AWS Config Cost: Is Cloud Infrastructure Change Monitoring Expensive?


by Valts Ausmanis · February 20, 2025

Monitoring cloud infrastructure changes is key to improving your cloud visibility, security and compliance, but is AWS Config too costly? Yes and no. If you track every change in a busy environment (like auto-scaling EC2 or frequent CI/CD deployments), costs can add up fast. But with smart choices like filtering important resources, using periodic recording, and enabling only necessary rules, you can keep costs low while still monitoring effectively. In this blog, I’ll break down when AWS Config gets expensive and how to use it more cost-efficiently. Let’s get started!

What is AWS Config?

AWS Config helps keep an up-to-date inventory of AWS resources and continuously checks them against your security rules - something every organization needs, no matter its size.

It does two key things:

  • Records changes to AWS resources (configuration items) whenever their settings or relationships change.
  • Evaluates compliance by checking these changes against AWS Config rules. You can use built-in AWS rules or create custom ones with policies or Lambda functions.

AWS Config Pricing

AWS Config uses a pay-as-you-go model where you’re charged based on the number of configuration items recorded, rule evaluations performed, and conformance pack evaluations. This section explains the key pricing components and how they affect your monthly bill.

Configuration Items Recorded

Every time AWS Config records the state of a supported resource, it creates a configuration item. Pricing is based on the number of these items recorded:

  • Per Configuration Item. Each recorded configuration item is charged at a set rate: $0.003 per continuous recording, $0.012 per periodic recording.

AWS Config Rules Evaluations

AWS Config monitors your resource configurations using defined rules, and every evaluation incurs a charge:

  • Rule Evaluations. Regardless of whether the rule is managed or custom, each evaluation is charged at $0.001 per evaluation.

Example:
If any rule is evaluated 100,000 times in a month, your cost will be 100,000 × $0.001 = $100.

Conformance Packs

Conformance packs allow you to bundle multiple rules into a single package for streamlined compliance management. The pricing for conformance packs is based on the underlying evaluations:

  • Conformance Packs. Each conformance pack is charged at $0.001 per evaluation.

When AWS Config Costs Can Become Expensive

I've seen AWS invoices where AWS Config costs actually exceeded compute or storage expenses. If not configured carefully, AWS Config can get expensive quickly.

Let’s take a look at some real-life scenarios with examples and calculations for both a 500,000-resource environment and a 5,000-resource environment.

High Frequency of Changes

Every time a resource changes, AWS Config creates a new configuration item at about $0.003 per item. Consider these real-life examples:

  • Auto Scaling in Production. Imagine a busy e-commerce site where Auto Scaling groups frequently launch or terminate EC2 instances (this includes ENI, EC2 instance, EBS volume resources, etc.), or where a database scales from 100 GB to 400 GB during peak shopping hours.
    • For 500,000 resources: If each resource changes twice a day, that’s 1,000,000 configuration items daily.
      • Daily cost: 1,000,000 × $0.003 = $3,000 per day.
    • For 5,000 resources: With the same frequency, you get 10,000 items daily.
      • Daily cost: 10,000 × $0.003 = $30 per day.
  • Rapid CI/CD Deployments. In a DEV/QA environment, continuous integration/deployment pipelines might repeatedly update or recreate microservices (like serverless applications) and supporting resources. Frequent deployments can trigger a lot of configuration changes, driving up costs similarly.
  • Environments Using Containers. In services like Amazon ECS or Amazon EKS, updates such as new container versions, scaling events, or rolling deployments can frequently change settings like tasks, services, and clusters. These changes help keep your applications running smoothly but also result in many configuration updates being recorded.
  • Security Policy Enforcement. Automated remediation tools and security controls (for example, AWS Config rules) may adjust configurations when they detect drift or non-compliance.
    • For instance, if a security group is inadvertently left too permissive, an automated process might promptly correct it, thus creating frequent changes in the resource configuration.
    • DevOps teams implementing IP allow-list rotations for SSH/RDP access cause frequent security group modifications. Each CIDR block change creates a new security group configuration item.

Multiple Rule Evaluations

AWS Config rules are used to check if resources comply with set standards. Each rule evaluation costs around $0.001. Real-life triggers include:

  • Security Compliance Monitoring. In a highly regulated industry, multiple rules might check for security best practices across every change. For instance, a rule ensuring encryption is enabled on every new resource could trigger on every update.
    • For 500,000 resources: If frequent changes trigger 1,000,000 evaluations daily, the evaluation costs add up quickly.
      • Daily cost: 1,000,000 × $0.001 = $1,000 per day.
    • For 5,000 resources: Costs scale down proportionally with fewer evaluations.
      • Daily evaluation cost: 10,000 × $0.001 = $10 per day.
  • Resource Tagging Compliance. Many organizations enforce strict tagging policies for cost allocation and resource management. Suppose you have a rule that checks whether every new EC2 instance or S3 bucket has the correct tags.
    • For 500,000 resources: In a highly dynamic environment, if each resource update triggers evaluations by the tagging rule, you might see up to 1,000,000 evaluations in a day.
      • Daily evaluation cost: 1,000,000 × $0.001 = $1,000 per day.
    • For 5,000 resources: In a smaller environment with the same frequency of changes, the daily evaluations might total 10,000.
      • Daily evaluation cost: 10,000 × $0.001 = $10 per day.

Initial Setup Costs

When you first enable AWS Config, the service takes a snapshot of all your resources.

  • Large-scale Rollout Example. For a new enterprise account with 500,000 resources, the one-time snapshot cost is:
    • 500,000 × $0.003 = $1,500.
  • Smaller Environment Example. For a smaller environment with 5,000 resources, the cost is:
    • 5,000 × $0.003 = $15.

This initial charge reflects the significant work AWS Config does to capture the entire state of your infrastructure, which can be especially expensive if you’re onboarding a large and dynamic environment.

Strategies for Optimizing AWS Config Costs

Here are a few strategies that I have used in my consulting work to manage costs, along with calculations to show the impact. By applying these measures, you can significantly reduce costs while still benefiting from AWS Config’s monitoring capabilities.

Apply Resource Filters

Limit tracking to critical resources using filters (like specific resource types or tags).

In a 500,000-resource environment, if you filter out 90% of resources, you only track 50,000 resources. The initial snapshot cost then becomes: 50,000 × $0.003 = $150 instead of $1,500.

Similarly, daily recording costs drop proportionally with the number of resources tracked.

Limit the Scope

Enable AWS Config only in necessary AWS accounts and regions. I have seen several DEV / QA accounts (where resources change more frequently than in PROD accounts) with AWS Config unnecessarily enabled, which resulted in thousands of dollars in additional AWS bills.

Consider Periodic Recording

If real-time monitoring isn’t essential, opt for periodic recording (e.g., once every 24 hours).

  • In the 500,000-resource environment, instead of recording multiple changes per day (which might cost $3,000 daily), you’d record once per day, costing around $1,500 for that day.
  • For the 5,000-resource environment, costs drop from $30 per day (continuous) to about $15 per day with periodic recording.

Optimize Rule Usage

It can be tempting to enable as many rules as possible, thinking it will make your infrastructure more secure. However, that’s not always the case—less is often more. Start with the rules that directly align with your application and compliance needs, and incrementally add new ones over time.

Fewer rules mean fewer evaluations, which helps keep the cost down.

For example, if you reduce the number of evaluations in a high-change environment from 1,000,000 to 200,000 per day by only monitoring critical configurations, you could potentially cut the rule evaluation cost by 80%.
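The filtering, periodic-recording and rule-scoping strategies above, combined in an added example (not code from the original article or from AWS): it keeps only the critical resource types, picks the cheaper recording mode per type at the per-item rates listed under AWS Config Pricing, and returns the `recordingGroup` and `recordingMode` fields in the shape the PutConfigurationRecorder API accepts. The inventory figures, the `CRITICAL` set and the cost model (one item per change when continuous, at most one item per resource per day when daily, one evaluation per recorded item per rule in scope) are assumptions made for illustration.

```python
# Rates from the "AWS Config Pricing" section of the article (USD).
RATE = {"CONTINUOUS": 0.003, "DAILY": 0.012}  # per configuration item
EVALUATION_RATE = 0.001                        # per rule evaluation

# Constructed sample inventory (hypothetical numbers):
# resource type -> (resource count, avg changes per resource per day, rules in scope)
INVENTORY = {
    "AWS::EC2::NetworkInterface": (2000, 12.0, 0),
    "AWS::EC2::Instance": (1000, 6.0, 2),
    "AWS::EC2::SecurityGroup": (300, 0.5, 3),
    "AWS::S3::Bucket": (200, 0.1, 4),
    "AWS::Lambda::Function": (1500, 3.0, 0),
}
CRITICAL = set(INVENTORY) - {"AWS::Lambda::Function"}  # assumed filter choice

def daily_cost(count, changes_per_day, rules_in_scope, mode):
    """Estimated USD per day for one resource type (simplified model:
    one item per change when continuous, at most one item per resource per
    day when daily, one evaluation per recorded item per rule in scope)."""
    per_resource = changes_per_day if mode == "CONTINUOUS" else min(changes_per_day, 1.0)
    items = count * per_resource
    return items * RATE[mode] + items * rules_in_scope * EVALUATION_RATE

def plan_recorder(inventory, critical_types):
    """Pick the cheaper mode per critical type; return (recorder fields, USD/day)."""
    daily_types, total = [], 0.0
    for rtype in sorted(critical_types):
        costs = {m: daily_cost(*inventory[rtype], m) for m in ("CONTINUOUS", "DAILY")}
        mode = min(costs, key=costs.get)  # ties stay on CONTINUOUS
        total += costs[mode]
        if mode == "DAILY":
            daily_types.append(rtype)
    fields = {
        "recordingGroup": {
            "allSupported": False,
            "resourceTypes": sorted(critical_types),
            "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
        },
        "recordingMode": {"recordingFrequency": "CONTINUOUS"},
    }
    if daily_types:  # one override entry can list several resource types
        fields["recordingMode"]["recordingModeOverrides"] = [{
            "description": "High-churn types recorded once per day",
            "resourceTypes": daily_types,
            "recordingFrequency": "DAILY",
        }]
    return fields, round(total, 2)

if __name__ == "__main__":
    print(plan_recorder(INVENTORY, CRITICAL))
```

At those rates one periodic item costs as much as four continuous ones, so in this model daily recording only wins on recording charges for types that change more than four times a day; rules in scope lower that threshold because each skipped item also skips its evaluations.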

Infrastructure Change Monitoring with Cloudviz.io

For many small and medium businesses (SMBs), spending $1,000 a month or $12,000 a year on AWS Config alone is simply too high. These companies may not require strict compliance enforcement, but they still need clear visibility into their infrastructure changes. For some SMBs, the total AWS bill might only be around $1,000 to $2,000 per month. In such cases, if AWS Config costs make up more than half of your overall AWS spend, it’s a clear sign that you need a more cost-effective solution.

Fortunately, there are alternatives like Cloudviz.io, which offers infrastructure change monitoring for a fixed rate of only $49 per month. You can check our pricing details at Cloudviz.io Pricing.

Automated monitoring combined with diagram history gives your team superpowers:

  • Be notified when something changes in your infrastructure, so your team can always double-check if these changes are intended and as expected or not.
  • Know exactly what’s changed in the form of a visual diagram or JSON diff.
  • Complete history of your infrastructure changes. Access your infrastructure change history whenever you need it—whether debugging failed deployments, troubleshooting issues, or conducting security audits.

Summary

AWS Config is a powerful tool for tracking infrastructure changes and ensuring compliance. However, based on my experience, I know that its pricing can quickly add up - especially in dynamic environments or for organizations with smaller budgets. I’ve mentioned several cost optimization options, such as filtering critical resources, limiting the scope of monitoring, and opting for periodic recordings instead of continuous monitoring. And if your AWS spend is low or strict compliance isn’t a top priority, I recommend considering an alternative like Cloudviz.io, which offers cost-effective infrastructure change monitoring.


