The VPC Cleanup Discipline
VPCs accumulate. Each costs nothing alone; the cumulative effect is a tangle.
VPC inventory
List every VPC across accounts. Tag with owner, purpose, age, last-modified.
Untagged VPCs are immediately suspect. Either claim ownership or schedule for deletion.
Refresh the inventory quarterly: drift surfaces, and new VPCs are caught before they become orphans.
Retirement criteria
VPC with no recent activity (no instances, no resources) for 30+ days: candidate for deletion.
VPC owned by a retired service or team: candidate. Owner confirms or releases.
VPC with security violations (open security groups, public exposures): immediate action; retire or fix.
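The three criteria above, applied to an inventory as code. This is an added example, not part of the original page; the Vpc record shape, its field names and the sample inventory are assumptions (real rows would come from the account's VPC, tag, resource and activity queries).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

IDLE_DAYS = 30  # the "no recent activity for 30+ days" threshold

@dataclass
class Vpc:
    """One row of the cross-account inventory (hypothetical shape)."""
    vpc_id: str
    tags: Dict[str, str] = field(default_factory=dict)
    resource_count: int = 0               # instances, ENIs, endpoints still inside
    last_activity: Optional[date] = None  # None = no activity ever recorded
    open_ingress_sgs: int = 0             # security groups allowing 0.0.0.0/0 inbound

def classify(vpc: Vpc, retired_teams: Set[str], today: date) -> List[str]:
    """Retirement findings for one VPC; an empty list means keep."""
    findings: List[str] = []
    if vpc.open_ingress_sgs > 0:
        findings.append("security-violation")  # immediate action, not a 30-day notice
    owner = vpc.tags.get("owner")
    if not owner:
        findings.append("untagged")            # immediately suspect
    elif owner in retired_teams:
        findings.append("owner-retired")       # owner confirms or releases
    inactive = vpc.last_activity is None or (today - vpc.last_activity).days >= IDLE_DAYS
    if vpc.resource_count == 0 and inactive:
        findings.append("idle")                # empty and quiet for 30+ days
    return findings

def retirement_candidates(vpcs: List[Vpc], retired_teams: Set[str], today: date) -> Dict[str, List[str]]:
    """vpc_id -> findings, for every VPC with at least one finding."""
    report = {v.vpc_id: classify(v, retired_teams, today) for v in vpcs}
    return {k: f for k, f in report.items() if f}

# Constructed sample inventory; real rows come from describe-vpcs plus tag,
# resource and flow-log queries in each account.
TODAY = date(2024, 6, 1)
RETIRED_TEAMS = {"legacy-search"}
SAMPLE = [
    Vpc("vpc-0aaa", {"owner": "payments", "purpose": "api"}, 12, TODAY - timedelta(days=1)),
    Vpc("vpc-0bbb", {}, 0, TODAY - timedelta(days=45)),
    Vpc("vpc-0ccc", {"owner": "legacy-search"}, 3, TODAY - timedelta(days=5), 2),
    Vpc("vpc-0ddd", {"owner": "data"}, 0, None),
]

if __name__ == "__main__":
    for vpc_id, findings in retirement_candidates(SAMPLE, RETIRED_TEAMS, TODAY).items():
        print(vpc_id, ", ".join(findings))
```

Findings are ordered by urgency so the security violation is listed before the slower ownership and idleness signals.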
Retirement process
Notice to owner: 30-day deletion warning. Time to claim or migrate.
Drain phase: route inbound traffic away; identify any unexpected dependencies.
Tear-down: terraform destroy or equivalent. Audit log records destruction.
Preventing accumulation
Each new VPC has an owner at creation. IaC enforces ownership tags.
Per-quarter ownership review. Owner confirms continued need.
Naming convention helps. Old or unmaintained VPCs surface by name pattern.