Unused Resource Detection


Including Infrastructure as Code (IaC) in your architecture is a big step towards improving your operational efficiency and development speed. It allows you to solve issues at buildtime, before they reach the cloud runtime environment. However, even if your organization manages its entire runtime infrastructure with IaC, some IaC resources may have been merged into your default branch but never deployed, and there may be no plan to deploy them in the future.

Spotting IaC resources that are not yet deployed is important for the following reasons:

  • Cost optimization: a resource that is defined in code but not deployed costs nothing yet. Identifying it before it is deployed lets you avoid unnecessary expenses, and if you have no intention of deploying it, you can delete the code block so it cannot be deployed by accident.
  • Improved organization: by identifying non-deployed resources, you can better organize and manage your infrastructure code, keeping it in line with what actually runs.
  • Improved security: an unused resource definition that nobody reviews poses a security risk if it is not properly secured, because it may be deployed later with stale or insecure configuration. By identifying such resources before they are deployed, you can secure them, or remove them, before they become a potential threat.

To meet those needs, Bridgecrew supports Unused Resource Detection. An unused resource is a buildtime resource that is not deployed to any runtime environment. The suggested fix is to review the unused resource and either deploy it or delete the code block, in order to avoid accidental deployments that might introduce additional costs or security risks.

By integrating both your cloud service provider (CSP) accounts and your repositories with Bridgecrew, you can discover unused resources that should potentially be deployed in the future, and verify that all of your resources are deployed as intended.
Currently, Bridgecrew supports the detection of unused resources for AWS, Azure and GCP.

Discovering Unused Resources in Bridgecrew

Info and fix suggestions for unused resources are available via the Projects and Policies pages.

To see unused resource findings on the Projects page, ensure the following:

  1. You have integrated your runtime (cloud) accounts with Bridgecrew so that they can be scanned.
  2. You have integrated the VCS repositories that store the IaC files for those runtime accounts.
  3. Your Terraform resources carry Yor traceability tags (yor_trace) and those tags have been deployed to your infrastructure, since the tag is what links a resource in code to the object in the cloud. For CloudFormation, unused resource detection works out of the box without yor_trace tagging. For details on enabling traceability, see Traceability.
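To make the matching behind step 3 concrete, here is an added example that is not Bridgecrew's code and does not claim to be how Bridgecrew implements the check internally. It shows the idea: a buildtime resource is matched to a runtime resource through the yor_trace tag that Yor writes into the Terraform source and that Terraform then applies to the cloud object; a tagged resource whose trace value never appears in the cloud account is unused, and a resource with no trace tag cannot be matched at all. The Terraform source and the runtime tag inventory are constructed sample data; the ARNs, trace IDs and the record shape (modelled on the AWS Resource Groups Tagging API) are assumptions made for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample Terraform source (not from any real repository).
# Two resources carry a yor_trace tag; the third was never tagged by Yor.
TERRAFORM_SOURCE = '''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs-bucket"
  tags = {
    yor_trace = "0f8c2a1e-7f5a-4d4b-9a1c-1f2e3d4c5b6a"
  }
}

resource "aws_security_group" "staging_db" {
  name = "staging-db-sg"
  tags = {
    yor_trace = "5b6a1f2e-3d4c-4a1c-9f5a-0f8c2a1e7f5a"
  }
}

resource "aws_instance" "untagged" {
  ami = "ami-00000000000000000"
}
'''

# Constructed runtime tag inventory, shaped like the records returned by
# `aws resourcegroupstaggingapi get-resources` (an assumption for illustration).
# Only the S3 bucket exists in the account; the security group was merged to
# the default branch but never applied.
RUNTIME_TAG_INVENTORY = [
    {
        "ResourceARN": "arn:aws:s3:::example-logs-bucket",
        "Tags": [
            {"Key": "yor_trace", "Value": "0f8c2a1e-7f5a-4d4b-9a1c-1f2e3d4c5b6a"},
            {"Key": "git_repo", "Value": "example-org/infra"},
        ],
    },
    {
        "ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc12345def67890",
        "Tags": [{"Key": "Name", "Value": "bastion"}],
    },
]

# Matches a top-level `resource "<type>" "<name>" { ... }` block. The closing
# brace must start a line, so the indented closing brace of a nested
# `tags = { ... }` block stays inside the body. Good enough for `terraform fmt`
# output; a production tool would use a real HCL parser instead of a regex.
RESOURCE_BLOCK = re.compile(
    r'^resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)
YOR_TRACE = re.compile(r'\byor_trace\s*=\s*"(?P<trace>[^"]+)"')


def buildtime_resources(source: str) -> Dict[str, str]:
    """Map each Terraform resource address to its yor_trace value ('' if untagged)."""
    found: Dict[str, str] = {}
    for block in RESOURCE_BLOCK.finditer(source):
        address = f"{block.group('type')}.{block.group('name')}"
        trace = YOR_TRACE.search(block.group("body"))
        found[address] = trace.group("trace") if trace else ""
    return found


def runtime_traces(inventory: List[dict]) -> Set[str]:
    """Collect every yor_trace value seen on a deployed resource."""
    return {
        tag["Value"]
        for resource in inventory
        for tag in resource.get("Tags", [])
        if tag.get("Key") == "yor_trace"
    }


def classify(source: str, inventory: List[dict]) -> Dict[str, List[str]]:
    """Split buildtime resources into deployed, unused and untraceable."""
    deployed_traces = runtime_traces(inventory)
    result: Dict[str, List[str]] = {"deployed": [], "unused": [], "untraceable": []}
    for address, trace in sorted(buildtime_resources(source).items()):
        if not trace:
            # No yor_trace tag: the resource cannot be matched to runtime, so it
            # is neither confirmed deployed nor confirmed unused. Report it
            # separately; this is the case that needs Traceability enabled first.
            result["untraceable"].append(address)
        elif trace in deployed_traces:
            result["deployed"].append(address)
        else:
            result["unused"].append(address)
    return result


if __name__ == "__main__":
    report = classify(TERRAFORM_SOURCE, RUNTIME_TAG_INVENTORY)
    for status, addresses in report.items():
        for address in addresses:
            print(f"{status:12} {address}")
```

Run against the constructed data, the script reports aws_s3_bucket.logs as deployed, aws_security_group.staging_db as unused (its trace value exists in code but on no cloud object), and aws_instance.untagged as untraceable. The untraceable bucket is the important caveat: without the yor_trace tag in both the code and the deployed object, the detector has no evidence either way, which is why step 3 is a prerequisite rather than an optimization.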

Unused Resources Findings

On the Projects page, the relevant policy for unused resources is: Ensure all buildtime resources are deployed to cloud runtime environments. You can find it by searching for it within a single repository.


Unused resource's issue box

Click the unused resource to view the Errors tab in its Resource Explorer pane.


Unused resource's Resource Explorer


You can also use the Search function to find the Ensure all buildtime resources are deployed to cloud runtime environments policy, view its guidelines, and add a suppression for findings you have reviewed and accepted.