AWS Cost Analysis: Are Key Pairs and Security Groups Chargeable After Free Tier Expiration?



After your AWS Free Tier expires, you naturally want to clean up any resources that might incur charges. While Key Pairs and Security Groups appear in your AWS console, they don't directly impact your billing:

# Sample AWS CLI command to list all security groups
aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' --output text

# Sample AWS CLI command to list all key pairs
aws ec2 describe-key-pairs --query 'KeyPairs[*].KeyName' --output text

Key Pairs and Security Groups are metadata resources rather than provisioned infrastructure:

  • Key Pairs: Simply store public keys (free)
  • Security Groups: Act as virtual firewalls (free unless associated with running instances)

While the resources themselves are free, they can indirectly impact costs:

# Example of a security group that could lead to unexpected traffic costs
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 22 \
    --cidr 0.0.0.0/0  # This overly permissive rule could be exploited

Even though these resources are free, proper cleanup is recommended:

# Delete unused key pair
aws ec2 delete-key-pair --key-name MyKeyPair

# Delete security group (only if not associated with any instances)
aws ec2 delete-security-group --group-id sg-12345678
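
Before deleting anything, it helps to know which groups expose a port to the whole internet and which are not attached to anything. The following is an added example, not code from the original page: it works on constructed data shaped like the JSON output of `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`, and the group IDs, interface ID and function names are assumptions made for illustration.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups --output json`
# (load real output with json.load); group and interface IDs are made up.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0bbb", "GroupName": "old-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0aaa", "GroupName": "default", "IpPermissions": []},
    {"GroupId": "sg-0ccc", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}
# Constructed sample shaped like `aws ec2 describe-network-interfaces --output json`.
NETWORK_INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0111", "Groups": [{"GroupId": "sg-0ccc"}]}]}
WORLD = {"0.0.0.0/0", "::/0"}

def world_open_on_port(groups, port=22):
    """Return IDs of groups with an ingress rule that exposes `port` to any address."""
    hits = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            # IpProtocol "-1" means all protocols and ports; FromPort/ToPort are absent.
            all_traffic = perm["IpProtocol"] == "-1"
            in_range = (perm["IpProtocol"] in ("tcp", "6")
                        and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1))
            if cidrs & WORLD and (all_traffic or in_range):
                hits.append(sg["GroupId"])
                break  # one matching rule is enough to flag the group
    return hits

def unattached(groups, interfaces):
    """Return IDs of non-default groups that no network interface references."""
    in_use = {g["GroupId"] for eni in interfaces["NetworkInterfaces"] for g in eni["Groups"]}
    return [sg["GroupId"] for sg in groups["SecurityGroups"]
            if sg["GroupId"] not in in_use and sg["GroupName"] != "default"]

if __name__ == "__main__":
    print("world-open SSH:", world_open_on_port(SECURITY_GROUPS))
    print("deletion candidates:", unattached(SECURITY_GROUPS, NETWORK_INTERFACES))
```

A group that another group's rule references is also refused by `delete-security-group`, so treat the second list as candidates to review rather than a delete list.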

Always verify actual charges through AWS Cost Explorer, and set a budget alert so unexpected spend is flagged:

# Set up AWS Budgets alert (free service)
aws budgets create-budget \
    --account-id 123456789012 \
    --budget file://budget.json \
    --notifications-with-subscribers file://notifications.json

Example budget.json:

{
    "BudgetName": "monthly-budget",
    "BudgetLimit": {
        "Amount": "10",
        "Unit": "USD"
    },
    "TimePeriod": {
        "Start": "2023-01-01",
        "End": "2087-06-15"
    },
    "BudgetType": "COST",
    "TimeUnit": "MONTHLY"
}

After my AWS Free Tier period ended, I carefully cleaned up all EC2 instances and S3 buckets to avoid unexpected charges. However, I noticed that my account still contained several Key Pairs and Security Groups. The immediate concern was: Do these leftover resources incur any costs?

Surprisingly, AWS documentation doesn't explicitly address this specific scenario. The pricing pages focus primarily on active resources like running instances, storage usage, and data transfer. This leaves many developers wondering about the cost implications of these "configuration artifacts."

Key Pairs are simply SSH credential references stored in AWS IAM. They:

  • Don't consume compute resources
  • Have no storage footprint
  • Generate no network traffic

Here's how to list them using AWS CLI:

aws ec2 describe-key-pairs --query 'KeyPairs[*].KeyName' --output text

While Security Groups themselves are free, certain related actions can trigger costs:

  • Each Security Group allows up to 60 rules at no charge
  • Excessive rules might require multiple Security Groups
  • Active Network ACLs using these groups may incur data processing charges

Example of listing Security Groups by name and ID:

aws ec2 describe-security-groups \
--query 'SecurityGroups[*].[GroupName,GroupId]' \
--output table

Even though these resources are generally free, I recommend:

  • Periodically clean up unused Key Pairs
  • Consolidate Security Groups where possible
  • Use AWS Cost Explorer to monitor any unexpected charges

Sample cleanup script for unused Key Pairs:

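#!/bin/bash
# Find and delete all Key Pairs not referenced by any instance in the current region.
# describe-instances returns instances in every state, so stopped instances count too.
set -euo pipefail  # abort if a lookup fails, instead of treating every key as unused

# --output text separates values with tabs and newlines; normalise to one name per line.
used_keys=$(aws ec2 describe-instances \
  --query 'Reservations[*].Instances[*].KeyName' \
  --output text | tr '\t' '\n' | sort -u)

all_keys=$(aws ec2 describe-key-pairs \
  --query 'KeyPairs[*].KeyName' \
  --output text | tr '\t' '\n')

while IFS= read -r key; do
  [ -n "$key" ] || continue
  # Exact whole-line match, so "web" is not treated as used because "web-prod" is.
  if ! grep -Fxq -- "$key" <<< "$used_keys"; then
    aws ec2 delete-key-pair --key-name "$key"
    echo "Deleted unused key pair: $key"
  fi
done <<< "$all_keys"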

To be absolutely certain these resources aren't costing you money:

  1. Navigate to AWS Billing Dashboard
  2. Check "Cost Explorer"
  3. Filter by "EC2" service
  4. Look for any non-zero charges

Remember that AWS charges appear with a slight delay, so monitor your account for a few days after cleanup.