Skip to main content
emnode / learn

Lesson Plan Builder · sample report

Your AWS, read out loud.

Generated from 3 CSVs, 18,816 rows, parsed locally in 11.3 seconds. Nothing here left your laptop.

acme-prod · 4 accounts · May 2026
Monthly spend
$48.2k
+2.6% vs last month · within plan
Savings found
$11.6k/mo
across 6 opportunities · ~24% of bill
Security posture
72/100
2 critical findings · 7 total
Tailored lessons
14
built into 3 learning paths

01 · Where your money goes

Two services account for half the bill.

EC2 and RDS together are 53% of spend. Storage (S3 + EBS) is another 21%. Egress is louder than it looks.

Spend by service · last 30 days

$48,231 total
EC2 $16,820 · 35%
RDS $8,940 · 19%
S3 $5.3k
EBS $4.9k
Data Transfer $4.3k
Lambda $2.2k
CloudWatch $1.8k
Other $3.9k
EC2 · $16.8kRDS · $8.9kS3 · $5.3kEBS · $4.9kData Transfer · $4.3kLambda · $2.2kCloudWatch · $1.8kOther · $3.9k

Monthly trend · 12 months

all accounts
$48.2k ↓ 1.2%
JunAugOctDecFebApr

02 · Biggest opportunities

Six fixes. $11.6k/month back.

Ranked by monthly impact. Each links to the lesson that walks you through the fix.

01

Buy a 1-year Compute Savings Plan at $9/hr

Steady baseline on 4 prod accounts justifies a no-upfront commitment.

$3,120 / month Med effort Fix it 02

Right-size 31 over-provisioned EC2 instances

p99 CPU <12% for 30 days. Drop one size, save without risk.

$2,480 / month Med effort Fix it 03

Add S3 Lifecycle policy to logs-archive bucket

84TB of objects untouched >90 days, still Standard tier.

$1,810 / month Low effort Fix it 04

Migrate 218 gp2 volumes to gp3

Same performance, ~20% cheaper · online change.

$1,640 / month Low effort Fix it 05

Retire 4 idle RDS instances

Zero connections for 30+ days; running anyway.

$1,310 / month Low effort Fix it 06

Eliminate NAT Gateway egress for VPC endpoints

S3 + DynamoDB egress flowing through NAT instead of free VPC endpoints.

$1,280 / month Low effort Fix it

03 · Security posture

Two criticals to clear today.

Scored against the CIS AWS Foundations Benchmark plus SOC 2 control mapping. Critical items first.

Posture score

CIS · SOC 2
72/100
Good

Two critical findings drag the most. Clear them and you're back to 82 / 100.

0 to 49 50 to 74 75 to 100

Top risks · ranked by severity

7 findings
Critical

Public S3 bucket with PII

logs-prod-archive · 4.2M objects · public-read ACL

Learn Fix it
Critical

Root account access keys exist

Account 938...: 2 active root keys, last rotated 491 days ago

Learn Fix it
High

Unencrypted RDS instances (3)

prod-db, prod-analytics, staging-search, no KMS encryption

Learn Fix it
High

Overly permissive IAM policies (12)

*:* policies attached to 12 roles, including 4 service accounts

Learn Fix it
Medium

CloudTrail not enabled in 2 regions

eu-central-1, ap-south-1: coverage gap

Learn Fix it
Medium

Security groups allowing 0.0.0.0/0

8 SGs allow inbound from anywhere on non-public ports

Learn Fix it
Low

MFA missing on 5 IAM users

All low-traffic admin users; programmatic-only

Learn Fix it

04 · Your learning path

Three tracks built from your data.

These aren't generic playlists. The lessons here are queued up because your CSVs said so.

$3,450 / month potential

Cut your storage bill

Storage is your second-biggest line. Six steps to take it down ~26%.

1 Migrate EBS gp2 → gp3 11 min 2 S3 storage classes, ranked by ROI 8 min 3 Retire idle RDS instances 7 min
Start the path
Audit ready

Lock down access

Critical security findings first. The audit-readiness path.

1 S3 public access defence 8 min 2 IAM least privilege in practice 13 min 3 Encryption at rest, beyond the checkbox 10 min
Start the path
$5,600 / month potential

Right-size your compute

Two-thirds of your bill is EC2 + RDS. Read the signals, propose changes, defend the savings.

1 Rightsizing EC2 without a war room 9 min 2 Compute Savings Plans, decoded 14 min 3 The NAT Gateway tax 12 min
Start the path

emnode, the platform

Get this every day, across every account.

emnode tracks cost, savings and security posture continuously across every account, turning each finding into a guided fix. Same lessons, baked into the product.

See emnode Book a 20-min demo
7 days
from signup to first guided fix shipped to production
131 lessons
routed to the right person at the right moment