The Hidden Cost of Unused Elastic IPs and NAT Gateways
Why Idle Elastic IPs and NAT Gateways Matter
Even seasoned engineers can overlook two inexpensive‑looking services that generate recurring charges: Elastic IP (EIP) addresses that are not attached to a running instance, and NAT Gateways that sit idle in a VPC. AWS bills an EIP at $0.005 per hour when it is not associated with an active instance, and a NAT Gateway incurs an hourly fee of $0.045 plus $0.045 per GB of data processed. Over a month, a single idle resource can add up to dozens of dollars, and that money scales quickly across multiple accounts.
Identify Unattached Elastic IPs
The first step is to list every EIP in the account and see whether it is attached.
# List all Elastic IPs with their association status
aws ec2 describe-addresses \
--query 'Addresses[].[AllocationId,InstanceId,PublicIp,Domain]' \
--output table
The output shows three columns of interest:
- AllocationId – the identifier you need to release the address.
- InstanceId – blank when the EIP is unattached.
- Domain – vpc for modern VPC‑scoped addresses.
Quick filter for idle EIPs
# An empty filter value does not match addresses that have no association,
# so select them with a JMESPath null check instead of --filters.
aws ec2 describe-addresses \
--query 'Addresses[?AssociationId==`null`].AllocationId' \
--output text
If the command returns any AllocationIds, those EIPs are not bound to an instance and are incurring hourly fees.
Release the unused addresses
# Replace eipalloc-xxxx with the actual AllocationId
aws ec2 release-address --allocation-id eipalloc-xxxx
Run the release command for each idle AllocationId. If you have many, script the loop:
for id in $(aws ec2 describe-addresses --query 'Addresses[?AssociationId==`null`].AllocationId' --output text); do
aws ec2 release-address --allocation-id "$id"
echo "Released $id"
done
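The inventory and release steps above, as an added example that is not part of the original article: a small Python audit that classifies a DescribeAddresses response and produces a dry-run release plan. It checks AssociationId rather than InstanceId, because an EIP attached to a NAT Gateway or a load balancer has an AssociationId and NetworkInterfaceId but no InstanceId, and release-address is rejected for an address that is still associated. The sample addresses are constructed, the cost figure is the $0.005/hour quoted in the article, and the 730 hours per month is an assumed round-off.

```python
"""Classify Elastic IPs from a DescribeAddresses response (added example)."""
import json
import subprocess

IDLE_EIP_USD_PER_HOUR = 0.005   # hourly rate quoted in the article
HOURS_PER_MONTH = 730           # assumed average month length


def fetch_addresses():
    """Run the same CLI command as the article and return the Addresses list.

    Needs AWS credentials; the offline demo below uses constructed data instead.
    """
    out = subprocess.run(
        ["aws", "ec2", "describe-addresses", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["Addresses"]


def classify_addresses(addresses):
    """Split addresses into (idle, in_use).

    An address with no AssociationId is attached to nothing. An address
    attached to a NAT Gateway or load balancer has an AssociationId but no
    InstanceId, so an InstanceId-only check would misreport it as idle.
    """
    idle, in_use = [], []
    for addr in addresses:
        (in_use if addr.get("AssociationId") else idle).append(addr)
    return idle, in_use


def monthly_idle_cost(idle, hours=HOURS_PER_MONTH):
    """Estimated monthly charge for a list of idle addresses, in USD."""
    return round(len(idle) * IDLE_EIP_USD_PER_HOUR * hours, 2)


def release_plan(idle):
    """Dry run: the release commands for the idle addresses, one per line."""
    return [f"aws ec2 release-address --allocation-id {a['AllocationId']}"
            for a in idle]


# Constructed sample shaped like the CLI's JSON output (not real resources):
# one EIP on an instance, one on a NAT Gateway's network interface, one idle.
SAMPLE_ADDRESSES = [
    {"AllocationId": "eipalloc-aaaa0001", "PublicIp": "203.0.113.10",
     "Domain": "vpc", "InstanceId": "i-0abc", "AssociationId": "eipassoc-1"},
    {"AllocationId": "eipalloc-aaaa0002", "PublicIp": "203.0.113.11",
     "Domain": "vpc", "NetworkInterfaceId": "eni-0nat", "AssociationId": "eipassoc-2"},
    {"AllocationId": "eipalloc-aaaa0003", "PublicIp": "203.0.113.12",
     "Domain": "vpc"},
]

if __name__ == "__main__":
    idle, in_use = classify_addresses(SAMPLE_ADDRESSES)
    print(f"{len(idle)} idle, {len(in_use)} in use, "
          f"~${monthly_idle_cost(idle)} per month wasted")
    print("\n".join(release_plan(idle)))
```

Replace SAMPLE_ADDRESSES with fetch_addresses() to audit a real account; keep the plan as a dry run until someone has confirmed that none of the idle addresses is reserved for a planned cut-over.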
Spotting Idle NAT Gateways
NAT Gateways are often created for a VPC and then forgotten when workloads move to private subnets or when a VPC is decommissioned. Unlike EIPs, NAT Gateways have a separate hourly charge and a data‑processing charge, both of which appear even if no traffic flows.
List all NAT Gateways and their state
aws ec2 describe-nat-gateways \
--query 'NatGateways[].[NatGatewayId,State,VpcId,SubnetId,CreateTime]' \
--output table
A NAT Gateway in the available state that shows zero bytes processed over the last 24 hours is a strong candidate for removal.
Verify traffic with CloudWatch metrics
# Sum of bytes sent over the last 24 hours; date -d is GNU date syntax.
# CloudWatch returns no datapoint at all when nothing was recorded, so an
# empty result means the same as a sum of 0.
aws cloudwatch get-metric-statistics \
--namespace AWS/NATGateway \
--metric-name BytesOutToDestination \
--dimensions Name=NatGatewayId,Value=nat-xxxxxx \
--statistics Sum \
--period 86400 \
--start-time $(date -u -d '1 day ago' +%Y-%m-%dT%H:%M:%SZ) \
--end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
--output text
If the sum is 0, the gateway has not forwarded any traffic in the last day.
Delete an idle NAT Gateway
aws ec2 delete-nat-gateway --nat-gateway-id nat-xxxxxx
After deletion, AWS automatically releases the associated Elastic IP, removing two cost sources with one command.
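The NAT Gateway procedure above (list, check traffic, delete), as an added example that is not part of the original article. The logic takes a DescribeNatGateways list plus the CloudWatch datapoints per gateway and returns the idle candidates; it skips gateways younger than the lookback window, since a gateway created an hour ago has no traffic history yet and would otherwise be flagged. The teardown plan releases the gateway's Elastic IP explicitly after deletion, because the AWS documentation states that deleting a NAT Gateway disassociates its address but does not release it from the account. The sample gateways and datapoints are constructed, the $0.045/hour is the article's figure, and 730 hours per month is an assumed round-off.

```python
"""Find idle NAT Gateways from DescribeNatGateways + CloudWatch (added example)."""
from datetime import datetime, timedelta, timezone

NAT_USD_PER_HOUR = 0.045   # hourly rate quoted in the article
HOURS_PER_MONTH = 730      # assumed average month length


def fetch_live(hours=24):
    """Live variant using boto3 (imported lazily; the offline demo below does not call it)."""
    import boto3
    ec2, cw = boto3.client("ec2"), boto3.client("cloudwatch")
    gateways = ec2.describe_nat_gateways()["NatGateways"]
    end = datetime.now(timezone.utc)
    metrics = {}
    for g in gateways:
        resp = cw.get_metric_statistics(
            Namespace="AWS/NATGateway", MetricName="BytesOutToDestination",
            Dimensions=[{"Name": "NatGatewayId", "Value": g["NatGatewayId"]}],
            StartTime=end - timedelta(hours=hours), EndTime=end,
            Period=hours * 3600, Statistics=["Sum"])
        metrics[g["NatGatewayId"]] = resp["Datapoints"]
    return gateways, metrics


def bytes_out(datapoints):
    """Total bytes across datapoints; an empty list means CloudWatch recorded nothing."""
    return sum(d.get("Sum", 0) for d in datapoints)


def idle_nat_gateways(gateways, metrics, min_age_hours=24, now=None):
    """Gateways that are 'available', older than the lookback window and moved 0 bytes.

    CreateTime is a timezone-aware datetime, as boto3 returns it.
    """
    now = now or datetime.now(timezone.utc)
    idle = []
    for g in gateways:
        if g["State"] != "available":
            continue                      # pending/deleting/deleted: nothing to do
        if now - g["CreateTime"] < timedelta(hours=min_age_hours):
            continue                      # too new to have a traffic history
        if bytes_out(metrics.get(g["NatGatewayId"], [])) == 0:
            idle.append(g["NatGatewayId"])
    return idle


def monthly_nat_cost(idle_ids, hours=HOURS_PER_MONTH):
    """Estimated monthly hourly-fee charge for the idle gateways, in USD."""
    return round(len(idle_ids) * NAT_USD_PER_HOUR * hours, 2)


def teardown_plan(gateway):
    """Commands to delete one gateway and then release its Elastic IP.

    Deletion only disassociates the address, so it must be released separately,
    and only after the gateway reaches the 'deleted' state (the CLI waiter name
    is taken from recent CLI versions; check `aws ec2 wait help` on yours).
    """
    gid = gateway["NatGatewayId"]
    cmds = [f"aws ec2 delete-nat-gateway --nat-gateway-id {gid}",
            f"aws ec2 wait nat-gateway-deleted --nat-gateway-ids {gid}"]
    for addr in gateway.get("NatGatewayAddresses", []):
        if addr.get("AllocationId"):
            cmds.append(f"aws ec2 release-address --allocation-id {addr['AllocationId']}")
    return cmds


# Constructed sample (not real resources): an old silent gateway, a busy one,
# a brand-new one with no history yet, and one already deleted.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa1", "State": "available", "VpcId": "vpc-1", "SubnetId": "subnet-1",
     "CreateTime": NOW - timedelta(days=90),
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0aaa1", "PublicIp": "203.0.113.20"}]},
    {"NatGatewayId": "nat-0aaa2", "State": "available", "VpcId": "vpc-1", "SubnetId": "subnet-2",
     "CreateTime": NOW - timedelta(days=30),
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0aaa2", "PublicIp": "203.0.113.21"}]},
    {"NatGatewayId": "nat-0aaa3", "State": "available", "VpcId": "vpc-2", "SubnetId": "subnet-3",
     "CreateTime": NOW - timedelta(hours=2),
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0aaa3", "PublicIp": "203.0.113.22"}]},
    {"NatGatewayId": "nat-0aaa4", "State": "deleted", "VpcId": "vpc-2", "SubnetId": "subnet-4",
     "CreateTime": NOW - timedelta(days=200), "NatGatewayAddresses": []},
]
SAMPLE_METRICS = {
    "nat-0aaa1": [],                                                        # no datapoint at all
    "nat-0aaa2": [{"Timestamp": NOW - timedelta(days=1), "Sum": 5.2e9, "Unit": "Bytes"}],
    "nat-0aaa3": [],
}

if __name__ == "__main__":
    idle = idle_nat_gateways(SAMPLE_GATEWAYS, SAMPLE_METRICS, now=NOW)
    print(f"idle: {idle}, ~${monthly_nat_cost(idle)} per month in hourly fees")
    for g in SAMPLE_GATEWAYS:
        if g["NatGatewayId"] in idle:
            print("\n".join(teardown_plan(g)))
```

A single 24-hour window is a coarse signal; a gateway that only serves a monthly batch job would look idle for most of the month, so widen the lookback (the hours argument) before acting on it.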
Automate the Detection Process
Manual checks are useful for a one‑off audit, but recurring checks prevent drift.
- Scheduled Lambda: Deploy a Lambda function that runs the describe-addresses and describe-nat-gateways commands, evaluates attachment and traffic, and publishes findings to an SNS topic.
- Tagging policy: Enforce a tag like CostOwner=team‑name on all EIPs and NAT Gateways. Use AWS Config rules to flag resources missing the tag or staying idle for more than 7 days.
- Cost Explorer alerts: Set a daily cost alert for the ElasticIP:IdleAddress and NatGateway:Idle usage types. When the alert fires, the Lambda can automatically release the resource after a configurable grace period.
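The "release after a configurable grace period" step in the automation bullets, as an added example that is not part of the original article. A Lambda invocation has no memory of earlier runs, so the example stores the time a resource was first flagged in a tag on the resource itself, and only releases once the grace period measured from that stamp has passed. The tag key idle-first-seen is an assumed name, the idle resources are constructed sample data, and the boto3 calls in the live variant (create_tags, release_address, delete_nat_gateway) are real EC2 client methods.

```python
"""Grace-period decision for automated idle-resource clean-up (added example)."""
from datetime import datetime, timedelta, timezone

FIRST_SEEN_TAG = "idle-first-seen"       # assumed tag key, not an AWS-defined one
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def tag_value(tags, key):
    """Return the value of tag `key` from an EC2-style Tags list, or None."""
    for t in tags or []:
        if t.get("Key") == key:
            return t.get("Value")
    return None


def decide(tags, now, grace_days):
    """Decide what to do with one idle resource on this run.

    Returns ("mark", stamp) on first sighting, ("wait", remaining) while the
    grace period is still running, or ("release", stamp) once it has elapsed.
    """
    seen = tag_value(tags, FIRST_SEEN_TAG)
    if seen is None:
        return "mark", now.strftime(TIMESTAMP_FMT)
    first = datetime.strptime(seen, TIMESTAMP_FMT).replace(tzinfo=timezone.utc)
    remaining = timedelta(days=grace_days) - (now - first)
    if remaining > timedelta(0):
        return "wait", remaining
    return "release", seen


def plan_actions(idle_resources, now, grace_days=7):
    """Map each idle resource id to its action; resources are {'Id': ..., 'Tags': [...]}."""
    return {r["Id"]: decide(r.get("Tags"), now, grace_days)[0] for r in idle_resources}


def apply_with_boto3(idle_resources, now, grace_days=7):
    """Live variant for a Lambda handler: tag on first sighting, clean up after the grace period."""
    import boto3
    ec2 = boto3.client("ec2")
    for r in idle_resources:
        action, detail = decide(r.get("Tags"), now, grace_days)
        if action == "mark":
            ec2.create_tags(Resources=[r["Id"]],
                            Tags=[{"Key": FIRST_SEEN_TAG, "Value": detail}])
        elif action == "release" and r["Id"].startswith("eipalloc-"):
            ec2.release_address(AllocationId=r["Id"])
        elif action == "release" and r["Id"].startswith("nat-"):
            ec2.delete_nat_gateway(NatGatewayId=r["Id"])


# Constructed sample: never seen before, seen two days ago, seen nine days ago.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_IDLE = [
    {"Id": "eipalloc-0001", "Tags": []},
    {"Id": "eipalloc-0002", "Tags": [{"Key": FIRST_SEEN_TAG, "Value": "2024-06-08T09:00:00Z"}]},
    {"Id": "nat-0003", "Tags": [{"Key": FIRST_SEEN_TAG, "Value": "2024-06-01T09:00:00Z"}]},
]

if __name__ == "__main__":
    for rid, action in plan_actions(SAMPLE_IDLE, NOW).items():
        print(f"{rid}: {action}")
```

When a flagged resource is seen in use again on a later run, delete the idle-first-seen tag so that a future idle period starts the clock from zero rather than inheriting the old stamp.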
Clean‑up Checklist for Engineers and Founders
- Run the EIP inventory script and release any AllocationIds without an InstanceId.
- Run the NAT Gateway inventory and confirm zero traffic via CloudWatch.
- Delete idle NAT Gateways using the CLI command; verify the associated EIP is also released.
- Add tagging rules to prevent future orphan resources.
- Schedule recurring audits (weekly for fast‑moving environments, monthly for stable workloads).
- Document the process in your team’s runbook so new engineers inherit the practice.
What CloudBudgetMaster Adds
CloudBudgetMaster continuously scans your AWS accounts, flags unattached Elastic IPs and idle NAT Gateways, and shows the exact dollar impact per resource. With a single click you can remediate or set automated policies, keeping hidden charges out of your monthly bill.