In this article we look at the common causes of a high AWS Config bill and the best practices and actions that bring it down.
First, let us look at the factors that drive AWS Config cost up.
- Rule evaluation frequency: many AWS Config rules evaluating on a short period (for example every hour, the shortest periodic frequency), deployed across all regions.
- Conformance packs: large, overlapping conformance packs deployed across many accounts and regions; every rule in a pack produces billable conformance pack evaluations.
- Large-scale resource changes: frequent deployments, scaling activity and configuration changes across a wide set of resources.
- Recording of configuration items: every recorded change becomes a configuration item (CI), so continuous resource churn produces a continuous stream of billable CIs.
AWS Config pricing
AWS Config bills three things per region: each configuration item (CI) recorded, each rule evaluation (at a volume-tiered price) and each conformance pack evaluation. Rules deployed through a conformance pack are billed as conformance pack evaluations, not as individual rule evaluations.
Pricing example
Suppose you have the following monthly usage:
- 100,000 configuration items recorded across various resource types.
- 500,000 AWS Config rule evaluations in detective mode across all individual AWS Config rules in the account.
- 10 conformance packs, each containing 10 AWS Config rules with 300 rule evaluations per AWS Config rule.
Cost of configuration items: 100,000 × $0.003 = $300
Cost of AWS Config rules: first 100,000 evaluations at $0.001 each = $100, then 400,000 further evaluations at $0.0008 each = $320
Cost of conformance packs: 10 × 10 × 300 = 30,000 conformance pack evaluations; 30,000 × $0.001 = $30
Total AWS Config bill:
$300 (configuration items) + $100 + $320 (AWS Config rules) + $30 (conformance packs) = $750
In addition to these charges, AWS Config delivers configuration snapshots and history files to the Amazon S3 bucket you select and sends configuration change notifications through Amazon SNS; standard Amazon S3 and Amazon SNS rates apply to that storage and delivery.
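The tiered pricing makes the example above fiddly to redo by hand once the numbers change, so here is the same calculation as a small Python estimator. This is an added example, not part of the original article or of any AWS tooling. It uses the AWS list prices per region: $0.003 per configuration item; $0.001 for the first 100,000 rule evaluations, $0.0008 for the next 400,000 and $0.0005 beyond 500,000; and conformance pack evaluations at the flat $0.001 rate used in the example, deliberately not modelling the volume discounts AWS applies above one million pack evaluations.

```python
from decimal import Decimal

# Cumulative volume tiers as (upper bound of the tier, unit price in USD).
# None marks the open-ended top tier. Prices are AWS Config list prices per
# region; conformance packs are modelled at the single $0.001 rate only
# (assumption: volume discounts above 1M pack evaluations are ignored).
CONFIG_ITEM_TIERS = [(None, Decimal("0.003"))]
RULE_EVALUATION_TIERS = [
    (100_000, Decimal("0.001")),
    (500_000, Decimal("0.0008")),
    (None, Decimal("0.0005")),
]
CONFORMANCE_PACK_TIERS = [(None, Decimal("0.001"))]


def tiered_cost(quantity, tiers):
    """Price `quantity` units through cumulative volume tiers.

    Each unit is charged at the price of the tier its position falls into,
    so the first 100,000 rule evaluations always cost $0.001 each, however
    large the monthly total is.
    """
    cost = Decimal(0)
    consumed = 0
    for upper, price in tiers:
        if quantity <= consumed:
            break
        in_tier = (quantity if upper is None else min(quantity, upper)) - consumed
        cost += in_tier * price
        consumed += in_tier
    return cost


def conformance_pack_evaluations(packs, rules_per_pack, evaluations_per_rule):
    """Evaluations billed for a set of identically sized conformance packs."""
    return packs * rules_per_pack * evaluations_per_rule


def estimate_config_cost(config_items, rule_evaluations, pack_evaluations):
    """Per-line-item breakdown plus total for one region-month, in USD."""
    breakdown = {
        "configuration_items": tiered_cost(config_items, CONFIG_ITEM_TIERS),
        "rule_evaluations": tiered_cost(rule_evaluations, RULE_EVALUATION_TIERS),
        "conformance_pack_evaluations": tiered_cost(pack_evaluations, CONFORMANCE_PACK_TIERS),
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown


if __name__ == "__main__":
    # The worked example from the article: 100,000 CIs, 500,000 rule
    # evaluations and 10 packs x 10 rules x 300 evaluations each.
    packs = conformance_pack_evaluations(10, 10, 300)
    for item, usd in estimate_config_cost(100_000, 500_000, packs).items():
        print(f"{item:30s} ${usd:,.2f}")
```

Feed it the monthly counts from your bill and the breakdown shows which line item to attack first; the rule tier function also makes clear that savings on rule evaluations are worth the most while you are still paying the top-tier price for the first 100,000.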
How to optimise AWS Config cost
Selective resource recording
Record only the resource types your security and compliance requirements actually call for, rather than every supported type. A recorder set up with the default options records all supported resource types; instead, list the types to record, or keep recording all supported types but exclude the noisy ones you do not need. Recording can be narrowed by resource type only; scoping by tag or by individual resource ID is a feature of AWS Config rules, not of the recorder. Two further recorder settings affect cost directly: record global resource types such as IAM in a single designated region, otherwise every IAM change produces a CI in each region where global recording is on; and set resource types that change often but do not need a per-change history to daily recording, which records at most one CI per resource per day instead of one per change.
Evaluation mode (trigger type)
AWS Config rules are evaluated on one or both of two trigger types: periodic and configuration changes.
- Periodic: the rule runs at a fixed frequency of 1, 3, 6, 12 or 24 hours, evaluating every in-scope resource on each run. Choosing the longest period that still meets the compliance requirement (24 hours is the maximum) cuts evaluations proportionally: the same rule run hourly produces 24 times the evaluations of the daily run.
- Configuration changes: the rule runs each time a configuration item is recorded for a resource in its scope, so its evaluation count follows your change rate. It is important to understand how CIs are generated: AWS Config records a CI not only for the resource that changed but also for related resources whose relationships changed, so churn in either produces more CIs, more change-triggered evaluations and a higher bill. Scope change-triggered rules to the resource types (or tag) they need, and remove unnecessary churn at its source.
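To see how much the trigger choice matters, and how both triggers are expressed in the PutConfigRule API, here is an added Python example that is not from the original article. The rule names are made up; the managed rule identifiers (CLOUD_TRAIL_ENABLED, S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, ENCRYPTED_VOLUMES) and the MaximumExecutionFrequency values are the real ones. It counts the monthly evaluations a periodic rule produces for a given number of in-scope resources and builds the payloads for a periodic rule and for a change-triggered rule scoped to resource types or to a tag.

```python
# Hours between runs for each MaximumExecutionFrequency value PutConfigRule accepts.
FREQUENCY_HOURS = {
    "One_Hour": 1,
    "Three_Hours": 3,
    "Six_Hours": 6,
    "Twelve_Hours": 12,
    "TwentyFour_Hours": 24,
}


def periodic_evaluations_per_month(resources_in_scope, frequency, days=30):
    """Evaluations a periodic rule bills in a month.

    Every run evaluates each in-scope resource once, so the count is
    resources x runs. Account-level rules such as cloudtrail-enabled have a
    single resource in scope (the account itself).
    """
    if frequency not in FREQUENCY_HOURS:
        raise ValueError(f"unsupported MaximumExecutionFrequency: {frequency!r}")
    runs = days * 24 // FREQUENCY_HOURS[frequency]
    return resources_in_scope * runs


def compare_frequencies(resources_in_scope, days=30):
    """Monthly evaluation count for every allowed frequency, to pick the
    longest period that still satisfies the compliance requirement."""
    return {f: periodic_evaluations_per_month(resources_in_scope, f, days)
            for f in FREQUENCY_HOURS}


def periodic_rule(name, source_identifier, frequency="TwentyFour_Hours"):
    """PutConfigRule payload for an AWS managed rule evaluated on a schedule."""
    if frequency not in FREQUENCY_HOURS:
        raise ValueError(f"unsupported MaximumExecutionFrequency: {frequency!r}")
    return {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        "MaximumExecutionFrequency": frequency,
    }


def change_triggered_rule(name, source_identifier, resource_types=None, tag=None):
    """PutConfigRule payload for a rule that runs only when a CI is recorded
    for a resource in its Scope. Scope takes either a list of resource types
    or one (key, value) tag pair; without a Scope the rule is triggered by a
    change to any resource in the recording group."""
    if bool(resource_types) == bool(tag):
        raise ValueError("scope the rule by resource types or by one tag, not both or neither")
    if resource_types:
        scope = {"ComplianceResourceTypes": list(resource_types)}
    else:
        key, value = tag
        scope = {"TagKey": key}
        if value is not None:
            scope["TagValue"] = value
    return {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        "Scope": scope,
    }


if __name__ == "__main__":
    import json
    # 200 in-scope resources: hourly evaluation is 24x the daily count.
    for freq, n in compare_frequencies(200).items():
        print(f"{freq:18s} {n:>8,} evaluations/month")
    print(json.dumps(periodic_rule("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED"), indent=2))
    print(json.dumps(change_triggered_rule(
        "prod-s3-sse", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
        resource_types=["AWS::S3::Bucket"]), indent=2))
```

Multiply the evaluation counts by the tier prices from the pricing section to turn them into dollars; for 200 resources the hourly rule alone produces 144,000 evaluations a month, already past the first pricing tier, while the daily rule produces 6,000.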
Check for an application issue
In some cases the unexpected configuration changes that AWS Config records are caused by application behaviour rather than by anyone changing infrastructure. Every recorded change is a billable CI, so a misbehaving workload inflates the bill directly.
For example, an ECS task may be crash-looping because of a bug in the application, restarting every minute or so. In awsvpc networking mode each task launch creates, and each stop deletes, an elastic network interface; AWS Config records a CI for each of these changes and can also record CIs for related resources, such as the task's security group and subnet, whose relationships changed. The result is a steady, unexpected stream of configuration items. Look at which resource types and which individual resources account for most CIs: a single resource with dozens of CIs an hour usually points at a loop to fix rather than at anything to tune in AWS Config.
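The two recommendations above, record selectively and find the workload that generates the churn, both start from the same question: which resource types and which individual resources account for the CIs? The following added Python example (not from the original article) answers it from configuration history items and then builds the PutConfigurationRecorder payload that moves the noisy types to daily recording or excludes them. The history records are constructed to mimic the crash-looping ECS task described above; resource IDs, timestamps and the role ARN are made up, while `load_history_file` reads the real gzipped history files that AWS Config delivers to S3.

```python
import gzip
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def load_history_file(path):
    """Return the configurationItems list from one gzipped configuration
    history file as AWS Config delivers it to the S3 bucket."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["configurationItems"]


def sample_history():
    """Constructed stand-in for one hour of history (not real data): an ECS
    task crash-loops 20 times. In awsvpc mode each restart creates and then
    deletes an ENI (two CIs) and each ENI change updates the relationships
    of the task's security group (one more CI). A few ordinary changes are
    mixed in. Resource IDs and timestamps are made up."""
    start = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    items = []

    def ci(resource_type, resource_id, status, offset_min):
        items.append({
            "resourceType": resource_type,
            "resourceId": resource_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime":
                (start + timedelta(minutes=offset_min)).isoformat(),
        })

    for n in range(20):
        eni = f"eni-0{n:016x}"
        ci("AWS::EC2::NetworkInterface", eni, "ResourceDiscovered", 3 * n)
        ci("AWS::EC2::NetworkInterface", eni, "ResourceDeleted", 3 * n + 2)
        ci("AWS::EC2::SecurityGroup", "sg-0123456789abcdef0", "OK", 3 * n)
    ci("AWS::S3::Bucket", "audit-logs-example", "OK", 7)
    ci("AWS::S3::Bucket", "app-assets-example", "OK", 41)
    for n in range(3):
        ci("AWS::IAM::Role", f"AROAEXAMPLEROLE{n}", "OK", 10 * n + 5)
    return items


def count_by_type(items):
    """CIs per resource type, most frequent first."""
    return dict(Counter(i["resourceType"] for i in items).most_common())


def resources_with_most_items(items, n=5):
    """(resourceType, resourceId, count) for the n resources with most CIs.
    One resource with dozens of CIs an hour points at a crash or
    reconciliation loop rather than at legitimate change."""
    counts = Counter((i["resourceType"], i["resourceId"]) for i in items)
    return [(t, r, c) for (t, r), c in counts.most_common(n)]


def noisy_types(items, min_share=0.25):
    """Resource types that account for at least min_share of all CIs."""
    total = len(items)
    return [t for t, c in count_by_type(items).items() if c / total >= min_share]


def recorder_request(role_arn, daily_types=(), excluded_types=(), name="default"):
    """PutConfigurationRecorder payload: keep recording all supported types
    but record the noisy ones once a day (at most one CI per resource per
    day) or exclude them entirely. Global resource types are left to the
    one region designated to record them."""
    overlap = set(daily_types) & set(excluded_types)
    if overlap:
        raise ValueError(f"types cannot be both daily and excluded: {sorted(overlap)}")
    group = {"includeGlobalResourceTypes": False}
    if excluded_types:
        group.update({
            "allSupported": False,
            "exclusionByResourceTypes": {"resourceTypes": sorted(excluded_types)},
            "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        })
    else:
        group.update({"allSupported": True,
                      "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}})
    mode = {"recordingFrequency": "CONTINUOUS"}
    if daily_types:
        mode["recordingModeOverrides"] = [{
            "description": "high-churn types recorded at most once a day",
            "resourceTypes": sorted(daily_types),
            "recordingFrequency": "DAILY",
        }]
    return {"ConfigurationRecorder": {"name": name, "roleARN": role_arn,
                                      "recordingGroup": group, "recordingMode": mode}}


if __name__ == "__main__":
    items = sample_history()  # in practice: load_history_file("<history file>.json.gz")
    print(count_by_type(items))
    for t, r, c in resources_with_most_items(items, 3):
        print(f"{c:4d}  {t}  {r}")
    # Placeholder role ARN; use the recorder role of the account being tuned.
    print(json.dumps(recorder_request("arn:aws:iam::123456789012:role/aws-config-recorder",
                                      daily_types=noisy_types(items)), indent=2))
```

Moving a type to DAILY keeps one CI per resource per day, which preserves compliance evaluation and a coarse history; excluding it also stops any change-triggered rule scoped to that type from firing, so prefer DAILY unless the type is genuinely irrelevant. Check how global resource types are treated by the recording strategy you pick before applying the payload in each region.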
Retention period
By default AWS Config keeps configuration history for seven years (2,557 days); the retention configuration lets you shorten this to as little as 30 days to match your compliance requirement. Note that a shorter retention does not reduce the AWS Config charge itself, which is incurred when each CI is recorded; it only limits how much history stays queryable. The storage saving lies in the delivery bucket: add an Amazon S3 lifecycle policy to the bucket that receives the snapshots and history files so that they are transitioned to a cheaper storage class or expired in line with your retention requirement.
Duplicate conformance packs
Avoid evaluating the same control twice. Tailor conformance packs to your needs rather than deploying the sample templates as they are: the sample templates overlap heavily with one another and with the AWS Security Hub security standards, which create their own AWS Config rules.
For example, the managed rule that verifies AWS CloudTrail is enabled (cloudtrail-enabled) appears in the PCI DSS sample conformance pack and in several other sample templates. If Security Hub already evaluates that control in the account, remove the rule from the conformance pack so that you are not billed for both evaluations.
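Duplicates are easiest to find from the account's actual rule inventory rather than from templates, because Security Hub and conformance packs both materialise their checks as ordinary Config rules. The added Python example below (not from the original article) groups describe-config-rules output by managed rule identifier and input parameters, labels each rule's origin from its CreatedBy service principal, and lists the conformance pack rules whose exact check Security Hub already runs. The sample output is constructed: the rule names, the pack suffix and the CreatedBy values it relies on are assumptions; the managed rule identifiers are real.

```python
import json
from collections import defaultdict

# CreatedBy values for service-linked rules as assumed in the sample output;
# rules created directly by the account carry no CreatedBy field.
ORIGINS = {
    "securityhub.amazonaws.com": "Security Hub",
    "config-conforms.amazonaws.com": "conformance pack",
}


def sample_describe_config_rules():
    """Constructed stand-in for `aws configservice describe-config-rules`
    output (not real data). Names, IDs and the Lambda ARN are made up; the
    SourceIdentifier values are real AWS managed rules."""
    def rule(name, identifier, created_by=None, params=None, owner="AWS"):
        r = {"ConfigRuleName": name,
             "Source": {"Owner": owner, "SourceIdentifier": identifier},
             "InputParameters": json.dumps(params or {})}
        if created_by:
            r["CreatedBy"] = created_by
        return r

    return {"ConfigRules": [
        rule("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED"),
        rule("securityhub-cloud-trail-enabled-1a2b3c4d", "CLOUD_TRAIL_ENABLED",
             "securityhub.amazonaws.com"),
        rule("cloudtrail-enabled-conformance-pack-pcidss1", "CLOUD_TRAIL_ENABLED",
             "config-conforms.amazonaws.com"),
        rule("securityhub-s3-bucket-public-read-prohibited-5e6f7a8b",
             "S3_BUCKET_PUBLIC_READ_PROHIBITED", "securityhub.amazonaws.com"),
        rule("s3-bucket-public-read-prohibited-conformance-pack-pcidss1",
             "S3_BUCKET_PUBLIC_READ_PROHIBITED", "config-conforms.amazonaws.com"),
        # Same managed rule with different parameters is not a duplicate.
        rule("securityhub-iam-password-policy-9c0d1e2f", "IAM_PASSWORD_POLICY",
             "securityhub.amazonaws.com", {"MinimumPasswordLength": "8"}),
        rule("iam-password-policy-conformance-pack-pcidss1", "IAM_PASSWORD_POLICY",
             "config-conforms.amazonaws.com", {"MinimumPasswordLength": "14"}),
        rule("custom-tag-check",
             "arn:aws:lambda:eu-west-1:123456789012:function:tag-check",
             owner="CUSTOM_LAMBDA"),
    ]}


def origin(rule):
    """Where a rule came from, derived from its CreatedBy service principal."""
    return ORIGINS.get(rule.get("CreatedBy"), "standalone")


def group_duplicates(describe_output):
    """Group rules that run the same check: same source owner, identifier and
    input parameters. Returns {(owner, identifier, params_json): [(name,
    origin), ...]} for groups containing more than one rule."""
    groups = defaultdict(list)
    for rule in describe_output["ConfigRules"]:
        params = json.loads(rule.get("InputParameters") or "{}")
        key = (rule["Source"]["Owner"], rule["Source"]["SourceIdentifier"],
               json.dumps(params, sort_keys=True))
        groups[key].append((rule["ConfigRuleName"], origin(rule)))
    return {k: v for k, v in groups.items() if len(v) > 1}


def pack_rules_covered_by_security_hub(describe_output):
    """Conformance pack rules whose exact check Security Hub already runs:
    candidates to remove from the pack template."""
    removable = []
    for members in group_duplicates(describe_output).values():
        if any(o == "Security Hub" for _, o in members):
            removable += [n for n, o in members if o == "conformance pack"]
    return sorted(removable)


if __name__ == "__main__":
    out = sample_describe_config_rules()  # or json.load(open("describe-config-rules.json"))
    for (owner, ident, params), members in group_duplicates(out).items():
        print(f"{ident} {params}")
        for name, o in members:
            print(f"    {o:16s} {name}")
    print("remove from packs:", pack_rules_covered_by_security_hub(out))
```

Grouping on input parameters as well as on the identifier matters: two iam-password-policy rules with different minimum lengths enforce different requirements and both should stay, whereas a pack rule that duplicates a Security Hub check parameter for parameter is pure cost.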
Consider removing Config recording from non-production environments
Assess whether non-production environments need configuration recording at all; their compliance and audit demands are usually lower. To cut cost, disable the recorder there or restrict it to the resource types and rules that matter, matching the depth of recording to the criticality of the resources. Before turning recording off, check what depends on it: Security Hub controls and organisation-wide conformance packs require AWS Config to be enabled in each member account.
Conclusion
AWS Config is cost-effective for most accounts, but specific workloads and configurations can push the bill up. Tune what you record, how often rules evaluate and which conformance packs you deploy so that cost stays proportionate while your audit and evaluation needs are still met; the recording configuration you choose for your resources has the largest influence. We hope this article has given you useful starting points for optimising your AWS Config costs.