There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory controls. While some AWS services, such as AWS Organizations and AWS IAM Identity Center, come at no additional charge, you will pay for services, such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (Amazon SNS), Amazon Simple Storage Service (Amazon S3), and Amazon Virtual Private Cloud (Amazon VPC), based on your usage of these services. You only pay for what you use, as you use it.

For example, if you edit the AWS Control Tower account factory configuration to enable public subnets when provisioning a new account, then account factory will configure Amazon VPC to create a NAT Gateway, and you will be billed for your usage by Amazon VPC. The following examples show how AWS Control Tower can influence the cost you incur by enabling other services.

If you are running ephemeral workloads from accounts in AWS Control Tower, you may see an increase in costs from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling.

Please see AWS Config pricing for details. Contact your AWS account representative for more specific information about managing these costs.

Pricing example 1: Setting up AWS Control Tower

You set up AWS Control Tower with your home AWS Region in the US East (N. Virginia). You do not apply any optional controls or create new accounts using account factory.

When you first set up AWS Control Tower in your management account, it provisions an account factory, creates 2 shared accounts (log archive and audit), and applies the mandatory preventive and detective controls. The preventive controls, implemented as service control policies (SCPs), are enforced globally; the detective controls, implemented as AWS Config rules, are enabled in every Region in which AWS Control Tower is currently available. Because the detective controls are AWS Config rules, AWS Config is the service whose charges grow most directly with the number of resources and configuration changes in your accounts.

Your management account is billed the following for activities related to AWS Control Tower:

  • A one-time charge of $0.033, made up of: $0.009 for AWS Config to record the initial 3 configuration items ($0.003 per configuration item) and $0.002 for AWS Config to evaluate 2 rules ($0.001 per evaluation for the first 100,000 evaluations), both for the Amazon S3 bucket in the log archive account; plus $0.022 for AWS CloudTrail to record 1,100 management events during landing zone creation ($2.00 per 100,000 management events).
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (8 API calls recorded to create a new portfolio, create the account factory product, and associate permissions), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services, depending on your activity in all your accounts. For example, Amazon S3 charges $0.023 per GB per month to store the contents of your log archive bucket.

You can refer to the pricing pages for individual AWS services for details. 

Pricing example 2: Customer with a smaller usage profile on AWS

After setting up your landing zone in pricing example #1, you provision 10 new accounts for use by your teams and create 5 resources in each new account. In accordance with your business policies, you decide to host resources and run operations in a single Region, for example, US East (N. Virginia), and you do not operate in any other Region. You also enable 2 strongly recommended preventive controls on your new accounts.

Your management account is billed for the following activities related to AWS Control Tower:

  • A one-time charge of $0.31, made up of: $0.15 for AWS Config to record 50 configuration items (= 10 accounts × 5 resources × 1 Region) at $0.003 per configuration item, assuming that each resource creates 1 configuration item; plus $0.16 for AWS CloudTrail to record 8,000 management events when AWS Control Tower enables the 2 preventive controls and account factory provisions the 10 new accounts, at $2.00 per 100,000 management events.
  • Additional applicable charges are billed for resources such as AWS CloudTrail, AWS Service Catalog (100 API calls recorded when account factory provisions 10 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

After provisioning new accounts and creating resources in the accounts, you enable 5 strongly recommended detective controls in all 10 accounts and across all Regions where AWS Control Tower is currently available. In addition, each of your resources undergoes 10 configuration state changes per month, and each strongly recommended detective control invokes a total of 250 rule evaluations per month across all your accounts. You continue to host resources and run operations in the US East (N. Virginia) Region.

Your management account is billed $2.75 per month ($1.50 + $1.25) for the following activities related to AWS Control Tower:

  • $1.50 per month is billed for AWS Config to record 500 configuration items (= 10 accounts X 5 resources X 1 Region X 10 configuration state changes per resource per Region per account), at the rate of $0.003 per configuration item. 
  • $1.25 per month is billed for AWS Config to perform 1,250 rule evaluations (= 5 controls X 1 Region X 250 rule evaluations per control), at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You also incur a one-time charge of $1.00 for AWS Config to record 250 configuration items ($0.75) and perform 250 rule evaluations ($0.25) (= 10 accounts × 5 resources × 1 Region × 5 controls, for each of the two counts) when the controls first evaluate the resources in your accounts (assuming that each resource creates 1 configuration item).

In addition, your management account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

You can refer to the pricing pages for individual AWS services for details.

Pricing example 3: Customer with a larger usage profile on AWS

After setting up your landing zone in pricing example #1, you provision 25 new accounts for use by your teams and, in each new account, you create 15 resources in each Region that you operate in. In accordance with your business policies, you decide to host resources and run operations in 3 Regions—for example, your home Region of US East (N. Virginia) and 2 other Regions in US East (Ohio) and Europe (Ireland), and you do not operate in any other Region. You also enable 2 strongly recommended preventive controls on your new accounts.

Your management account is billed the following for activities related to AWS Control Tower:

  • A one-time charge of $3.775, made up of: $3.375 for AWS Config to record 1,125 configuration items (= 25 accounts × 15 resources × 3 Regions) at $0.003 per configuration item, assuming that each resource creates 1 configuration item; plus $0.40 for AWS CloudTrail to record 20,000 management events when AWS Control Tower enables the 2 preventive controls and account factory provisions the 25 new accounts, at $2.00 per 100,000 management events.
  • Additional applicable charges are billed for resources such as AWS CloudTrail, AWS Service Catalog (250 API calls recorded when account factory provisions 25 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

After provisioning new accounts and creating resources in the accounts, you enable 5 strongly recommended detective controls in all 25 accounts and across all Regions where AWS Control Tower is available. In addition, each of your resources undergoes 15 configuration state changes per month, and each strongly recommended detective control invokes a total of 2,000 rule evaluations per month across all your accounts and in all Regions that you operate in. You continue to host resources and run operations in the US East (N. Virginia), US East (Ohio), and Europe (Ireland) Regions.

Your management account is billed $60.625 per month for activities related to AWS Control Tower:

  • $50.625 per month is billed for AWS Config to record 16,875 configuration items (= 25 accounts X 15 resources X 3 Regions X 15 configuration state changes per resource per Region per account) at the rate of $0.003 per configuration item. 
  • $10.00 per month is billed for AWS Config to perform 10,000 rule evaluations (= 5 controls X 2,000 rule evaluations per control) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You also incur a one-time charge of $22.50 for AWS Config to record 5,625 configuration items ($16.875) and perform 5,625 rule evaluations ($5.625) (= 25 accounts × 15 resources × 3 Regions × 5 controls, for each of the two counts) when the controls first evaluate the resources in your accounts (assuming that each resource creates 1 configuration item).

In addition, your management account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

You can refer to the pricing pages for individual AWS services for details.

Pricing example 4: Customer with ephemeral workloads on AWS

In addition to the examples above, which cover AWS Control Tower setup and steady-state usage profiles, customers with significant ephemeral workloads may see an increase in AWS Config costs.

An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon EC2 Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. If you are running ephemeral workloads from accounts in AWS Control Tower, you may see an increase in costs from AWS Config as it records configuration changes associated with creating and deleting these temporary resources.

With AWS Config, you are charged based on the number of the following:

  • Configuration items recorded
  • Active AWS Config rule evaluations
  • Conformance pack evaluations in your account

You pay $0.003 per configuration item recorded in your AWS account per AWS Region. A configuration item (CI) is recorded whenever a resource undergoes a configuration change or a relationship change. The resource could be an AWS, third-party, or custom resource. A relationship defines how a resource is related to other resources within an AWS account. If you are running ephemeral workloads, such as Amazon EC2 Spot Instances, Amazon EMR jobs, and AWS Auto Scaling, you may see an increase in costs associated with AWS Config.

For each ephemeral resource, AWS Config records 2 CIs:

  • 1 CI when the ephemeral resource is created
  • 1 CI when the ephemeral resource is deleted

For example, you run a baseline of 10 EC2 resources. To take advantage of unused EC2 capacity, you launch 100 EC2 Spot Instances and 100 AWS Auto Scaling resources to scale up and then scale back down, in each account and in each AWS Region, 10 times in 24 hours.

Number of CIs recorded for ephemeral workloads:

For Amazon EC2 Spot Instances:
  • 100 Amazon EC2 Spot Instances scaled up at any time during a 24-hour period = 100 CIs
  • 100 Amazon EC2 Spot Instances scaled down at any time during a 24-hour period = 100 CIs
  • Total CIs recorded = (100 + 100) × 10 cycles in 24 hours = 2,000 CIs per account, per Region, in 24 hours

For AWS Auto Scaling:
  • 100 AWS Auto Scaling resources scaled up at any time during a 24-hour period = 100 CIs
  • 100 AWS Auto Scaling resources scaled down at any time during a 24-hour period = 100 CIs
  • Total CIs recorded = (100 + 100) × 10 cycles in 24 hours = 2,000 CIs per account, per Region, in 24 hours

Cost of CIs recorded because of ephemeral workload changes:
  • 4,000 CIs × $0.003 = $12 per account, per Region, per day
  • $12 per day × 31 days = $372 per account, per Region, per month (a 31-day month, so this is the upper bound)

When running resources in AWS Control Tower, there are no additional costs for AWS Control Tower itself. Any additional costs are related to the ephemeral workloads, the changes associated with them, and the CIs generated by AWS Config. Ephemeral workloads are priced the same by AWS Config, in or outside AWS Control Tower.
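The arithmetic behind pricing examples 2, 3 and 4 is the same three-term model each time: configuration items from steady-state changes, rule evaluations by the detective controls, and, for ephemeral workloads, one CI on create plus one on delete. The following Python estimator is an added example and is not an AWS tool or code from this page; the `Footprint` dataclass, the function names and the first-tier guard are assumptions made for illustration, and the only rates it knows are the ones quoted above ($0.003 per CI, $0.001 per evaluation within the first 100,000). It lets you plug in your own account, Region, resource and control counts before enabling a batch of detective controls across an organization.

```python
"""Estimate the AWS Config share of an AWS Control Tower bill.

Reproduces the arithmetic of pricing examples 2, 3 and 4 from the rates quoted
on this page. Illustrative only: the dataclass and function names are assumed,
and the model knows only the first pricing tier.
"""
from dataclasses import dataclass
from decimal import Decimal

# Rates quoted on this page. Decimal keeps the money arithmetic exact.
CI_RATE = Decimal("0.003")          # per configuration item recorded
EVAL_RATE = Decimal("0.001")        # per rule evaluation, first 100,000 per month
FIRST_TIER_EVALUATIONS = 100_000    # the page quotes no rate beyond this tier


@dataclass(frozen=True)
class Footprint:
    """Steady-state landing-zone footprint (assumed shape, not an AWS API)."""
    accounts: int
    resources_per_region: int       # resources created per account per Region
    regions: int                    # Regions you actually operate in
    state_changes_per_month: int    # configuration changes per resource per month
    detective_controls: int         # strongly recommended detective controls enabled
    evaluations_per_control: int    # evaluations per control per month, all accounts/Regions

    @property
    def resources(self) -> int:
        return self.accounts * self.resources_per_region * self.regions


def initial_evaluation_cost(fp: Footprint) -> Decimal:
    """One-time cost when newly enabled controls first evaluate existing resources.

    Following the page's assumption, each resource yields 1 CI and 1 rule
    evaluation per control on that first pass.
    """
    n = fp.resources * fp.detective_controls
    return n * CI_RATE + n * EVAL_RATE


def monthly_config_cost(fp: Footprint) -> Decimal:
    """Recurring AWS Config cost: CIs from state changes plus rule evaluations."""
    cis = fp.resources * fp.state_changes_per_month
    evaluations = fp.detective_controls * fp.evaluations_per_control
    if evaluations > FIRST_TIER_EVALUATIONS:
        # Beyond the first tier the per-evaluation rate changes; this page does
        # not quote it, so refuse to extrapolate rather than silently guess.
        raise ValueError(
            f"{evaluations} evaluations exceed the {FIRST_TIER_EVALUATIONS} "
            "first-tier limit; consult AWS Config pricing for the next tier"
        )
    return cis * CI_RATE + evaluations * EVAL_RATE


def ephemeral_ci_cost(resources_per_cycle: int, cycles_per_day: int, days: int) -> Decimal:
    """Cost of CIs from ephemeral resources: 1 CI on create plus 1 on delete each.

    resources_per_cycle is the number of ephemeral resources launched (and
    later terminated) per scale-up/scale-down cycle in one account and Region.
    """
    cis_per_day = 2 * resources_per_cycle * cycles_per_day
    return cis_per_day * CI_RATE * days


if __name__ == "__main__":
    small = Footprint(accounts=10, resources_per_region=5, regions=1,
                      state_changes_per_month=10, detective_controls=5,
                      evaluations_per_control=250)
    large = Footprint(accounts=25, resources_per_region=15, regions=3,
                      state_changes_per_month=15, detective_controls=5,
                      evaluations_per_control=2000)
    print("example 2 one-time:", initial_evaluation_cost(small),
          "monthly:", monthly_config_cost(small))
    print("example 3 one-time:", initial_evaluation_cost(large),
          "monthly:", monthly_config_cost(large))
    # Example 4: 100 Spot Instances + 100 Auto Scaling resources per cycle, 10 cycles a day
    print("example 4 per day:", ephemeral_ci_cost(200, 10, 1),
          "per 31-day month:", ephemeral_ci_cost(200, 10, 31))
```

Run as is, the figures come straight from the bullets above: $1.00 one-time and $2.75 per month ($1.50 + $1.25) for example 2, $22.50 one-time and $60.625 per month for example 3, and $12 per account per Region per day ($372 over a 31-day month) for example 4. The guard on evaluation volume is deliberate: an organization-wide control enablement can cross the first tier quickly, and the page gives no rate for that, so the estimator stops rather than reporting a number it cannot justify.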

Please see AWS Config pricing for details. Contact your AWS account representative for more specific information about managing these costs.
