There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only pay for what you use, as you use it.

For example, if you edit the AWS Control Tower account factory configuration to enable public subnets when provisioning a new account, then account factory will configure Amazon VPC to create a NAT Gateway, and you will be billed for your usage by Amazon VPC. The following examples show how AWS Control Tower can influence the cost you incur by enabling other services.

If you are running ephemeral workloads from accounts in AWS Control Tower, you may see an increase in costs from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources, which are loaded and run when needed. Examples include EC2 spot instances, Amazon EMR jobs, and AWS Auto Scaling.

Please see Config pricing for details. Contact your AWS account representative for more specific information about managing these costs.

Pricing example 1: Setting up AWS Control Tower

You set up AWS Control Tower with your home Region in the US East (N. Virginia) AWS Region. You do not apply any strongly recommended or elective guardrails, or create new accounts using account factory.

When you first set up AWS Control Tower in your management account, it provisions an account factory, creates 2 shared accounts (log archive and audit), and applies mandatory preventive and detective guardrails. The preventive guardrails, implemented as service control policies (SCPs), are enforced globally, while the detective guardrails, implemented as AWS Config rules, are enabled in all AWS Regions that AWS Control Tower is currently available in.

Your management account is billed the following for activities related to AWS Control Tower:

  • A one-time charge of $0.033, that includes $0.009 for AWS Config to initially record 3 configuration items, at the rate of $0.003 per configuration item, and $0.002 for AWS Config to evaluate 2 rules, at the rate of $0.001 per evaluation (for the first 100,000 evaluations), with both charges related to the Amazon S3 bucket in the log-archive account, and $0.022 for AWS CloudTrail to record 1,100 events during the landing zone creation, at the rate of $2.00 per 100,000 management events.
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (8 API calls recorded to create a new portfolio, create the account factory product, and associate permissions), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts. For example, you are charged $0.023 per GB for Amazon S3 to store your log-archive bucket.

You can refer to the pricing pages for individual AWS services for details. 

Pricing example 2: Customer with a smaller usage profile on AWS

After setting up your landing zone in pricing example #1, you provision 10 new accounts for use by your teams, and you create 5 resources in each new account. In accordance with your business policies, you decide to host resources and run operations in a single AWS Region, for example, US East (N. Virginia), and you do not operate in any other AWS Region. You also enable 2 strongly-recommended preventive guardrails on your new accounts.

Your management account is billed for the following activities related to AWS Control Tower:

  • A one-time charge of $0.31, that includes $0.15 for AWS Config to record 50 configuration items (= 10 accounts X 5 resources X 1 Region) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item), and $0.16 for AWS CloudTrail to record 8,000 events when AWS Control Tower enables 2 preventive guardrails and account factory provisions 10 new accounts, at the rate of $2.00 per 100,000 management events.
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (100 API calls recorded when account factory provisions 10 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

After provisioning new accounts and creating resources in the accounts, you enable 5 strongly-recommended detective guardrails in all 10 accounts and across all Regions where Control Tower is currently available. In addition, each of your resources undergoes 10 configuration state changes per month, and each strongly-recommended detective guardrail invokes a total of 250 rule evaluations per month across all your accounts. You continue to host resources and run operations in the US East (N. Virginia) Region.

Your management account is billed $3.75 per month for the following activities related to AWS Control Tower:

  • $1.50 per month for AWS Config to record 500 configuration items (= 10 accounts X 5 resources X 1 Region X 10 configuration state changes per resource per Region per account), at the rate of $0.003 per configuration item. 
  • $1.25 per month for AWS Config to perform 1,250 rule evaluations (= 5 guardrails X 1 Region X 250 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You will also incur a one-time charge of $1.00 for AWS Config to record 250 configuration items and 250 rule evaluations (= 10 accounts X 5 resources X 1 Region X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item). 

In addition, your management account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

You can refer to the pricing pages for individual AWS services for details.

Pricing example 3: Customer with a larger usage profile on AWS

After setting up your landing zone in pricing example #1, you provision 25 new accounts for use by your teams, and, in each new account, you create 15 resources in each Region that you operate in. In accordance with your business policies, you decide to host resources and run operations in 3 AWS Regions — for example, your home Region of US East (N. Virginia), and 2 other Regions, US East (Ohio) and Europe (Ireland), and you do not operate in any other AWS Region. You also enable 2 strongly-recommended preventive guardrails on your new accounts.

Your management account is billed the following for activities related to AWS Control Tower:

  • A one-time charge of $3.775, that includes $3.375 for AWS Config to record 1,125 configuration items (= 25 accounts X 15 resources X 3 Regions) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item), and $0.40 for AWS CloudTrail to record 20,000 events when AWS Control Tower enables 2 preventive guardrails and account factory provisions 25 new accounts, at the rate of $2.00 per 100,000 management events.
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (250 API calls recorded when account factory provisions 25 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

After provisioning new accounts and creating resources in the accounts, you enable 5 strongly-recommended detective guardrails in all 25 accounts and across all Regions where Control Tower is available. In addition, each of your resources undergoes 15 configuration state changes per month, and each strongly-recommended detective guardrail invokes a total of 2,000 rule evaluations per month across all your accounts and in all Regions that you operate in. You continue to host resources and run operations in the US East (N. Virginia), US East (Ohio) and Europe (Ireland) Regions.

Your management account is billed $60.625 per month for activities related to AWS Control Tower:

  • $50.625 per month for AWS Config to record 16,875 configuration items (= 25 accounts X 15 resources X 3 Regions X 15 configuration state changes per resource per Region per account) at the rate of $0.003 per configuration item. 
  • $10.00 per month for AWS Config to perform 10,000 rule evaluations (= 5 guardrails X 2,000 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You will also incur a one-time charge of $22.50 for AWS Config to record 5,625 configuration items and 5,625 rule evaluations (= 25 accounts X 15 resources X 3 Regions X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item). In addition, your management account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts. 

You can refer to the pricing pages for individual AWS services for details.

Pricing example 4: Customer with ephemeral workloads on AWS

In addition to the examples above related to AWS Control Tower setup and profile use, customers with significant ephemeral workloads may see an increase in AWS Config costs.

An ephemeral workload is a temporary use of computing resources, which are loaded and run when needed. Examples include EC2 spot instances, Amazon EMR jobs, and AWS Auto Scaling. If you are running ephemeral workloads from accounts in AWS Control Tower, you may see an increase in costs from AWS Config as it records configuration changes associated with creating and deleting these temporary resources.

With AWS Config, you are charged based on the number of:

  • Configuration items recorded.
  • Active AWS Config rule evaluations.
  • Conformance pack evaluations in your account.

You pay $0.003 per configuration item recorded in your AWS account per AWS Region. A configuration item (CI) is recorded whenever a resource undergoes a configuration change or a relationship change. The resource could be an AWS, third party, or custom resource. A relationship defines how a resource is related to other resources within an AWS account. If you are running ephemeral workloads, such as EC2 Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. You may see an increase in costs associated with AWS Config.

For each ephemeral workload, the CIs are recorded as follows:
1 CI recorded for generating an ephemeral resource
1 CI recorded for deleting an ephemeral resource
For example, you are generating 10 EC2 resources. To take advantage of unused EC2 capacity, you generate 100 EC2 Spot Instances and 100 Auto Scaling resources to scale up and down, for each account, for each AWS Region, 10 times in 24 hours.

Number of CI Recorded for ephemeral workloads:
For EC2 Spot Instance:
100 EC2 Spot Instances for scaling up at any time during a 24-hour period = 100 CIs
100 EC2 Spot Instances for scaling down at any time during a 24-hour period = 100 CIs
Total CIs generated = (100 +100) * 10 times in 24 hours = 2000 CIs for each account, for each Region in 24 hours

For AWS Auto Scaling:
100 AWS Auto Scaling resources for scaling up at any time during a 24-hour period = 100 CIs
100 AWS Auto Scaling resources for scaling down at any time during a 24-hour period = 100 CIs
Total CIs generated = (100 +100) * 10 times in 24 hours = 2000 CIs for each account, for each Region in 24 hours

Cost of CIs recorded because of ephemeral workload changes:
4000 * 0.003 = $12 for each account, for each Region, per day
Or
$12/day * 31 days = $372 for each account, for each Region, per month

When running resources in Control Tower, there are no additional costs for Control Tower itself. Any additional costs are related to the ephemeral workloads, the changes associated with them, and the CIs generated by AWS Config. Ephemeral workloads are priced the same by AWS Config, in or outside Control Tower.

Please see Config pricing for details. Contact your AWS account representative for more specific information about managing these costs.

Additional pricing resources

AWS Pricing Calculator

Easily calculate your monthly costs with AWS

Economics Resource Center

Additional resources for switching to AWS

Next-Steps-Icon_Product-page
Get an overview of AWS Control Tower
See overview 
Next-Steps-Icon_Tutorial
Discover AWS Control Tower features
Learn more 
AWS Marketplace
Discover solutions for AWS Control Tower on AWS Marketplace
Learn more