AWS Config is an excellent service, but can be expensive. I was doing some work with the service in a personal account and wasn’t watching the billing and ended up with a bill that was several hundred dollars. If you’re working with Config be aware of the billing and make sure you have the appropriate CloudWatch billing alarms set …. just sayin’. 😉
Andy, how could you end up with several hundreds of USD for AWS config itself??
It’s charged on a per-rule basis ($2/month/rule) + $0.003 per configuration item recorded.
So to have e.g. a $200 bill, you would need to have e.g. 10 rules ($20) + 60000 config items recorded (changes)… in a month.
I’m not saying it’s not possible, I’m just saying it’s quite a lot for a private account 🙂
I agree with Mariusz — this is confusing. Is the AWS Config pricing page wrong / misleading? The way it reads is that it should not charge you every time you activate a rule, but should charge you $2 per active rule per month, not $2 per evaluation. See this:
With Config Rules, you are charged based on the number of active rules in your account. Each time an AWS resource is compared with a rule, the result is recorded as an evaluation result. You can choose to evaluate rules when AWS resources change or at periodic intervals like hourly or daily. A rule is active if it has one or more evaluations in a month.
Config Rules costs: $2 per active rule per month
Are you sure you didn’t have something wrong in Lambda that caused it to create many unique rules instead of re-evaluating existing rules? I’m not saying I don’t believe what you are saying — I just want to understand it better. Can you post your account’s billing from Config?
For example, here’s current Config billing for my company account:
AWS Config ActiveConfigRules $18.00
$2.00 per Active Config Rule in US East (N.Virginia) region
9 ActiveConfigRules $18.00
AWS Config ConfigurationItemRecorded $1.06
$0.003 per Configuration Item recorded in US East (N.Virginia) region
Hi Andy, looking at the FAQ -> https://aws.amazon.com/config/faq/
"If you are using AWS Config Rules, you will be charged based on active Config Rules in that month. When a rule is compared with an AWS resource, the result is recorded as an evaluation. A rule is active if it has one or more evaluations in a month."
I assume that when you create a config rule, you have an asset to check against it, so this would trigger an evaluation and record a CI. So yes, now your example makes more sense to me. Probably it’s better to test lambdas outside of the config rule service 😉
Thanks, that’s helpful for sure
Hi, I see a charge for 9 config rules. Are there any disadvantages to me deleting these 9 rules? Are they absolutely needed during the learning process? (monthly bill of $18 for 9 rules :-))
PLEASE READ IF YOU PLAN TO WORK IN AN ENTERPRISE ENVIRONMENT
TLDR; use Athena to query the Config data objects being stored in S3 to get true cost insights. This AWS blog post is a great starting point: https://aws.amazon.com/premiumsupport/knowledge-center/retrieve-aws-config-items-per-month/
This is a super important area to know if you’re working in an environment that deploys code multiple times per day/hour. I can’t stress enough how important it is to know this. Don’t just think about this topic in terms of passing AWS certification exams, think of it in terms of keeping the job you land. If you enable AWS Config on your first day without understanding the cost implications, your last day might be the end of the month when your organization gets the next bill.
One of the most important elements of the AWS Config pricing model is the fact that configuration items are recorded/created whenever a resource undergoes a configuration change or a relationship change. This means every time you make a change to a resource you’re going to pay at least $0.003 (as of today’s pricing). For example, if you create a security group and attach it to multiple EC2 instances, you’re not just paying for the cost of creating the security group ($0.003) but also the cost of attaching it to the instances themselves (at $0.003 per attachment). The act of attaching the security group to the instance counts as a relationship change. Relationship changes are an often misunderstood AWS Config ‘sneaky’ cost that continues to accumulate behind the scenes because users are unaware that they’re being billed for every single change they make, even without creating new resources. See the AWS Config documentation for a list of supported resources and their relationships: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
An application hosted in AWS doesn’t have to be large to rack up Config costs quickly; especially if you are working with autoscaling, automation, orchestration and/or CI/CD build processes in your AWS account. In these environments, the change relationships between VPC, subnet, security group, and autoscaling resources can easily accumulate thousands of Config changes for a single resource. We’re talking thousands of dollars a month in AWS Config costs alone. These costs can get large enough to make some smaller companies close their doors, and make larger companies seriously consider whether or not they want you managing resources in their cloud accounts.
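Added example, not part of the comment above and not AWS tooling: a Python tally of configuration items per month and resource type, priced with the figures quoted in this thread, to show which resource types drive the bill. The sample data is constructed; the field names (`configurationItems`, `resourceType`, `configurationItemCaptureTime`) are assumed to match the configuration history files Config delivers to S3.

```python
import json
from collections import Counter
from decimal import Decimal

# Prices as quoted in this thread; confirm against the current pricing page.
PRICE_PER_CI = Decimal("0.003")    # per configuration item recorded
PRICE_PER_RULE = Decimal("2.00")   # per active rule per month


def _ci(rtype, rid, ts):
    # Minimal configuration item: only the fields the tally reads.
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemCaptureTime": ts}


# Constructed sample: one security group, three instances it was attached to,
# 40 network-interface changes from deployment churn, one item from June.
SAMPLE_HISTORY = json.dumps({"fileVersion": "1.0", "configurationItems": (
    [_ci("AWS::EC2::SecurityGroup", "sg-0example", "2024-05-02T10:00:00.000Z")]
    + [_ci("AWS::EC2::Instance", f"i-0example{n}", "2024-05-02T10:01:00.000Z")
       for n in range(3)]
    + [_ci("AWS::EC2::NetworkInterface", f"eni-0example{n}",
           f"2024-05-{n % 28 + 1:02d}T03:00:00.000Z") for n in range(40)]
    + [_ci("AWS::EC2::Instance", "i-0example0", "2024-06-01T00:00:00.000Z")]
)})


def count_items(history_json):
    """Count configuration items per (YYYY-MM, resourceType)."""
    counts = Counter()
    for item in json.loads(history_json).get("configurationItems", []):
        month = item["configurationItemCaptureTime"][:7]
        counts[(month, item["resourceType"])] += 1
    return counts


def estimate(counts, month, active_rules=0):
    """Return (cost per resource type, total incl. active rules) for one month."""
    per_type = {rtype: n * PRICE_PER_CI
                for (m, rtype), n in counts.items() if m == month}
    total = sum(per_type.values(), Decimal("0")) + active_rules * PRICE_PER_RULE
    return per_type, total


if __name__ == "__main__":
    by_type, total = estimate(count_items(SAMPLE_HISTORY), "2024-05", active_rules=9)
    for rtype, cost in sorted(by_type.items(), key=lambda kv: -kv[1]):
        print(f"{rtype:32} ${cost}")
    print(f"estimated total for 2024-05: ${total}")
```

Run over a real month of history files, the sorted per-type output shows whether a handful of churning resource types account for most of the configuration items.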
I’ve had the AWS "free tier" for a while, but in the last week I’ve actually started developing a back end for an app (using just DynamoDB and API Gateway with Lambda functions) and storing it in CodeCommit;
I haven’t explicitly done anything with the "Config" service.
Yet my config costs jumped from 0 to about $10 a day during the last week when I’ve been coding the back end. There are no users of the app beyond myself. Since I haven’t used the Config service, what about my activities have caused this jump?
Does calling API Gateway somehow introduce "config" costs? Do Git CodeCommits cause "config" costs?
If it costs $10 a day for this app to run when there are no users beyond myself, this will never scale. Something doesn’t make sense here.