There is no additional charge to use AWS Control Tower. You only pay for AWS services set up by AWS Control Tower, including services set up by default (such as AWS Service Catalog) and those used to implement your custom selections (such as AWS Config rules for enabled detective guardrails). You only pay for what you use, as you use it; there are no upfront commitments.

When you set up Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, and AWS Config. You will also incur costs for AWS services configured when you implement strongly recommended guardrails. While there's no additional charge for AWS Organizations service control policies (SCPs) or AWS CloudFormation, you will pay for AWS Config rules when you enable optional detective guardrails.

Pricing example 1

You set up AWS Control Tower. You do not plan to apply any strongly recommended guardrails.

When you first set up AWS Control Tower in your master account, the landing zone provisions an account factory, creates 2 shared accounts (log archive and audit), and applies mandatory guardrails (16 preventive and 2 detective guardrails). The preventive guardrails, implemented as Service control policies (SCPs), are enforced globally, while the detective guardrails, implemented as AWS Config rules, are enabled in the 4 AWS Regions that AWS Control Tower is available in.

You master account is billed $5.00 per month for the following:

  • $5.00 per month for a single account factory portfolio in AWS Service Catalog.
  • $0.00 per month for the mandatory preventive guardrails (as there is no charge for SCPs).  
  • $0.00 for AWS Config rules powering 2 mandatory detective guardrails that disallow public access to your log archive. Assuming you do not change the configuration of the Amazon S3 bucket in the log archive account to enable public read or write access, there will be 0 rule evaluations and you’ll be charged $0.00 (= 2 detective guardrails X 0 rule evaluations per guardrail X $0.001 per rule evaluation) per month.

You will incur a one-time charge (in the month that you set up AWS Control Tower) of $0.011 for AWS Config to initially record 3 configuration items and evaluate 2 rules. In addition, your master account is billed additional charges for resources such as AWS CloudTrail, Amazon CloudWatch, and Amazon S3, and for any additional configuration items and rule evaluations recorded by AWS Config depending on your activity in your shared accounts and the resource types being recorded. You can refer to the pricing pages for individual AWS services for details.  

Pricing example 2

After setting up your landing zone in pricing example #1, you now enable 2 strongly-recommended preventive guardrails. You also provision 10 new accounts for use by your teams, and you create 15 resources per account in each of the 4 regions that AWS Control Tower is available in.

Your master account is billed $5.00 per month for the following:

  • $5.00 per month, from pricing example #1.
  • $0 per month for 2 strongly-recommended mandatory preventive guardrails.

You will incur a one-time charge of $1.80 for AWS Config to record 600 configuration items (= 15 resources X 10 accounts X 4 regions) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item). In addition, your master account is also billed for additional charges for resources such as AWS CloudTrail, Amazon CloudWatch, and Amazon S3, and for any additional configuration items and rule evaluations recorded by AWS Config depending on your activity in all your accounts and the resource types being recorded.

Pricing example 3

After provisioning 10 accounts and creating 15 resources per account in each of the 4 AWS regions in pricing example #2, you now enable 5 strongly recommended detective guardrails across the 4 regions on all 10 accounts. Each resource undergoes 20 configuration state changes per month and each guardrail invokes 5,000 rule evaluations per month.

Your master account is billed $66.00 per month for the following:

  • $5.00 per month, from pricing example #2.
  • $36.00 per month for AWS Config to record 12,000 configuration items (= 15 resources X 10 accounts X 4 regions X 20 configuration state changes) at the rate of $0.003 per configuration item.
  • $25.00 per month for AWS Config to perform 25,000 rule evaluations (= 5 guardrails X 5,000 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You will incur a one-time charge of $12.00 for AWS Config to record 3,000 configuration items and 3,000 rule evaluations (= 15 resources X 10 accounts X 4 Regions X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item). In addition, your master account is billed for additional monthly charges for resources such as AWS CloudTrail, Amazon CloudWatch, and Amazon S3, and for any additional configuration items and rule evaluations recorded by AWS Config depending on your activity in all your accounts and the resource types being recorded. You can refer to the pricing pages for individual AWS services for details.  

Additional pricing resources

TCO Calculator

Calculate your total cost of ownership (TCO)

Simple Monthly Calculator

Easily calculate your monthly costs with AWS

Economics Resource Center

Additional resources for switching to AWS

Next-Steps-Icon_Product-page
Get an overview of AWS Control Tower
See overview 
Next-Steps-Icon_Tutorial
Discover AWS Control Tower features
Learn more 
Next-Steps-Icon_Blog
Read the blog post

Learn how AWS Control Tower enables enterprises to move even faster.

Read more