There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only pay for what you use, as you use it.

For example, if you edit the AWS Control Tower account factory configuration to enable public subnets when provisioning a new account, then account factory will configure Amazon VPC to create a NAT Gateway, and you will be billed for your usage by Amazon VPC. The following examples show how AWS Control Tower can influence the cost you incur by enabling other services.

Pricing example 1: Setting up AWS Control Tower

You set up AWS Control Tower with your home Region in the US East (N. Virginia) AWS Region. You do not apply any strongly recommended or elective guardrails, or create new accounts using account factory.

When you first set up AWS Control Tower in your master account, it provisions an account factory, creates 2 shared accounts (log archive and audit), and applies mandatory preventive and detective guardrails. The preventive guardrails, implemented as Service control policies (SCPs), are enforced globally, while the detective guardrails, implemented as AWS Config rules, are enabled in all AWS Regions that AWS Control Tower is currently available in.

Your master account is billed the following for activities related to AWS Control Tower:

  • A one-time charge of $0.033, that includes $0.009 for AWS Config to initially record 3 configuration items, at the rate of $0.003 per configuration item, and $0.002 for AWS Config to evaluate 2 rules, at the rate of $0.001 per evaluation (for the first 100,000 evaluations), with both charges related to the Amazon S3 bucket in the log-archive account, and $0.022 for AWS CloudTrail to record 1,100 events during the landing zone creation, at the rate of $2.00 per 100,000 management events.
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (8 API calls recorded to create a new portfolio, create the account factory product, and associate permissions), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts. For example, you are charged $0.023 per GB for Amazon S3 to store your log-archive bucket.

You can refer to the pricing pages for individual AWS services for details. 

Pricing example 2: Customer with a smaller usage profile on AWS

After setting up your landing zone in pricing example #1, you provision 10 new accounts for use by your teams, and you create 5 resources in each new account. In accordance with your business policies, you decide to host resources and run operations in a single AWS Region, for example, US East (N. Virginia), and you do not operate in any other AWS Region. You also enable 2 strongly-recommended preventive guardrails on your new accounts.

Your master account is billed for the following activities related to AWS Control Tower:

  • A one-time charge of $0.31, that includes $0.15 for AWS Config to record 50 configuration items (= 10 accounts X 5 resources X 1 Region) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item), and $0.16 for AWS CloudTrail to record 8,000 events when AWS Control Tower enables 2 preventive guardrails and account factory provisions 10 new accounts, at the rate of $2.00 per 100,000 management events.
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (100 API calls recorded when account factory provisions 10 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

After provisioning new accounts and creating resources in the accounts, you enable 5 strongly-recommended detective guardrails in all 10 accounts and across all Regions where Control Tower is currently available. In addition, each of your resources undergoes 10 configuration state changes per month, and each strongly-recommended detective guardrail invokes a total of 250 rule evaluations per month across all your accounts. You continue to host resources and run operations in the US East (N. Virginia) Region.

Your master account is billed $3.75 per month for the following activities related to AWS Control Tower:

  • $1.50 per month for AWS Config to record 500 configuration items (= 10 accounts X 5 resources X 1 Region X 10 configuration state changes per resource per Region per account), at the rate of $0.003 per configuration item, 
  • $1.25 per month for AWS Config to perform 1,250 rule evaluations (= 5 guardrails X 1 Region X 250 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You will also incur a one-time charge of $1.00 for AWS Config to record 250 configuration items and 250 rule evaluations (=10 accounts X 5 resources X 1 Region X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item). 

In addition, your master account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

You can refer to the pricing pages for individual AWS services for details.

Pricing example 3: Customer with a larger usage profile on AWS

After setting up your landing zone in pricing example #1, you provision 25 new accounts for use by your teams, and, in each new account, you create 15 resources in each Region that you operate in. In accordance with your business policies, you decide to host resources and run operations in 3 AWS Regions – for example, your home Region of US East (N. Virginia), and 2 other Regions, US East (Ohio) and Europe (Ireland), and you do not operate in any other AWS Region. You also enable 2 strongly-recommended preventive guardrails on your new accounts.

Your master account is billed the following for activities related to AWS Control Tower:

  • A one-time charge of $3.775, that includes $3.375 for AWS Config to record 1,125 configuration items (= 25 accounts X 15 resources X 3 Regions) at the rate of $0.003 per configuration item (assuming that each resource creates 1 configuration item), and $0.40 for AWS CloudTrail to record 20,000 events when AWS Control Tower enables 2 preventive guardrails and account factory provisions 25 new accounts, at the rate of $2.00 per 100,000 management events.
  • Additional applicable charges for resources such as AWS CloudTrail, AWS Service Catalog (250 API calls recorded when account factory provisions 25 new accounts), Amazon CloudWatch, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts.

After provisioning new accounts and creating resources in the accounts, you enable 5 strongly-recommended detective guardrails in all 25 accounts and across all Regions where Control Tower is available. In addition, each of your resources undergoes 15 configuration state changes per month, and each strongly-recommended detective guardrail invokes a total of 2,000 rule evaluations per month across all your accounts and in all Regions that you operate in. You continue to host resources and run operations in the US East (N. Virginia), US East (Ohio) and Europe (Ireland) Regions.

Your master account is billed $60.625 per month for activities related to AWS Control Tower:

  • $50.625 per month for AWS Config to record 16,875 configuration items (= 25 accounts X 15 resources X 3 Regions X 15 configuration state changes per resource per Region per account) at the rate of $0.003 per configuration item. 
  • $10.00 per month for AWS Config to perform 10,000 rule evaluations (= 5 guardrails X 2,000 rule evaluations per guardrail) at the rate of $0.001 per evaluation (for the first 100,000 evaluations).

You will also incur a one-time charge of $22.50 for AWS Config to record 5,625 configuration items and 5,625 rule evaluations (= 25 accounts X 15 resources X 3 Regions X 5 guardrails, for both) when the guardrails initially evaluate the resources in your accounts (assuming that each resource creates 1 configuration item). In addition, your master account is billed for additional applicable charges for resources such as AWS CloudTrail, Amazon CloudWatch, AWS Service Catalog, Amazon S3, Amazon SNS, AWS Config, and other services depending on your activity in all your accounts. 

You can refer to the pricing pages for individual AWS services for details.

Additional pricing resources

TCO Calculator

Calculate your total cost of ownership (TCO)

AWS Pricing Calculator

Easily calculate your monthly costs with AWS

Economics Resource Center

Additional resources for switching to AWS

Next-Steps-Icon_Product-page
Get an overview of AWS Control Tower
See overview 
Next-Steps-Icon_Tutorial
Discover AWS Control Tower features
Learn more 
AWS Marketplace
Discover solutions for AWS Control Tower on AWS Marketplace
Learn more