USE CASE

Find EOL SDKs and IAM violations in production, not in code review

Build-time scanners check what's in your repo. reCost checks what's actually running in production: the IAM roles accessing data, the SDK versions making requests, the services that should never be there.

THE PROBLEM

Production is different from your repo

Snyk, Dependabot, and SCA tools scan your code. They don't see what's running. Old Lambda functions, forgotten services, EOL runtimes: they're in production, making real requests.

  • EOL SDKs running in production Lambda functions, never flagged
  • IAM roles with access they shouldn't have, not in any policy audit
  • Browser access to production data buckets going undetected
  • PII-looking object keys visible to unexpected roles
  • First-time role access events not generating any alert

WHAT RECOST DOES

Production runtime security from S3 access logs

Every S3 request carries the SDK version, IAM role, and user agent that made it. reCost cross-references these against EOL runtimes and CVE databases in real time.

  • Detect aws-sdk-java/1.x, aws-sdk-go/1.x, nodejs10/12/14, Hadoop 3.3.x in production
  • Match detected runtime versions against known CVEs
  • Alert on IAM roles crossing bucket boundaries
  • Flag first-time role access to any bucket
  • Identify null user agents and raw HTTP clients in production
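
The checks listed above can be sketched against the S3 server access log format, where the requester is the fifth field and the user agent the seventeenth. This is an added example, not reCost's code: the regexes, function names, the `known_pairs` baseline and the sample lines (placeholder account, bucket and IDs) are assumptions made for illustration.

```python
import re

# One field of an S3 server access log line: [timestamp], "quoted string", or bare token.
_FIELD = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')
_ROLE = re.compile(r"arn:aws:sts::\d+:assumed-role/([^/]+)/")

# Runtimes named on this page; the regexes that match them are this example's assumption.
EOL_MARKERS = {
    "aws-sdk-java/1.x": re.compile(r"aws-sdk-java/1\."),
    "aws-sdk-go/1.x": re.compile(r"aws-sdk-go/1\."),
    "nodejs10/12/14": re.compile(r"nodejs1[024]\.x"),
    "Hadoop 3.3.x": re.compile(r"Hadoop 3\.3\."),
}

def parse_line(line):
    """Return bucket, role and user agent from one access log line, or None if malformed."""
    f = _FIELD.findall(line)
    if len(f) < 17:
        return None
    m = _ROLE.match(f[4])  # requester field; keep only the role name for assumed roles
    return {"bucket": f[1], "role": m.group(1) if m else f[4], "user_agent": f[16].strip('"')}

def findings(lines, known_pairs=()):
    """Return a list of (finding, bucket, role); known_pairs is the (bucket, role) baseline."""
    seen, out = set(known_pairs), []
    for rec in filter(None, map(parse_line, lines)):
        bucket, role, ua = rec["bucket"], rec["role"], rec["user_agent"]
        if (bucket, role) not in seen:
            seen.add((bucket, role))
            out.append(("first-time-access", bucket, role))
        if ua in ("", "-"):
            out.append(("null-user-agent", bucket, role))
        out.extend(("eol:" + name, bucket, role)
                   for name, rx in EOL_MARKERS.items() if rx.search(ua))
    return out

def sample_line(role, user_agent):
    """Constructed log line (placeholder account, IDs and bucket name)."""
    return ('79a5EXAMPLE prod-data [06/Feb/2024:00:00:38 +0000] 192.0.2.3 '
            f'arn:aws:sts::111122223333:assumed-role/{role}/session-1 3E57EXAMPLE '
            'REST.GET.OBJECT exports/a.csv "GET /exports/a.csv HTTP/1.1" 200 - 113 113 7 6 '
            f'"-" "{user_agent}" - hostidEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
            'AuthHeader prod-data.s3.amazonaws.com TLSv1.2')

SAMPLE = [
    sample_line("report-lambda", "aws-sdk-nodejs/2.1001.0 linux/v10.24.1 exec-env/AWS_Lambda_nodejs10.x"),
    sample_line("etl-spark", "Hadoop 3.3.1, aws-sdk-java/1.11.901 Linux/5.4 java/1.8.0_292"),
    sample_line("web-frontend", "-"),
]
```

Calling `findings(SAMPLE, known_pairs={("prod-data", "etl-spark")})` treats `etl-spark` as an already-seen role, so it is reported only for its runtime markers.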

"nodejs10.x Lambda, EOL since 2021, still making requests to production S3. Three years past end of support, actively hitting a sensitive bucket."

Never flagged by their SCA tool. Visible in reCost on day one.

See exactly what's happening in your S3 data layer

Works with your existing AWS setup. Read-only access. No agents. No data exposure.
