AWS Cloud Operations Blog
Cost Optimization recommendations for AWS Config
In this post, we’ll walk you through the various best practices and recommendations for optimizing AWS Config costs. It also provides technical guidance on reviewing the rules and the recorder, deleting or removing rules that aren’t needed, and then editing the Settings of Config, specifically the “Resource types to record”, down to the types for which you need the most protection.
Cost optimization is one of the pillars of the AWS Well-Architected Framework (AWS WAF), and it’s a continual process of refinement and improvement over the span of a workload’s lifecycle. AWS enables you to take control of cost and continuously optimize your spend while building modern, scalable applications to meet your needs. Customers have many options within AWS to help them reduce costs, as well as to build applications that use resources more effectively. AWS is dedicated to helping customers achieve the highest saving potential by offering extensive service and pricing options that provide the flexibility to manage costs effectively while still maintaining the required performance and capacity.
AWS Config pricing
With AWS Config, you are charged based on the following:
- The number of configuration items recorded
A configuration item is a record of the configuration state of a resource in your AWS account.
- The number of active AWS Config rule evaluations (every time a rule is evaluated).
- The number of conformance pack evaluations in your account.
You can find detailed AWS Config pricing examples here.
How to identify the resources with the most configuration changes in AWS Config
To reduce the costs for AWS Config, you must identify which resources are contributing to your AWS Config spend.
- You can use Amazon CloudWatch metrics to verify your setup and understand your usage of AWS Config.
- You can also use Amazon Athena to understand your usage of AWS Config. Follow this blog post that provides steps to create Amazon Athena queries for you to find out the top resources contributing to your AWS Config costs.
Possible opportunities for optimizing AWS Config costs
- Consider recording only the specific resource types that you would like to track based on your compliance and security requirements. Follow the steps here to record specific resource types.
- Record global resources such as AWS Identity and Access Management (IAM) resources only in the required Region. Deploying controls (rules) to evaluate IAM in one AWS Region is sufficient to get the compliance state of the IAM resources, so you can avoid deploying IAM controls in all AWS Regions. To stop recording global resources in the other Regions:
  - From the AWS Config console page, select Settings from the left-hand side menu.
  - Click on Edit and unselect the checkbox “Include global resources” as shown in Figure 2: Settings – Include global resources.
- The data retention period is set to seven years by default, but you can change it to any period that fits your compliance needs:
  - From the AWS Config console page, select Settings from the left-hand side menu.
  - Click on Edit and select “Set a custom retention period for configuration items recorded by AWS Config” under the Data retention period section, as shown in Figure 3: Settings – Data retention period, and change Custom data retention period (days) as per your compliance needs.
- Set lifecycle policies for the Amazon Simple Storage Service (Amazon S3) bucket configured for the delivery method of AWS Config.
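The recorder, retention and S3 lifecycle recommendations above can be expressed as API payloads and checked before they are applied. The following is an added example, not code from the blog post or from AWS: the function names, the `RecordingClient` stand-in (which records calls instead of making them, so the block runs offline) and the sample resource types, ARNs and bucket name are constructed; the request field names are those of the boto3 `config` and `s3` clients, and the 30 to 2557 day retention range is the service limit. Dropping IAM types outside a designated home Region implements the “record global resources in one Region only” recommendation, and the lifecycle helper refuses to expire delivered history sooner than Config itself retains configuration items.

```python
"""Cost-conscious AWS Config recorder settings, built as API payloads.

Added example (not code from the AWS blog post). The function names, the
RecordingClient stand-in and the sample values are assumptions; the request
field names are those of the boto3 ``config`` and ``s3`` clients.
"""
from __future__ import annotations

# AWS Config accepts a custom retention period of 30 to 2557 days (7 years).
MIN_RETENTION_DAYS = 30
MAX_RETENTION_DAYS = 2557

# Resource types that are global rather than Regional; IAM is the case the
# post discusses. Recording them in every Region duplicates the same change.
GLOBAL_RESOURCE_PREFIXES = ("AWS::IAM::",)


def recording_group(resource_types: list[str], home_region: bool) -> dict:
    """Recording group that tracks only the listed resource types.

    In every Region except the designated home Region, global types are
    dropped so each IAM change is recorded once, not once per Region.
    """
    if not resource_types:
        raise ValueError("record at least one resource type")
    selected = sorted({
        rt for rt in resource_types
        if home_region or not rt.startswith(GLOBAL_RESOURCE_PREFIXES)
    })
    return {
        "allSupported": False,                # do not record every supported type
        "includeGlobalResourceTypes": False,  # only meaningful with allSupported=True
        "resourceTypes": selected,
    }


def retention_configuration(days: int) -> dict:
    """PutRetentionConfiguration payload, validated against the service limits."""
    if not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
        raise ValueError(
            f"retention must be {MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS} days, got {days}")
    return {"RetentionPeriodInDays": days}


def delivery_bucket_lifecycle(prefix: str, expire_after_days: int,
                              retention_days: int, archive_after_days: int = 90) -> dict:
    """S3 lifecycle rule for the bucket AWS Config delivers history and snapshots to.

    Objects move to Glacier after ``archive_after_days`` and are deleted after
    ``expire_after_days``. Expiring them sooner than Config's own retention
    period would leave the delivered audit trail shorter than the service
    history, so that combination is rejected.
    """
    if expire_after_days < retention_days:
        raise ValueError("S3 expiration is shorter than the Config retention period")
    if archive_after_days >= expire_after_days:
        raise ValueError("archive transition must happen before expiration")
    return {"Rules": [{
        "ID": "expire-config-history",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": archive_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": expire_after_days},
    }]}


class RecordingClient:
    """Constructed stand-in for a boto3 client: records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def __getattr__(self, api: str):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return {}
        return call


def apply_settings(config_client, s3_client, *, recorder_name: str, role_arn: str,
                   resource_types: list[str], home_region: bool, retention_days: int,
                   bucket: str, expire_after_days: int) -> None:
    """Push the three settings through boto3-style clients (real or the stand-in)."""
    config_client.put_configuration_recorder(ConfigurationRecorder={
        "name": recorder_name,
        "roleARN": role_arn,
        "recordingGroup": recording_group(resource_types, home_region),
    })
    config_client.put_retention_configuration(**retention_configuration(retention_days))
    s3_client.put_bucket_lifecycle_configuration(
        Bucket=bucket,
        LifecycleConfiguration=delivery_bucket_lifecycle(
            "AWSLogs/", expire_after_days, retention_days),
    )


def demo() -> list[tuple[str, dict]]:
    """Run the settings against the stand-in for a non-home Region (constructed values)."""
    config, s3 = RecordingClient(), RecordingClient()
    apply_settings(
        config, s3,
        recorder_name="default",
        role_arn="arn:aws:iam::123456789012:role/PLACEHOLDER-config-role",
        resource_types=["AWS::IAM::Role", "AWS::EC2::Instance", "AWS::S3::Bucket"],
        home_region=False,
        retention_days=365,
        bucket="PLACEHOLDER-config-delivery-bucket",
        expire_after_days=400,
    )
    return config.calls + s3.calls


if __name__ == "__main__":
    for api, kwargs in demo():
        print(api, kwargs)
```

To apply the settings for real, pass `boto3.client("config")` and `boto3.client("s3")` in place of the stand-ins; with `home_region=True` in exactly one Region the IAM types are kept there and dropped everywhere else.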
- Avoid the duplication of rules by customizing AWS Conformance packs.
A conformance pack sample template might contain the same rules as another sample conformance pack. This duplication can also happen if you’re using a security standard from AWS Security Hub.
For example, the PCI DSS Standard enables a rule to check that AWS CloudTrail is enabled [PCI.CloudTrail.2]. That control is present in many of the sample conformance pack templates. If Security Hub is already evaluating that control, then you should remove it from the conformance pack.
- Ensure judicious usage of the Delete results and Re-evaluate functionalities for your Config rules to avoid a spike in AWS Config billing.
Whenever you Delete results (DeleteEvaluationResults API) and Re-evaluate (StartConfigRulesEvaluation API) a Config rule, a new configuration item is created for each resource of that rule’s resource type to record the latest compliance state. This can increase your AWS Config configuration item recording costs if these actions are called on a frequent basis. Follow the steps here to understand how to Delete results and here to Re-evaluate.
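Automation that wraps these two APIs is where the spike usually comes from: a job that re-evaluates a rule every hour creates a fresh set of configuration items every hour. The following guard is an added example, not code from the blog post or from AWS: the `ReevaluationGuard` class, the `FakeConfigClient` stand-in and the injected clock are constructed so the block runs offline; the method names `delete_evaluation_results` and `start_config_rules_evaluation` are the boto3 Config client’s. The guard remembers when each rule was last re-evaluated, refuses calls that arrive before the minimum interval has passed, and records every refusal so the skip is visible to the operator.

```python
"""Throttle for DeleteEvaluationResults / StartConfigRulesEvaluation.

Added example (not code from the AWS blog post). The ReevaluationGuard class,
the FakeConfigClient stand-in and the injected clock are assumptions; the
method names delete_evaluation_results and start_config_rules_evaluation are
the boto3 Config client's.
"""
from __future__ import annotations

import time


class ReevaluationGuard:
    """Refuse to re-evaluate a rule more often than ``min_interval_s`` seconds.

    Each re-evaluation (and each DeleteEvaluationResults before it) produces a
    new configuration item per resource the rule covers, so automation that
    calls these APIs in a loop inflates the configuration-item bill. The guard
    keeps the last accepted time per rule and skips calls that arrive too
    soon, recording the skip so the operator can see it happened.
    """

    def __init__(self, client, min_interval_s: int = 24 * 3600, clock=time.monotonic) -> None:
        self.client = client
        self.min_interval_s = min_interval_s
        self.clock = clock
        self.last_run: dict[str, float] = {}   # rule name -> time of last accepted call
        self.skipped: list[str] = []           # rule names whose re-evaluation was refused

    def reevaluate(self, rule_name: str, delete_results: bool = False) -> bool:
        """Return True if the API calls were made, False if throttled."""
        now = self.clock()
        last = self.last_run.get(rule_name)
        if last is not None and now - last < self.min_interval_s:
            self.skipped.append(rule_name)
            return False
        if delete_results:
            # Clears stored compliance results; the next evaluation rebuilds them.
            self.client.delete_evaluation_results(ConfigRuleName=rule_name)
        self.client.start_config_rules_evaluation(ConfigRuleNames=[rule_name])
        self.last_run[rule_name] = now
        return True


class FakeConfigClient:
    """Constructed stand-in for a boto3 Config client: records calls, makes none."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def __getattr__(self, api: str):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return {}
        return call


def demo() -> tuple[int, int]:
    """Simulate a job that re-evaluates the same rule every hour for a day."""
    now = [0.0]                       # fake clock, advanced by hand
    client = FakeConfigClient()
    guard = ReevaluationGuard(client, min_interval_s=24 * 3600, clock=lambda: now[0])
    for hour in range(24):
        now[0] = hour * 3600.0
        guard.reevaluate("PLACEHOLDER-cloudtrail-enabled", delete_results=True)
    api_calls = len(client.calls)     # one delete + one start, both at hour 0
    return api_calls, len(guard.skipped)


if __name__ == "__main__":
    print(demo())
```

With a real `boto3.client("config")` the guard behaves the same way; choose `min_interval_s` to match the periodic frequency you would accept for the rule, since a re-evaluation is in effect an extra scheduled run.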
- AWS Config rules are triggered based on their trigger type. The following trigger types are supported by AWS Config rules:
  - Period Changes: rules with this trigger type are evaluated at the specified frequency. Choosing a high value (24 Hours is the maximum) lengthens the interval between subsequent rule evaluations and therefore reduces the costs incurred by evaluating these rules.
  - Configuration Changes: first, you must understand when a rule is evaluated if the trigger type is set to “Configuration Changes” and how the configuration items (CIs) are generated. AWS Config records changes not only for the supported resources, but also for the resources that are related to the supported resources. Therefore, the more configuration changes there are to the “supported” and/or “related” resources, the more CIs are generated, which ultimately leads to more costs.
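Both the duplicate-rule problem described under the conformance pack recommendation and the trigger-type discussion above can be checked from a single `DescribeConfigRules` response. The following is an added example, not code from the blog post or from AWS: the sample response, the rule names, the placeholder Lambda ARN and the helper functions are constructed; the field names (`ConfigRuleName`, `Source`, `SourceIdentifier`, `SourceDetails`, `MessageType`, `MaximumExecutionFrequency`) and the frequency values are those of the AWS Config API. A rule that carries a `MaximumExecutionFrequency` (or a `ScheduledNotification` source detail) is what the text calls a Period Changes rule; the report lists those running more often than every 24 hours with an upper bound on their monthly evaluations, and lists managed rules deployed more than once under different names.

```python
"""Find rule-evaluation cost drivers in a DescribeConfigRules response.

Added example (not code from the AWS blog post). The sample response, the
rule names and the helper functions are constructed; the response field
names (ConfigRuleName, Source, SourceIdentifier, SourceDetails, MessageType,
MaximumExecutionFrequency) are those returned by the AWS Config API.
"""
from __future__ import annotations

from collections import defaultdict

# Allowed values of MaximumExecutionFrequency, in hours.
FREQUENCY_HOURS = {
    "One_Hour": 1, "Three_Hours": 3, "Six_Hours": 6,
    "Twelve_Hours": 12, "TwentyFour_Hours": 24,
}
HOURS_PER_MONTH = 24 * 30   # approximation used for the estimate below

# Constructed DescribeConfigRules output: two packs deploying the same managed
# rule, one change-triggered managed rule, one scheduled custom Lambda rule.
SAMPLE_RESPONSE = {"ConfigRules": [
    {"ConfigRuleName": "pci-cloudtrail-enabled",
     "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"},
     "MaximumExecutionFrequency": "One_Hour"},
    {"ConfigRuleName": "cis-cloudtrail-enabled",
     "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"},
     "MaximumExecutionFrequency": "TwentyFour_Hours"},
    {"ConfigRuleName": "s3-public-read-prohibited",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}},
    {"ConfigRuleName": "custom-tag-check",
     "Source": {"Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:REGION:ACCOUNT_ID:function:PLACEHOLDER-tag-check",
                "SourceDetails": [{"EventSource": "aws.config",
                                   "MessageType": "ScheduledNotification",
                                   "MaximumExecutionFrequency": "Three_Hours"}]}},
]}


def trigger_profile(rule: dict) -> tuple[str, str | None]:
    """Classify a rule as ("Periodic", frequency) or ("Configuration Changes", None).

    A rule is periodic if it carries a top-level MaximumExecutionFrequency or a
    SourceDetails entry of type ScheduledNotification; anything else only runs
    when a configuration item for a covered resource is recorded.
    """
    details = rule.get("Source", {}).get("SourceDetails", [])
    scheduled = [d for d in details if d.get("MessageType") == "ScheduledNotification"]
    frequency = rule.get("MaximumExecutionFrequency")
    if frequency is None and scheduled:
        frequency = scheduled[0].get("MaximumExecutionFrequency")
    if frequency is not None or scheduled:
        return "Periodic", frequency
    return "Configuration Changes", None


def evaluations_per_month(frequency: str) -> int:
    """Upper bound on scheduled evaluations of one rule in a 30-day month."""
    return HOURS_PER_MONTH // FREQUENCY_HOURS[frequency]


def frequent_periodic_rules(response: dict, max_hours: int = 24) -> list[tuple[str, str, int]]:
    """Periodic rules that run more often than every ``max_hours`` hours."""
    found = []
    for rule in response["ConfigRules"]:
        kind, frequency = trigger_profile(rule)
        if kind == "Periodic" and frequency and FREQUENCY_HOURS[frequency] < max_hours:
            found.append((rule["ConfigRuleName"], frequency, evaluations_per_month(frequency)))
    return found


def duplicate_source_rules(response: dict) -> dict[str, list[str]]:
    """Rules that share a SourceIdentifier, e.g. the same managed rule deployed twice."""
    by_source: dict[str, list[str]] = defaultdict(list)
    for rule in response["ConfigRules"]:
        by_source[rule["Source"]["SourceIdentifier"]].append(rule["ConfigRuleName"])
    return {src: names for src, names in by_source.items() if len(names) > 1}


if __name__ == "__main__":
    for name, freq, per_month in frequent_periodic_rules(SAMPLE_RESPONSE):
        print(f"{name}: {freq} -> up to {per_month} evaluations/month; consider TwentyFour_Hours")
    for src, names in duplicate_source_rules(SAMPLE_RESPONSE).items():
        print(f"{src} deployed {len(names)} times: {', '.join(names)}")
```

Against a real account, replace `SAMPLE_RESPONSE` with the pages of `boto3.client("config").describe_config_rules()`; the duplicate check is by `SourceIdentifier`, so it catches the same managed rule deployed by two conformance packs under different names but not a Security Hub control, which is evaluated by Security Hub rather than appearing as a Config rule of yours.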
AWS Budgets alerts are very useful for being notified when the actual or forecast monthly costs go above a predefined threshold. Importantly, this is done for each service independently, so changes are easier to spot. Refer here for more information on configuring AWS Budgets alerts.
AWS Cost Anomaly Detection continuously monitors your costs to detect unusual spend. This helps overcome a reliance on budget alerts alone, for example in accounts with big spend, where an increase in one area could be dwarfed by the normal variation in spend across the entire account. Refer here for more information. You can select the “Linked Account” option under the Monitor types of “Cost Anomaly Detection” to monitor the total spend for all of the accounts using AWS Config.
Conclusion
In this post, we demonstrated how to optimize your AWS Config configuration to help you control costs while keeping your audit and evaluation requirements in place. Choosing the right configuration for your resources can have a real impact on cost. Hopefully this post has highlighted some options to help with AWS Config best practices and recommendations regarding cost optimization.
About the authors: