There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS IAM Identity Center (successor to AWS SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only pay for what you use, as you use it.
For example, if you edit the AWS Control Tower account factory configuration to enable public subnets when provisioning a new account, then account factory will configure Amazon VPC to create a NAT Gateway, and you will be billed for your usage by Amazon VPC. The following examples show how AWS Control Tower can influence the cost you incur by enabling other services.
If you are running ephemeral workloads from accounts in AWS Control Tower, you may see an increase in costs from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (EC2) spot instances, Amazon EMR jobs, and AWS Auto Scaling.
Please see Config pricing for details. Contact your AWS account representative for more specific information about managing these costs.
Pricing example 1: Setting up AWS Control Tower
You set up AWS Control Tower with your home Region in the US East (N. Virginia) AWS Region. You do not apply any strongly recommended or elective guardrails, or create new accounts using account factory.
When you first set up AWS Control Tower in your management account, it provisions an account factory, creates 2 shared accounts (log archive and audit), and applies mandatory preventive and detective guardrails. The preventive guardrails, implemented as service control policies (SCPs), are enforced globally, while the detective guardrails, implemented as AWS Config rules, are enabled in all AWS Regions in which AWS Control Tower is currently available.
Your management account is billed the following for activities related to AWS Control Tower:
- A one-time charge of $0.033, which includes $0.009 for AWS Config to initially record 3 configuration items, at the rate of $0.003 per configuration item, and $0.002 for AWS Config to evaluate 2 rules, at the rate of $0.001 per evaluation (for the first 100,000 evaluations), with both charges related to the Amazon S3 bucket in the log-archive account, and $0.022 for AWS CloudTrail to record 1,100 events during the landing zone creation, at the rate of $2.00 per 100,000 management events.
- Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (8 API calls recorded to create a new portfolio, create the account factory product, and associate permissions), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts. For example, you are charged $0.023 per GB for Amazon S3 to store your log-archive bucket.
You can refer to the pricing pages for individual AWS services for details.
Pricing example 2: Customer with a smaller usage profile on AWS
After setting up your landing zone in pricing example #1, you provision 10 new accounts for use by your teams, and you create 5 resources in each new account. In accordance with your business policies, you decide to host resources and run operations in a single AWS Region, for example, US East (N. Virginia), and you do not operate in any other AWS Region. You also enable 2 strongly-recommended preventive guardrails on your new accounts.
Your management account is billed for the following activities related to AWS Control Tower:
- A one-time charge of $0.31, which includes $0.15 for AWS Config to record 50 configuration items (= 10 accounts X 5 resources X 1 Region) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item), and $0.16 for AWS CloudTrail to record 8,000 events when AWS Control Tower enables 2 preventive guardrails and account factory provisions 10 new accounts, at the rate of $2.00 per 100,000 management events.
- Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (100 API calls recorded when account factory provisions 10 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.
After provisioning new accounts and creating resources in the accounts, you enable 5 strongly-recommended detective guardrails in all 10 accounts and across all Regions where Control Tower is currently available. In addition, each of your resources undergoes 10 configuration state changes per month, and each strongly-recommended detective guardrail invokes a total of 250 rule evaluations per month across all your accounts. You continue to host resources and run operations in the US East (N. Virginia) Region.
Your management account is billed $3.75 per month for the following activities related to AWS Control Tower:
- $1.50 per month for AWS Config to record 500 configuration items (= 10 accounts X 5 resources X 1 Region X 10 configuration state changes per resource per Region per account), at the rate of $0.003 per configuration item.
- $1.25 per month for AWS Config to perform 1,250 rule evaluations (= 5 guardrails X 1 Region X 250 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).
You will also incur a one-time charge of $1.00 for AWS Config to record 250 configuration items and 250 rule evaluations (= 10 accounts X 5 resources X 1 Region X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item).
In addition, your management account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.
You can refer to the pricing pages for individual AWS services for details.
Pricing example 3: Customer with a larger usage profile on AWS
After setting up your landing zone in pricing example #1, you provision 25 new accounts for use by your teams, and, in each new account, you create 15 resources in each Region that you operate in. In accordance with your business policies, you decide to host resources and run operations in 3 AWS Regions — for example, your home Region of US East (N. Virginia), and 2 other Regions, US East (Ohio) and Europe (Ireland), and you do not operate in any other AWS Region. You also enable 2 strongly-recommended preventive guardrails on your new accounts.
Your management account is billed the following for activities related to AWS Control Tower:
- A one-time charge of $3.775, which includes $3.375 for AWS Config to record 1,125 configuration items (= 25 accounts X 15 resources X 3 Regions) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item), and $0.40 for AWS CloudTrail to record 20,000 events when AWS Control Tower enables 2 preventive guardrails and account factory provisions 25 new accounts, at the rate of $2.00 per 100,000 management events.
- Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (250 API calls recorded when account factory provisions 25 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.
After provisioning new accounts and creating resources in the accounts, you enable 5 strongly-recommended detective guardrails in all 25 accounts and across all Regions where Control Tower is available. In addition, each of your resources undergoes 15 configuration state changes per month, and each strongly-recommended detective guardrail invokes a total of 2,000 rule evaluations per month across all your accounts and in all Regions that you operate in. You continue to host resources and run operations in the US East (N. Virginia), US East (Ohio) and Europe (Ireland) Regions.
Your management account is billed $60.625 per month for activities related to AWS Control Tower:
- $50.625 per month for AWS Config to record 16,875 configuration items (= 25 accounts X 15 resources X 3 Regions X 15 configuration state changes per resource per Region per account) at the rate of $0.003 per configuration item.
- $10.00 per month for AWS Config to perform 10,000 rule evaluations (= 5 guardrails X 2,000 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).
You will also incur a one-time charge of $22.50 for AWS Config to record 5,625 configuration items and 5,625 rule evaluations (= 25 accounts X 15 resources X 3 Regions X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item). In addition, your management account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.
You can refer to the pricing pages for individual AWS services for details.
Pricing example 4: Customer with ephemeral workloads on AWS
In addition to the examples above, which cover AWS Control Tower setup and usage profiles, customers with significant ephemeral workloads may see an increase in AWS Config costs.
An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include EC2 spot instances, Amazon EMR jobs, and AWS Auto Scaling. If you are running ephemeral workloads from accounts in AWS Control Tower, you may see an increase in costs from AWS Config as it records configuration changes associated with creating and deleting these temporary resources.
With AWS Config, you are charged based on the number of:
- Configuration items recorded.
- Active AWS Config rule evaluations.
- Conformance pack evaluations in your account.
You pay $0.003 per configuration item recorded in your AWS account per AWS Region. A configuration item (CI) is recorded whenever a resource undergoes a configuration change or a relationship change. The resource could be an AWS, third party, or custom resource. A relationship defines how a resource is related to other resources within an AWS account. If you are running ephemeral workloads, such as EC2 Spot Instances, Amazon EMR jobs, and AWS Auto Scaling, you may see an increase in costs associated with AWS Config.
For each ephemeral workload, the CIs are recorded as follows:
- 1 CI recorded for generating an ephemeral resource
- 1 CI recorded for deleting an ephemeral resource
For example, you are generating 10 EC2 resources. To take advantage of unused EC2 capacity, you generate 100 EC2 Spot Instances and 100 Auto Scaling resources to scale up and down, for each account, for each AWS Region, 10 times in 24 hours.
Number of CIs recorded for ephemeral workloads:
For EC2 Spot Instances:
- 100 EC2 Spot Instances for scaling up at any time during a 24-hour period = 100 CIs
- 100 EC2 Spot Instances for scaling down at any time during a 24-hour period = 100 CIs
- Total CIs generated = (100 + 100) X 10 times in 24 hours = 2,000 CIs for each account, for each Region, in 24 hours
For AWS Auto Scaling:
- 100 AWS Auto Scaling resources for scaling up at any time during a 24-hour period = 100 CIs
- 100 AWS Auto Scaling resources for scaling down at any time during a 24-hour period = 100 CIs
- Total CIs generated = (100 + 100) X 10 times in 24 hours = 2,000 CIs for each account, for each Region, in 24 hours
Cost of CIs recorded because of ephemeral workload changes:
- 4,000 CIs X $0.003 = $12 for each account, for each Region, per day
- $12 per day X 31 days = $372 for each account, for each Region, per month
When running resources in Control Tower, there are no additional costs for Control Tower itself. Any additional costs are related to the ephemeral workloads, the changes associated with them, and the CIs generated by AWS Config. Ephemeral workloads are priced the same by AWS Config, in or outside Control Tower.
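The usage profiles in examples 2, 3 and 4 are instances of one formula: accounts X resources per Region X Regions gives the number of recorded resources, AWS Config charges per configuration item and per rule evaluation on top of that, and CloudTrail charges per management event. The Python below is an added example, not an AWS calculator and not code from this page; it uses only the unit rates quoted above and reproduces the itemized figures of those three examples. The `Footprint` type, the function names and the per-guardrail evaluation parameter are assumptions made for the illustration, and the model rejects evaluation counts beyond the first 100,000 because the page quotes no rate past that tier.

```python
"""Cost model for the AWS Config and AWS CloudTrail charges in the Control Tower
pricing examples. Added illustration, not AWS's own calculator: the unit rates
are the ones quoted on the page; the Footprint type, function names and
parameter layout are assumptions."""
from dataclasses import dataclass
from decimal import Decimal

# Unit rates quoted on the page.
CI_RATE = Decimal("0.003")                        # per configuration item (CI) recorded
EVAL_RATE = Decimal("0.001")                      # per rule evaluation, first 100,000 only
TRAIL_RATE = Decimal("2.00") / Decimal(100_000)   # per CloudTrail management event
EVAL_TIER_LIMIT = 100_000                         # the page quotes no rate past this


@dataclass(frozen=True)
class Footprint:
    """Resources under AWS Config recording: accounts X resources per Region X Regions."""
    accounts: int
    resources_per_region: int
    regions: int

    def resources(self) -> int:
        return self.accounts * self.resources_per_region * self.regions


def evaluation_charge(evaluations: int) -> Decimal:
    """Rule-evaluation charge at the first-tier rate. Counts past the tier are
    rejected instead of being silently priced at a rate the page does not give."""
    if evaluations > EVAL_TIER_LIMIT:
        raise ValueError(f"rate quoted only for the first {EVAL_TIER_LIMIT:,} evaluations")
    return evaluations * EVAL_RATE


def provisioning_charge(fp: Footprint, cloudtrail_events: int) -> dict:
    """One-time charge when accounts are provisioned and resources created:
    one CI per resource plus the CloudTrail management events recorded."""
    config = fp.resources() * CI_RATE
    trail = cloudtrail_events * TRAIL_RATE
    return {"config_items": config, "cloudtrail": trail, "total": config + trail}


def initial_guardrail_charge(fp: Footprint, detective_guardrails: int) -> Decimal:
    """One-time charge when detective guardrails first evaluate every resource:
    one CI and one rule evaluation per resource per guardrail."""
    count = fp.resources() * detective_guardrails
    return count * CI_RATE + evaluation_charge(count)


def monthly_charge(fp: Footprint, state_changes_per_resource: int,
                   detective_guardrails: int, evals_per_guardrail: int) -> dict:
    """Recurring monthly charge: CIs for configuration state changes plus the
    evaluations the detective guardrails run. evals_per_guardrail is each
    guardrail's monthly total across all accounts and Regions (an assumption
    about how to parametrise the page's figures)."""
    config = fp.resources() * state_changes_per_resource * CI_RATE
    evals = evaluation_charge(detective_guardrails * evals_per_guardrail)
    return {"config_items": config, "rule_evaluations": evals, "total": config + evals}


def ephemeral_daily_cis(resources_per_cycle: int, cycles_per_day: int) -> int:
    """Each ephemeral resource yields one CI on creation and one on deletion."""
    return 2 * resources_per_cycle * cycles_per_day


def ephemeral_charge(resource_counts: list, cycles_per_day: int, days: int = 31) -> dict:
    """Per-account, per-Region Config cost of scale-up/scale-down churn, e.g.
    [100 Spot Instances, 100 Auto Scaling resources] cycled 10 times a day."""
    cis_per_day = sum(ephemeral_daily_cis(n, cycles_per_day) for n in resource_counts)
    per_day = cis_per_day * CI_RATE
    return {"cis_per_day": cis_per_day, "per_day": per_day, "per_month": per_day * days}


if __name__ == "__main__":
    small = Footprint(accounts=10, resources_per_region=5, regions=1)   # example 2
    large = Footprint(accounts=25, resources_per_region=15, regions=3)  # example 3
    print("example 2 one-time setup:", provisioning_charge(small, cloudtrail_events=8_000)["total"])
    print("example 3 monthly:", monthly_charge(large, 15, 5, 2_000)["total"])
    print("example 4 per month:", ephemeral_charge([100, 100], cycles_per_day=10)["per_month"])
```

Running the file prints the totals for the page's own profiles; change the `Footprint` fields or the churn counts to estimate a landing zone of your own. The model covers only the charges the page itemizes (configuration items, rule evaluations and CloudTrail management events); Amazon S3, SNS, CloudWatch and Service Catalog usage charges are outside it, as are any pricing tiers the page does not quote.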