps billing on a stopped instance because the RI is a commitment to pay for the instance type whether you use it or not — stopped doesn't release the reservation. Dedicated Hosts are even more painful: the host fee continues even with zero running instances. Stopping a workload to "save money" while an RI is in flight saves you nothing on the compute side and still costs you on the storage side.

Finally, abandoned instances make incident response harder. Six months from now someone needs to roll back a customer to a known-good database snapshot, finds a candidate volume attached to a stopped instance, and has no idea whether it's safe to use. Cleaning these up isn't just a cost story — it's a hygiene story. A short list of stopped instances is much easier to reason about than a long one.

How do you clean up stopped instances safely?

Cleanup is a four-step loop that runs at every FinOps cadence: inventory what's stopped, confirm intent with the owner, snapshot-then-delete, and tag the survivors so this doesn't repeat.

1. Inventory every stopped instance with age and owner

Pull every stopped instance across every region and account into a single sheet with LastStateTransitionTime, Owner tag, attached volume IDs, volume sizes, and estimated monthly storage cost. Anything stopped more than 60 days is a candidate; anything more than 180 days with no Owner tag is almost certainly abandoned. Filter out anything labelled Lifecycle=long-paused or similar — those are deliberate.

2. Confirm intent with the owner before doing anything destructive

A two-line Slack message to the owner — "This instance has been stopped for 90 days; OK to terminate?" — surfaces 80% of the decisions in a day. For the remaining 20%, escalate to the team lead via the cost-allocation tag. Never auto-terminate without human sign-off on first run; build trust with the team before automating the destruction path.

3. Snapshot, then delete the volume, then terminate the instance

Take a snapshot of every attached volume (with an ExpiresAt tag 30-90 days out for safety net), wait for completed, then terminate the instance with the volume's DeleteOnTermination flag set to true. Snapshots are ~40% cheaper per GB than live volumes and give you a clean rollback path. For encrypted volumes the snapshot inherits the KMS key automatically — no extra step. For instance-store volumes (i3, c5d, etc.) there's nothing to snapshot; that data was already lost when the instance stopped.

4. Tag new instances with intent so the next audit is shorter

Adopt a simple two-tag convention: Lifecycle=ephemeral|persistent and ExpiresAt=YYYY-MM-DD. Enforce it with a tag policy or AWS Config rule. An EventBridge schedule can then automatically stop and snapshot ephemeral instances past their ExpiresAt, and the next month's report drops by half. The cleanup loop only stays manageable if new instances arrive pre-labelled.

# Bulk-snapshot every volume on a stopped instance, then terminate.
INSTANCE=i-0abc123
VOLS=$(aws ec2 describe-instances --instance-ids $INSTANCE \
  --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
  --output text)

for v in $VOLS; do
  aws ec2 create-snapshot --volume-id $v \
    --description "Pre-termination $INSTANCE" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=Source,Value=$INSTANCE},{Key=ExpiresAt,Value=$(date -u -d '+90 days' +%F)}]"
done

# Wait for all snapshots to complete before terminating.
aws ec2 wait snapshot-completed --filters Name=tag:Source,Values=$INSTANCE
aws ec2 terminate-instances --instance-ids $INSTANCE

Quick quiz

Question 1 of 5

You find an m5.xlarge stopped 120 days ago with a 200 GB gp3 root volume and a 1-year Reserved Instance still active for that instance type. What's the right next move?

Keep learning

Dig deeper into EC2/EBS lifecycle, billing mechanics, and the tooling around cleanup.

You've completed Clean up stopped EC2 instances with attached EBS. You now know why a stopped instance is rarely free, the four-step inventory-confirm-snapshot-terminate loop that reclaims storage safely, and the tagging convention that stops the problem from coming back. The next time the wastage report flags a stopped instance, you'll have a defensible path from "flagged" to "resolved" in under five minutes.

Back to the library

Stopped instances with EBS: what it means for the bill

A line item that keeps charging after the workload stops

When engineers say an EC2 instance is "stopped," most people hear "switched off, no longer costing money." That isn't how the bill works. AWS charges compute and storage on two separate meters — only the compute meter stops. The disk attached to the instance keeps billing every hour at the storage rate, around $0.08 per GB per month, until somebody actively deletes it. A team can stop a workload to save money and still see most of the cost continue showing up on the invoice.

This finding flags instances that have been parked in the stopped state but still hold their disks. In practice these are forgotten test boxes, old experiments, machines belonging to people who have changed teams or left the company, and projects that were paused "for a sprint" two years ago. Each one is a small fixed monthly charge — a 500 GB disk is roughly $40 a month — that recurs forever on no business activity. Across a few hundred of them, the number lands in five figures per month with nothing to show on the other side of the ledger.

From a budgeting and forecasting standpoint, this category is unhelpful in two ways. The cost is unpredictable on the way up — anyone can spin a workload and "pause" it — and sticky on the way down because nobody wants to be the person who deleted the disk that turned out to matter. The right framing is that stopped-with-storage is a governance and ownership signal, not just a cost signal: it means a resource has no clear owner accountable for the spend, and the longer it sits, the harder it becomes to attribute or charge back to a business unit.

This lesson is for the finance partner who sees "compute" on the cloud invoice and assumes that pausing a workload pauses the cost. It walks through why that assumption breaks, how the recurring cost behaves under your existing budgets and commitments, what a reasonable size for this category looks like, and the three things you can actually do — reporting, cadence, and ownership conventions — to keep it small without learning AWS internals. By the end you'll know what number to ask for at the monthly review and what to push engineering on when the number doesn't move.

Fun fact

The 'temporary' instance that turned three

How a finance partner closes the loop

Sam is the finance partner embedded with the cloud platform team at a mid-sized SaaS company. At the monthly cost review, the engineering lead is presenting a flat compute line and Sam asks one question that's now standard on the agenda: "How many stopped instances are still holding storage, and what's that costing us a month?" The number on the dashboard is $340 across 23 instances — small in absolute terms, but it's been roughly $340 every month for six months, so the cumulative is closer to $2,000.

The conversation that follows isn't technical. Sam doesn't ask which volume types, which regions, which AZs. She asks three things: who owns each one, how old it is, and whether anyone has touched it in the last 90 days. The engineering lead pulls up the report — every instance has an owner tag, the oldest is from February, no one has restarted any of them since. That's enough to act. Engineering commits to a clean-up sprint with a one-week deadline; Sam adds a recurring line to the next finance pack so the number can't drift back up unnoticed.

Two months later the same dashboard shows $40. Sam knows that's the right floor — a handful of genuinely paused workloads with sign-off — and she also knows that if the number creeps back above $200, ownership tagging is slipping somewhere and that's the conversation, not the dollar amount. The dollar amount is a leading indicator of a governance problem; the cleanup itself is almost incidental.

Why this matters to the budget, not just the bill

The direct line-item impact is small per resource and material in aggregate. A typical environment carries somewhere between a few hundred and a few thousand dollars a month in this category — call it 0.5–2% of total cloud spend. That's not enough to move quarterly numbers on its own, but it's enough that every month it lands in "unexplained variance" buckets when budgets are tight, and finance ends up chasing it across teams instead of focusing on the bigger commitments.

The more important impact is on commitment economics. If you're carrying Reserved Instances or Savings Plans against an EC2 family, stopping the workload doesn't release the commitment — you keep paying for the reserved capacity whether anything is using it or not. Storage attached to those same stopped instances continues to bill on the regular meter on top. So the very pattern that engineers reach for when "we need to save money on this workload for a few weeks" actually does nothing on the compute side and quietly accrues on the storage side. The commitment-utilisation number on your monthly report is the place this shows up; if it's below ~95%, this category is one of the first contributors to check.

The third impact is on chargeback credibility. When this category is large and untagged, it's the line item that breaks the chargeback model: the cost is real but it can't be assigned to a business unit because the resource has no clear owner. Every untagged dollar here is a dollar that has to be absorbed centrally or argued about in meetings. Cleaning these up is less about the dollar saving and more about making the chargeback report defensible.

Finally, it's a leading indicator. Sustained growth in this category month over month almost always means tagging policies are slipping or lifecycle conventions aren't being followed — both of which predict bigger waste categories (idle compute, oversized databases, unused load balancers) trending in the same direction six months later. Watch it as a signal, not a target.

What finance can actually do about this

Finance can't terminate cloud resources, but it can set the conditions under which the number stays small. Three levers, used together at the monthly cost cadence.

1. Put it on the monthly report as a standing line

Add "stopped resources still billing storage" as a recurring line on the cost-review pack, alongside the dollar amount and the count. The dollar amount is the headline; the count over 60 days old is the leading indicator. If either trends up two months in a row, that's the prompt to escalate — not the absolute size.

2. Make ownership tagging a precondition for budget approval

Whatever budget envelope each team operates under, the agreement should be that any untagged or unowned resource counts against the team's number regardless of who actually created it. That single rule does more for this category than any other intervention — it converts "clean up old infrastructure" from an engineering chore into a budget-protection activity teams care about on their own.

3. Bake a cleanup cadence into the FinOps operating model

Don't ask for one-off cleanup pushes; ask for a sustained discipline. A 30-minute monthly review per team, where they walk through anything in this category older than 60 days and either confirm or terminate, is enough to keep the number flat indefinitely. The cost of that cadence is small; the cost of doing it as an annual heroic effort is much larger and rarely actually happens twice.

4. Treat the trend as the metric, not the absolute number

It's normal for this category to have a residual — teams will legitimately pause workloads for weeks at a time. The right question isn't "why isn't this zero?" but "is it staying flat?" A flat $200 a month with clean ownership is fine; a growing $50-per-month is worse than a static $500, because it signals the underlying discipline is slipping.

Quick quiz

Question 1 of 5

The stopped-with-storage line has grown from $200 to $450 a month over six months. The total is small but the trend is up. As the finance partner, what's the right next move?

Keep learning

Dig deeper into EC2/EBS lifecycle, billing mechanics, and the tooling around cleanup.

You've finished the finance partner's view of stopped instances with EBS. You know why "stopped" is misleading on the invoice, why this category interacts with commitment economics and chargeback credibility, and what the three finance levers are — reporting cadence, ownership-as-a-budget-condition, and trend-not-absolute as the metric. Next time the line shows up at the monthly review, you'll have a sharper question to ask than "can we delete some of these?"

Back to the library

Stopped instances with EBS: the headline

Spend that keeps running on infrastructure no one is using

"Stopped" in cloud doesn't mean "off." When a workload is paused, the compute charge ends but the storage attached to it keeps billing month after month. The cumulative effect, at scale, is a recurring drag on the cloud bill from infrastructure the business has already stopped using.

This is fundamentally a hygiene and accountability issue. Every flagged resource represents money being spent on something with no clear owner and no active value. Cleaning them up is low-risk, immediate-saving work, and the more important outcome is the discipline it establishes: every running resource has an owner, a purpose, and an expiry date — not just a creation date.

A five-minute read on a small but stubborn category of cloud waste, written for the exec who wants the headline and the one question to ask their team. You'll get the rule-of-thumb framing, what this category typically signals about wider cloud hygiene, and what "good" looks like at an org level — no commands, no implementation.

Fun fact

The 'temporary' instance that turned three

What it looks like when the org gets this right

At one company, the quarterly cloud-cost review used to open with a slide that just said "$340/month of stopped-but-billing infrastructure across 23 resources." Small number, but it sat there every quarter, sometimes growing, never shrinking. The exec sponsor stopped asking about the dollar amount and started asking about the shape: "Why do we have any of these? Who is supposed to own this resource? Why is there no expiry date?"

Within two quarters the slide changed. The number was no longer the headline; the headline was "every active workload has a named owner and a documented review date." The $340 dropped to a residual $40 of intentionally-paused systems with sign-off, and the cleanup never had to be discussed again. The exec hadn't asked engineering to chase the dollars — she'd asked them to fix the absence of ownership the dollars were exposing.

That's the right outcome state for this category. "Zero stopped-with-storage" is the wrong goal; "every resource has an owner and a date" is the right one. The cost report stops being an action item and becomes a confidence signal.

Why this is on the report at all

The dollar amount in this category is usually small. The reason it's tracked is what its size and trend say about the discipline underneath. A small, flat number means the org has working ownership conventions and a normal cleanup cadence. A growing or large number means the inverse: resources are being created without clear owners or expiry, no one is closing the loop, and the same pattern almost certainly applies to bigger spend categories that won't show up on the dashboard as cleanly.

There's a second-order risk too. Forgotten infrastructure with stale ownership shows up as audit and security findings just as readily as it shows up as cost — old data sitting on disks attached to instances that nobody can confidently say belongs to anyone. So this category sits at the intersection of cost, security posture, and operational hygiene. Most CFOs care about the first, most CIOs about the second; both should care about the underlying pattern.

The leadership move on this category

The actionable handle for an executive isn't to drive the dollar number — it's to set the operating norms that make the number a non-issue.

1. Insist that every resource has a named owner

Not a team, not a system — a person, recorded at creation time and reviewed when people move teams. Most cloud waste compounds because ownership becomes ambiguous; making it unambiguous is the single highest-leverage policy.

2. Require an expiry or review date on creation

Every workload should carry a date by which someone is expected to either confirm it's still needed or let it be cleaned up. This converts the cleanup question from "is this safe to delete?" (which everyone avoids) to "is this still needed?" (which is much easier to answer).

3. Make this a confidence signal at the leadership review

Ask for the trend, not the dollar. "Is the stopped-with-storage line flat or growing?" is a one-minute item that tells you whether cloud governance is working without needing any technical depth. If the answer is "flat" for three quarters running, the underlying hygiene is healthy and the team can spend its attention on bigger things.

Quick quiz

Question 1 of 5

You're reviewing the cloud cost pack and see this category has been roughly flat for three quarters at around $300/month. Every resource has an owner tag. What's the right read?

Keep learning

Dig deeper into EC2/EBS lifecycle, billing mechanics, and the tooling around cleanup.

That's the lesson. Two takeaways worth holding onto: "stopped" doesn't mean "off" on a cloud bill, and the size of this category is a hygiene signal, not the headline. The leadership question is about ownership and review dates — not about the dollar amount.

Back to the library

Part of the learning path Right-size your compute

Clean up stopped EC2 instances with attached EBS

Stopped instances with EBS: the basics

The 'temporary' instance that turned three

Cleaning up stopped instances in action

Stopped instances under the hooddeep dive

What is the impact of stopped instances with EBS?

How do you clean up stopped instances safely?

1. Inventory every stopped instance with age and owner

2. Confirm intent with the owner before doing anything destructive

3. Snapshot, then delete the volume, then terminate the instance

4. Tag new instances with intent so the next audit is shorter

Quick quiz

Keep learning

Stopped instances with EBS: what it means for the bill

The 'temporary' instance that turned three

How a finance partner closes the loop

Why this matters to the budget, not just the bill

What finance can actually do about this

1. Put it on the monthly report as a standing line

2. Make ownership tagging a precondition for budget approval

3. Bake a cleanup cadence into the FinOps operating model

4. Treat the trend as the metric, not the absolute number

Quick quiz

Keep learning

Stopped instances with EBS: the headline

The 'temporary' instance that turned three

What it looks like when the org gets this right

Why this is on the report at all

The leadership move on this category

1. Insist that every resource has a named owner

2. Require an expiry or review date on creation

3. Make this a confidence signal at the leadership review

Quick quiz

Keep learning

Related cost lessons