AWS Cloud Operations Blog
Automating Cost Optimization Governance with AWS Config
Overview
A key benefit of using the Amazon Web Services (AWS) cloud is the ability to pay only for the services you consume. This granular control and elastic model enables you to achieve substantial savings compared to on-premise infrastructure. The practice of ensuring you are getting the most value for your investment, and a foundational pillar of the Well-Architected Framework, is Cost Optimization.
Cost optimization has long been considered a retrospective exercise undertaken by the Finance team at the end of each month, but that narrative is no longer applicable. It is a shared responsibility that needs to be collectively owned by everyone on an ongoing basis. To achieve the most value, cost optimization should be implemented from both a strategic and a tactical perspective. The strategic perspective combines best practice, the use of cloud-native services, and a data-driven approach. The tactical perspective relates to the specific proactive actions that can drive immediate savings. Combining these approaches, and more importantly establishing and maintaining an optimum baseline standard in an automated manner, will maximise your business value and the price-performance efficiency of your workloads in the AWS cloud.
AWS Config is a service that continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and on other clouds. In this post, we show you how to enhance the value of the AWS Config service by deploying a solution across your organization that automatically evaluates resources against best practice logic for cost optimization utilizing a feature called Conformance Packs for AWS Config.
What are conformance packs and their benefits?
A conformance pack is a collection of AWS Config rules and remediation actions that provide a general-purpose compliance framework to help you codify and deploy strategic security, operational or cost-optimization governance checks in a single account and Region, or at scale across an entire AWS Organization. These rules automatically monitor and evaluate your resources to identify their compliance posture against the logic defined in each rule. AWS Config provides AWS Config Managed Rules, a set of predefined customizable rules, and AWS Config Custom Rules, where you define your own logic using AWS Lambda functions or AWS CloudFormation Guard, a policy-as-code language.
When a resource fails to comply with the logic defined in a rule, it is marked as Noncompliant. You have the option to manually or automatically invoke tactical remediation steps using AWS Systems Manager Automation, a service which provides an operations hub for your AWS applications and resources, with predefined runbooks to automatically remediate non-compliant resources or trigger event driven workflows such as alerting a team to take action.
Solution Overview
The Cost Optimization Conformance Pack solution enables customers already using AWS Config to get more value from the service by adding cost optimization governance to it. The customizable solution includes a collection of three example custom rules containing best practice cost optimization logic. These monitor and evaluate your resources to identify their cost optimization compliance posture and replicate the results back to an AWS Config aggregator in a single ‘delegated administrator’ account for simplified management and reporting. The following rules are included:
Rule 1: Check for EBS gp2 volumes. Remediation: Convert them to gp3 volumes.
Rule 2: Check for EBS volumes not attached to an EC2 instance.
Rule 3: Check for S3 buckets that do not have a lifecycle configuration policy.
If a resource does not meet the criteria defined in a rule, then the resource, the Config rule and the conformance pack will all be marked as Noncompliant. Rule 1 also contains a remediation action that can be invoked manually or automatically, triggering an SSM automation runbook to convert the EBS volume from gp2 to gp3. With gp3 volumes, you can provision IOPS and throughput independently, without increasing storage size, at costs up to 20% lower per GB compared to gp2 volumes.
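The three rules above are custom rules, so each is backed by a Lambda function that receives a configuration item from AWS Config and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE through PutEvaluations. The following handler is an added example written for this post, not the Lambda function shipped in the aws-samples repository; it assumes a hypothetical rule parameter named Check (ebs-gp2, ebs-unattached or s3-lifecycle) selects which evaluation a rule runs, and that the bucket lifecycle policy is exposed in the configuration item's supplementaryConfiguration under BucketLifecycleConfiguration. The sample configuration item and fake Config client at the bottom are constructed so the handler can be exercised offline.

```python
"""Custom AWS Config rule evaluator for the three cost optimization checks (added example)."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def check_ebs_gp2(ci):
    """Rule 1: a gp2 EBS volume is NON_COMPLIANT; any other volume type passes."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Not an EBS volume"
    volume_type = (ci.get("configuration") or {}).get("volumeType")
    if volume_type == "gp2":
        return NON_COMPLIANT, "Volume type is gp2; convert to gp3"
    return COMPLIANT, f"Volume type is {volume_type}"


def check_ebs_unattached(ci):
    """Rule 2: an EBS volume with no attachment in state 'attached' is NON_COMPLIANT."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Not an EBS volume"
    attachments = (ci.get("configuration") or {}).get("attachments") or []
    if any(a.get("state") == "attached" for a in attachments):
        return COMPLIANT, "Volume is attached to an EC2 instance"
    return NON_COMPLIANT, "Volume is not attached to any EC2 instance"


def check_s3_lifecycle(ci):
    """Rule 3: an S3 bucket without an enabled lifecycle rule is NON_COMPLIANT.
    Assumption: the lifecycle is in supplementaryConfiguration.BucketLifecycleConfiguration as a JSON string."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "Not an S3 bucket"
    raw = (ci.get("supplementaryConfiguration") or {}).get("BucketLifecycleConfiguration")
    if not raw:
        return NON_COMPLIANT, "Bucket has no lifecycle configuration"
    lifecycle = json.loads(raw) if isinstance(raw, str) else raw
    rules = lifecycle.get("rules") or lifecycle.get("Rules") or []
    if any(str(r.get("status", "")).lower() == "enabled" for r in rules):
        return COMPLIANT, f"{len(rules)} lifecycle rule(s) configured"
    return NON_COMPLIANT, "Lifecycle configuration has no enabled rules"


CHECKS = {"ebs-gp2": check_ebs_gp2, "ebs-unattached": check_ebs_unattached,
          "s3-lifecycle": check_s3_lifecycle}


def evaluate(ci, check_name):
    """Run one named check; a deleted resource is never scored, it simply drops out of scope."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource has been deleted"
    return CHECKS[check_name](ci)


def build_evaluation(ci, status, annotation):
    """Shape one verdict the way PutEvaluations expects (Annotation is limited to 256 characters)."""
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": status, "Annotation": annotation[:256],
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


def make_event(ci, check_name, result_token):
    """Build the event AWS Config sends to a change-triggered custom rule (for offline runs)."""
    invoking = {"messageType": "ConfigurationItemChangeNotification", "configurationItem": ci}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps({"Check": check_name}),  # hypothetical rule parameter
            "resultToken": result_token}


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: decode the invoking event, evaluate, and report back with the result token."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError(f"Unsupported messageType: {invoking.get('messageType')}")
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    status, annotation = evaluate(ci, params.get("Check", "ebs-gp2"))
    evaluation = build_evaluation(ci, status, annotation)
    if config_client is None:
        import boto3  # deferred so the module imports (and tests) without the SDK installed
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class FakeConfigClient:
    """Records PutEvaluations calls instead of sending them (constructed for offline runs)."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


# Constructed configuration item: an unattached gp2 volume, so Rules 1 and 2 both fail.
SAMPLE_GP2_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"volumeType": "gp2", "state": "available", "attachments": []},
}

if __name__ == "__main__":
    client = FakeConfigClient()
    print(lambda_handler(make_event(SAMPLE_GP2_VOLUME, "ebs-gp2", "token"), None, client))
```

Keeping each check a pure function of the configuration item is what makes the rule cheap to test and safe to re-evaluate: the handler only touches the AWS API once, to return the verdict, and a deleted resource is reported as NOT_APPLICABLE rather than left as a stale Noncompliant entry on the dashboard.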
Note: AWS Config is a chargeable service and you should refer to the pricing examples to understand the cost implications of enabling the service across your organization if you do not already use it.
The solution can be deployed across an AWS Organization with or without AWS Control Tower enabled. AWS Control Tower is an orchestration solution that simplifies the set up and governance of an AWS multi-account environment, following prescriptive best practices. Figure 1 refers to the deployment of the Cost Optimization Conformance Pack across an example OU structure provided by AWS Control Tower with member accounts.
Figure 1: Cost Optimization Conformance Pack architecture
Within the Security OU, we will utilize the audit account and register it as a delegated administrator for AWS Config and AWS CloudFormation. This will grant it permissions to deploy the Cost Optimization Conformance Pack and associated resources defined in the CloudFormation Stack across the accounts in your organization.
The CloudFormation Stack contains the Cost Optimization Conformance Pack custom rules along with an AWS Lambda function and an AWS Systems Manager document that are referenced by the rules. To enable the execution of the Lambda function and Systems Manager document, two custom AWS Identity and Access Management (IAM) roles are created using CloudFormation StackSets. These resources and roles are deployed to all accounts within the Organization from the centralised audit account to simplify the management of the solution.
AWS Config can check your resources for compliance against the conformance pack rules periodically or in response to configuration changes in your environment. The AWS Config Aggregator in the audit account will collate and centralize the data being captured in each of your member accounts by AWS Config, enabling further analysis on a per region basis.
Prerequisites
This post assumes you already have AWS Organizations and AWS Control Tower enabled, which deploy the OU structure, audit account and AWS Config Aggregator. If you do not plan to use AWS Control Tower, then refer to the guides on how to create an AWS Organization and how to create aggregators for AWS Config before proceeding.
In addition, you will need:
- Permission to access both your organization's management account and the audit account to which you are delegating administrative rights for deployment of the Cost Optimization Conformance Pack solution.
- Trusted access for StackSets with AWS Organizations enabled. Steps for checking this are provided in the Activate trusted access for stack sets with Organizations documentation.
- AWS Console access to AWS Config in the member accounts where the solution is being deployed.
Walkthrough
This post will walk you through completing the following steps:
- Establish a trust relationship between AWS Organizations and the service principals for AWS Config and AWS CloudFormation StackSets.
- Grant ‘delegated administrator’ permissions for the AWS Config and AWS CloudFormation services to the audit account.
- If Control Tower is not enabled, use the account where the AWS Config aggregator has been deployed for the procedure steps that refer to the ‘audit’ account.
- Deploy the Cost Optimization Conformance Pack.
- Using CloudFormation, you will deploy the conformance pack, Lambda function, IAM roles and Systems Manager document included in the solution.
- Testing the solution.
For the purposes of this walkthrough, our management account ID will be 111111111111 and the audit account from which we will deploy the solution will have an account ID of 222222222222.
Deploy the solution
Establish a trust relationship between AWS Organizations and the service principals for AWS CloudFormation
The trust relationship between AWS Organizations and AWS Config will already be partially established as per the prerequisite steps. To create the additional trust relationships for AWS Config rules and AWS CloudFormation, run the following CLI commands using AWS CloudShell in the organization management account:
To create and validate the trust relationships (console)
- Open the AWS Console.
- Login to your Organization management account as administrator.
- Type CloudShell in the console Search bar and select CloudShell.
- This will launch a CloudShell terminal window within the browser at the bottom of your screen.
- Run the following commands:
aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
aws organizations enable-aws-service-access --service-principal=member.org.stacksets.cloudformation.amazonaws.com
- Validate the trust relationships have been correctly established with the following command:
aws organizations list-aws-service-access-for-organization
- The output should contain the values shown in Figure 2:
Figure 2: AWS Organizations service principal trust relationships
Enable a ‘Delegated Administrator’ account for AWS Config
This step will enable the audit account as a delegated administrator for the AWS Config service and Config rules. Delegated administrators are accounts within a given AWS Organization that are granted additional administrative privileges, in this case for the AWS Config service to deploy and manage rules across accounts.
To setup a delegated administrator account for AWS Config (console)
- Repeat the steps to login to CloudShell.
- Run the following command, replacing the account-id with the ID of the audit account:
aws organizations register-delegated-administrator --account-id 222222222222 --service-principal config-multiaccountsetup.amazonaws.com
- Run the following command, replacing the account-id with the ID of the audit account:
aws organizations register-delegated-administrator --account-id 222222222222 --service-principal config.amazonaws.com
- To check the audit account has been successfully established as a delegated administrator for AWS Config, run the following commands:
aws organizations list-delegated-administrators --service-principal=config.amazonaws.com
aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
- You should see output similar to Figure 3 for each command with the account ID of your delegated administrator account.
Figure 3: AWS Organizations delegated administrators
Enable a ‘Delegated Administrator’ account for AWS CloudFormation
To grant delegated administrator permissions to the audit account for AWS CloudFormation, we need to use AWS CloudFormation StackSets and AWS Organizations. This feature creates the required IAM roles in each member account to support the deployment of the CloudFormation StackSet containing the Cost Optimization Conformance Pack resources across the organization.
To setup a delegated administrator account for AWS CloudFormation (console)
- Repeat the steps to login to CloudShell.
- Run the following command, replacing the account-id with the ID of the audit account:
aws organizations register-delegated-administrator --service-principal=member.org.stacksets.cloudformation.amazonaws.com --account-id=222222222222
- To check the audit account has been successfully established as a delegated administrator for AWS CloudFormation StackSets, run the following command:
aws organizations list-delegated-administrators --service-principal=member.org.stacksets.cloudformation.amazonaws.com
- You should see output similar to Figure 3 with the account ID of your delegated administrator account.
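The trust and delegated administrator steps above produce JSON from three list commands, and a missed registration only surfaces later as a failed StackSet deployment. The following preflight check is an added example, not part of the post or the aws-samples repository: it inspects the output of aws organizations list-aws-service-access-for-organization --output json and of aws organizations list-delegated-administrators --service-principal <principal> --output json (one run per principal, collected into a JSON object keyed by principal) and reports which of the three service principals are still missing trust or an ACTIVE delegation for the audit account. The sample documents in the block are constructed, so it runs without calling AWS.

```python
"""Preflight check for the Organizations trust and delegation prerequisites (added example)."""
import json
import sys

# The three service principals the walkthrough enables and delegates to the audit account.
REQUIRED_PRINCIPALS = (
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "member.org.stacksets.cloudformation.amazonaws.com",
)


def missing_service_access(service_access_doc, required=REQUIRED_PRINCIPALS):
    """Principals the organization does not yet trust (enable-aws-service-access not run)."""
    enabled = {e.get("ServicePrincipal") for e in service_access_doc.get("EnabledServicePrincipals", [])}
    return [p for p in required if p not in enabled]


def missing_delegations(delegations_by_principal, audit_account_id, required=REQUIRED_PRINCIPALS):
    """Principals for which the audit account is not an ACTIVE delegated administrator.
    delegations_by_principal maps each principal to the list-delegated-administrators output for it."""
    missing = []
    for principal in required:
        admins = delegations_by_principal.get(principal, {}).get("DelegatedAdministrators", [])
        if not any(a.get("Id") == audit_account_id and a.get("Status") == "ACTIVE" for a in admins):
            missing.append(principal)
    return missing


def preflight(service_access_doc, delegations_by_principal, audit_account_id):
    """Combine both checks; an all-empty report means the conformance pack can be deployed."""
    return {
        "service_access_missing": missing_service_access(service_access_doc),
        "delegation_missing": missing_delegations(delegations_by_principal, audit_account_id),
    }


# Constructed sample output: trust is complete, but the StackSets delegation was never registered.
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00+00:00"},
    {"ServicePrincipal": "config-multiaccountsetup.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00+00:00"},
    {"ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00+00:00"},
]}
_AUDIT = {"Id": "222222222222", "Name": "Audit", "Status": "ACTIVE"}
SAMPLE_DELEGATIONS = {
    "config.amazonaws.com": {"DelegatedAdministrators": [_AUDIT]},
    "config-multiaccountsetup.amazonaws.com": {"DelegatedAdministrators": [_AUDIT]},
    "member.org.stacksets.cloudformation.amazonaws.com": {"DelegatedAdministrators": []},
}

if __name__ == "__main__":
    # Usage: python preflight.py <audit-account-id> service-access.json delegations.json
    # where delegations.json is {principal: <list-delegated-administrators output>}.
    if len(sys.argv) == 4:
        with open(sys.argv[2]) as f1, open(sys.argv[3]) as f2:
            report = preflight(json.load(f1), json.load(f2), sys.argv[1])
    else:
        report = preflight(SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATIONS, "222222222222")
    print(json.dumps(report, indent=2))
    sys.exit(1 if any(report.values()) else 0)
```

The check deliberately requires Status to be ACTIVE rather than merely present: a delegated administrator account that is suspended or pending closure is still listed, but it cannot deploy the StackSet.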
Deploy the Cost Optimization Conformance Pack
In this step, you will download and deploy the conformance pack in the audit account using this CloudFormation YAML template from the AWS Samples Cost Optimization Conformance Pack GitHub repository. CloudFormation StackSets simplify the process for deployment and management of AWS resources.
For this solution the following will be deployed:
- AWS Config Organization Conformance Pack – a collection of AWS Config custom rules that will be used to evaluate resources against best practice cost optimization logic.
- This Organization Conformance Pack will deploy individual Cost Optimization Conformance Packs into each member account.
- AWS CloudFormation StackSet – a collection of CloudFormation stacks deployed into all the member accounts in the AWS Organization. These stacks will deploy the following:
- AWS Lambda Function – The AWS Config custom rules invoke a Lambda function that contains the logic to evaluate whether the specified resource is either Compliant or Noncompliant with cost optimization best practice rules defined above.
- IAM Roles – Two custom IAM roles will be deployed. One that will enable the Lambda function to be invoked and the second which will be used by AWS Systems Manager (SSM) to carry out remediation actions as defined in the SSM document.
- AWS Systems Manager Automation Document – This will be deployed into the audit account only and used by the member accounts.
To download and deploy the Cost Optimization Conformance Pack (console)
- Repeat the steps to login to CloudShell.
- Upload the YAML file to the CloudShell session by clicking the Upload file icon and selecting the YAML file you downloaded.
- Run the following command:
aws cloudformation deploy --template-file template.yaml --stack-name CostOptimizationConfPack --parameter-overrides DeployingInDelegatedAdminAccount=True --capabilities CAPABILITY_IAM
- To verify the CloudFormation StackSet has been deployed successfully, type CloudFormation in the console Search bar and select CloudFormation.
- Select Stacks on the left menu. The output should show the Stack that has been deployed with a CREATE_COMPLETE status as shown in Figure 4.
- To verify the conformance pack has been deployed successfully, type AWS Config in the console Search bar and select AWS Config.
- Select Conformance packs on the left menu. Your dashboard should look similar to the one in Figure 5.
Figure 4: CloudFormation Stack deployment status
The AWS Config Conformance packs dashboard shows that it has successfully deployed and is reporting a Compliance score. This score indicates a percentage compliance level for the resources that have been evaluated against the rules in the conformance pack. This dashboard will typically report INSUFFICIENT DATA until the rules have been evaluated for the first time.
Figure 5: Conformance pack deployment status
Testing the solution
Check the Cost Optimization Conformance Pack status
Now that the conformance pack and associated resources have been deployed across your accounts, you can see the status of the conformance pack rules using the AWS Config Conformance packs dashboard. You may already have resources that are being evaluated against the rules and showing as either Compliant or Noncompliant, as Figure 6 demonstrates. If there are no resources showing, follow the steps below to create a test Noncompliant Amazon EBS volume.
Figure 6: Cost Optimization Conformance Pack status
To test the conformance pack with a Noncompliant resource (console)
- Open the AWS Console.
- Login to a member account within your organization as administrator.
- Create an Amazon EBS volume using this procedure, ensuring you select the Volume Type as gp2.
- Once the EBS volume has been created navigate to the AWS Config dashboard.
- Select Conformance packs.
- Select the conformance pack with CostOptimization in the name.
- A list of Rules will appear as shown in Figure 6.
- Select the rule with CostOpt-Ebs in the name to view the rule dashboard.
- Select the Actions menu.
- Select Re-evaluate to trigger the rule to assess the resources in the account.
After the evaluation has completed, the Noncompliant EBS volume will display as shown in Figure 7. Clicking the volume ID will provide more information about the resource.
Figure 7: Config rule status
Testing Remediation
If a rule has a remediation action configured, it is possible to invoke this from the AWS Console view as shown in Figure 7. In the case of the EBS gp2 rule, this will invoke the Systems Manager automation runbook in the audit account to convert the volume type to gp3.
To invoke the remediation rule (console)
- From the AWS Config rule dashboard in Figure 7 scroll down to Resources in scope.
- Select the radio button for the EC2 Volume that is listed as Noncompliant.
- Select the Remediate button.
Once the remediation rule has been triggered, "Action executed successfully" should appear under the Status column. You can also validate that the change in volume type has completed successfully by looking at the volumes listed under Elastic Block Store in the EC2 service. Figure 8 shows the volume Type is now gp3.
Figure 8: EBS volumes status
Finally, AWS Config will update the status of the rule to show that the EBS volume which has been converted to gp3 is now showing as Compliant.
Note: The update of this status is not real-time.
Figure 9: Config rule status with compliant resource
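The remediation above is an SSM automation runbook that changes the volume type. Whatever form the runbook takes, a remediation that can be invoked automatically on every re-evaluation needs to be idempotent and must cope with a volume that is already being modified. The following function is an added example of that logic, not the Systems Manager document from the post or the aws-samples repository; it takes an EC2 client so it can be exercised offline with the constructed fake below, and falls back to boto3 (assumed available in the runbook's execution environment) when none is supplied. It also assumes, as the EBS API documents, that describe_volumes_modifications reports a not-found error for a volume that has never been modified.

```python
"""gp2 to gp3 conversion with the safety checks an automated remediation needs (added example)."""


def remediate_gp2_volume(volume_id, ec2_client=None):
    """Convert one EBS volume to gp3 if, and only if, it is currently gp2.
    Returns a small dict describing what happened so the runbook can record it."""
    if ec2_client is None:
        import boto3  # deferred: only needed for a real AWS call
        ec2_client = boto3.client("ec2")

    volumes = ec2_client.describe_volumes(VolumeIds=[volume_id])["Volumes"]
    if not volumes:
        return {"volume_id": volume_id, "action": "error", "reason": "volume not found"}
    volume = volumes[0]

    # Idempotency: a re-run after a successful conversion (or on a volume that was never gp2) is a no-op.
    if volume["VolumeType"] != "gp2":
        return {"volume_id": volume_id, "action": "skipped",
                "reason": f"volume type is {volume['VolumeType']}"}

    # EBS refuses a new modification while one is in progress, so report that instead of failing mid-run.
    try:
        mods = ec2_client.describe_volumes_modifications(VolumeIds=[volume_id]).get("VolumesModifications", [])
    except Exception as exc:  # the API reports "NotFound" for a volume with no modification history
        if "NotFound" not in str(exc):
            raise
        mods = []
    if any(m.get("ModificationState") in ("modifying", "optimizing") for m in mods):
        return {"volume_id": volume_id, "action": "deferred", "reason": "a modification is already in progress"}

    resp = ec2_client.modify_volume(VolumeId=volume_id, VolumeType="gp3")
    state = resp["VolumeModification"]["ModificationState"]
    return {"volume_id": volume_id, "action": "modified", "reason": f"modification state is {state}"}


class FakeEc2Client:
    """Minimal in-memory stand-in for boto3's EC2 client (constructed for offline runs)."""
    def __init__(self, volume_id, volume_type, in_progress=False):
        self.volumes = {volume_id: {"VolumeId": volume_id, "VolumeType": volume_type}}
        self.mods = [{"VolumeId": volume_id, "ModificationState": "modifying"}] if in_progress else []
        self.modify_calls = []

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds if v in self.volumes]}

    def describe_volumes_modifications(self, VolumeIds):
        return {"VolumesModifications": [m for m in self.mods if m["VolumeId"] in VolumeIds]}

    def modify_volume(self, VolumeId, VolumeType):
        self.modify_calls.append((VolumeId, VolumeType))
        self.volumes[VolumeId]["VolumeType"] = VolumeType
        self.mods.append({"VolumeId": VolumeId, "ModificationState": "modifying"})
        return {"VolumeModification": {"VolumeId": VolumeId, "ModificationState": "modifying"}}


if __name__ == "__main__":
    fake = FakeEc2Client("vol-0example", "gp2")  # constructed gp2 volume
    print(remediate_gp2_volume("vol-0example", fake))  # first run converts it
    print(remediate_gp2_volume("vol-0example", fake))  # second run is a no-op
```

Because the rule's compliance status is not updated in real time, an automatic remediation may be triggered again before AWS Config has re-evaluated the volume; the type check at the top is what keeps that second invocation harmless.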
Clean Up
All the resources deployed for the Cost Optimization Conformance Pack solution can be removed by deleting the CloudFormation stack either through the AWS Console, or using the CLI command below:
To delete the Cost Optimization Conformance Pack solution (CLI)
- Repeat the steps to login to CloudShell.
- Run the following command:
aws cloudformation delete-stack --stack-name CostOptimizationConfPack
You can also deregister the audit account as a delegated administrator for AWS Config and CloudFormation from Organizations by replacing the account-id with the ID for the audit account and running the CLI commands below.
- Run the following commands:
aws organizations deregister-delegated-administrator --account-id 123412341234 --service-principal config-multiaccountsetup.amazonaws.com
aws organizations deregister-delegated-administrator --account-id 123412341234 --service-principal config.amazonaws.com
Conclusion
The AWS Config Cost Optimization Conformance Pack is a powerful yet simple way to define, automate and govern cost optimization standards across your organization. The solution incorporates some best practice cost optimization rules to help establish and monitor a consistent compliance posture with the ability to invoke remediation steps for non-compliant resources.
The Cost Optimization Conformance Pack is an open source solution available from the AWS Samples GitHub repository. We encourage you to incorporate your own cost optimization rules and remediations into the conformance pack using the README guide available in the repository. You can find out more about AWS Config custom Lambda rules and AWS Systems Manager documents to expand the functionality of the solution further.
See the Customize AWS Config resource tracking in AWS Control Tower environment post for further reading around fine tuning AWS Config.
Matt King is a Senior Solutions Architect at Amazon Web Services, based in London. He supports customers across industries with specialized focus on the Semiconductor sector, leveraging over 20 years of senior IT leadership experience. Matt is dedicated to driving customer success through innovative, sustainable cloud solutions on AWS.
Dan Johns is a Senior Solutions Architect Engineer, supporting his customers to build on AWS and deliver on business requirements. Away from professional life, he loves reading, spending time with his family and automating tasks within their home.