AWS
FinOps

Understanding AWS Config Cost

Yevgeny Pats

Yevgeny Pats

AWS Config gives you a way to assess, evaluate and audit AWS configuration resources with an SQL-like interface. This is super useful, especially when the number of accounts is starting to grow and observability becomes key for governance, security, operations, and cost. But as always, you need to read the fine print, or in this case, the hidden costs of the AWS Config service. In this blog, we will go into how much it costs, how to reduce your costs, and what other 30x cheaper alternative you can explore (Ahem, CloudQuery).

What is AWS Config? #

You can think of AWS Config as a time-series database that ingests resources from AWS APIs (we are talking about configuration metadata), transforms them, and saves them into a data table. In the AWS Config UI, you can then query this table with an SQL-like interface as AWS doesn’t expose the raw database.

AWS Config Pricing #

AWS Config pricing is determined by the number of recorded configuration items and the number of rule and conformance pack evaluations. The more evaluations you perform, the lower the cost per evaluation becomes, which can help manage expenses as your usage increases.
This section provides an overview of how AWS charges for the various components of AWS Config.

Items Recorded #

When using AWS Config, you’ll be charged for recording the configuration items of your resources. There are two modes: continuous and periodic. Continuous mode records change as they happen and cost $0.003 per item. Periodic mode records change at set intervals and cost $0.012 per item.
Resource in Continuous ModeResource in Periodic Mode
$0.003$0.012

Config Rules #

AWS Config uses rules to evaluate your resource configurations. The cost depends on the number of rule evaluations per region. For the first 100,000 evaluations, it costs $0.001 per evaluation. If you have between 100,001 and 500,000 evaluations, the price drops to $0.0008 per evaluation. For anything over 500,000 evaluations, the cost further decreases to $0.0005 per evaluation.
AWS Config rules evaluationsPrice
First 100,000 rule evaluations$0.001 per rule evaluation per region
Next 400,000 rule evaluations (100,001-500,000)$0.0008 per rule evaluation per region
500,001 and more rule evaluations$0.0005 per rule evaluation per region

Conformance Packs #

Conformance packs are collections of AWS Config rules. The pricing for evaluating these packs is similar to the rule evaluations. The first 100,000 evaluations cost $0.001 per evaluation per region. For the next 400,000 evaluations (from 100,001 to 500,000), the cost is $0.0008 per evaluation. If you go beyond 500,000 evaluations, the price is reduced to $0.0005 per evaluation.
Conformance pack evaluationsPrice
First 100,000 conformance pack evaluations$0.001 per conformance pack evaluation per Region
Next 400,000 conformance pack evaluations (100,001-500,000)$0.0008 per conformance pack evaluation per Region
500,001 and more conformance pack evaluations$0.0005 per conformance pack evaluation per Region
So let’s break it down and see how and why it can add up REALLY quickly.

Why AWS Config can get expensive #

Let’s say we are not using any rules; we just use it strictly for observability, so we are only charged for recorded items. Now we have two options: periodic scans or continuous mode.
If we go with periodic, we are charged $0.012/resource (!) or $12 per 1,000 resources (!), just for one scan. Let’s say you run it daily: you are charged $360/month/1000 resources. To put it in perspective, resources can be anything from EC2, S3 bucket to VPC, IP to configuration items. With one million resources (which is not far-fetched for any medium-size companies), you are looking at a $360,000 monthly bill, and this is just to see what resources you have. 💸
So you are saying, wait? You are using AWS Config all wrong - use the continuous mode, it is much cheaper, and it’s all real-time, right? Wrong :) Let’s dive in:
So let’s look at the previous example where we have one million resources. Before starting the continuous mode, AWS Config needs to record the initial snapshot. This will be an initial 0.003*1,000,000=$3,000. It sounds much better than the previous quote. But there is a catch! Now, ANY change done to a resource will cost us $0.003. Using the previous method, we were bound by the number of resources and number of times a month we ran the job. Now, AWS Config is constantly listening to events, from anything like shutting down an EC2 machine to updating a configuration. This can quickly balloon to a million or more changes a day, so let’s do one million changes per day, and we will be looking at $3,000/day or $90,000 a month. Now I don’t want to think about a scenario where a developer had a bug in one of their Terraform or Python scripts that infinitely updates some random VPC settings in one of the accounts :) Or like in this case you have a service that is stuck in a restart loop.
I don't know about you, but for me, a $100,000 to $360,000 per month bill is a lot of money.

Conformance Pack #

To save some time calculating, this will largely be the same as configuration rules.

How to Optimize AWS Config Costs #

So how do we get visibility into what we have in all our AWS accounts in all regions, running SQL queries and not racking up $500k/month bills? There are different ways to exclude some resources or only monitor low-count resources but overall, the stakes will be high as any mistake is costly. And there is really no good way of recording all the data without racking up that bill in AWS Config (at least at the time of writing). But there is another solution: taking a classic data ELT (Extract-Load-Transform) approach with CloudQuery.
With the CloudQuery AWS Plugin you can extract metadata and configuration from more than 1,000 AWS APIs to any supported destinations such as PostgreSQL, Snowflake, BigQuery, DuckDB, MotherDuck and others.
Calling AWS Read APIs doesn’t incur additional cost and writing the database to a data warehouse gives you full SQL control, the ability to connect it to any BI system you have, and in general gives you full flexibility to analyze your data.
CloudQuery solves the problem of analyzing your cloud assets with greater control, and speed, but like anything good in life, it still costs something. So let’s check what costs it will incur:
CloudQuery plugins can run locally on your own Kubernetes or EC2, so it keeps all your data inside your AWS account and doesn’t incur 3rd party cloud or network costs.
CloudQuery plugins are priced by usage and cost $10/million rows. Going back to the previous example, let’s say we have a million resources and we want to sync them daily. This will result in a bill of $10 * 30 = $300/month.
Now let’s add a strong EC2 machine of type c6g.4xlarge with 16 vCPU and 32GB RAM. That will cost approximately $400/month (and this assumes constant usage which is not needed as you can run it for an hour or so just for the time of the sync).
Now let’s add a PostgreSQL RDS db.m4.xlarge with 4vCPU and 16GB RAM with Single AZ that will cost around $330/month. You can also go with something like BigQuery, Snowflake, Aurora, or Neon depending on your query workload, and potentially get the price even lower, as you won’t need the compute up and running and coupled with storage.
Now let’s add all that up, and we get $1300/month. This is a 30x price reduction, including all infrastructure costs, and you have a big room to make the database or ingestion compute stronger if needed.

Summary #

In this post, we showed how much AWS Config can cost and how to get around a 30x price reduction, for more flexible and performant capabilities than AWS Config. Depending on your spending and specific scenario, if similar to this case you will be able to save about $43k/month, or $516k/year. This will allow you to buy (or maybe just to rent) a new Yacht like in this picture:
Or maybe just reinvest it back in your business like in this picture:
Or anything else you think might be useful. Did you like the blog? Give CloudQuery a go here
Want to talk to someone from our team to see how we can help you? Book a call
Want to see step-by-step how to set up a cloud asset inventory for your AWS assets? Check out our post, Building an AWS Cloud Asset Inventory.
Ready to get started with CloudQuery? You can try out CloudQuery locally with our quick start guide or explore the CloudQuery Platform (currently in beta) for a more scalable solution.

Frequently Asked Questions #

Q: What is AWS Config? A: AWS Config is a service that allows you to assess, evaluate, and audit the configurations of your AWS resources using a SQL-like interface.
Q: How is AWS Config pricing determined? A: AWS Config pricing is based on the number of recorded configuration items and the number of rule and conformance pack evaluations.
Q: What are the costs for recording configuration items in AWS Config? A: In continuous mode, it costs $0.003 per item. In periodic mode, it costs $0.012 per item.
Q: How much do AWS Config rule evaluations cost? A: The first 100,000 evaluations cost $0.001 per evaluation. For evaluations between 100,001 and 500,000, the price drops to $0.0008 per evaluation. For evaluations above 500,000, the cost is $0.0005 per evaluation.
Q: What are conformance packs in AWS Config, and how are they priced? A: Conformance packs are collections of AWS Config rules. The pricing is similar to rule evaluations: $0.001 per evaluation for the first 100,000, $0.0008 for the next 400,000, and $0.0005 for evaluations over 500,000.
Q: Why can AWS Config become expensive? A: AWS Config can become expensive due to the costs associated with recording configuration items and evaluating rules or conformance packs, especially when dealing with a large number of resources or frequent changes.
Q: How can you optimize AWS Config costs? A: You can optimize AWS Config costs by using CloudQuery, which extracts metadata and configuration from AWS APIs and writes them to a data warehouse, significantly reducing costs compared to AWS Config.
Q: What are the benefits of using CloudQuery over AWS Config? A: CloudQuery offers greater control, speed, and flexibility in analyzing cloud assets. It can result in up to a 30x cost reduction, including infrastructure costs, compared to AWS Config.
Yevgeny Pats

Written by Yevgeny Pats

Yevgeny Pats is the Co-Founder & CEO at CloudQuery. Prior to establishing CloudQuery, he successfully founded and exited other startups. He has a background in software engineering and cybersecurity.

Turn cloud chaos into clarity

Find out how CloudQuery can help you get clarity from a chaotic cloud environment with a personalized conversation and demo.

Join our mailing list

Subscribe to our newsletter to make sure you don't miss any updates.

Legal

© 2024 CloudQuery, Inc. All rights reserved.

We use tracking cookies to understand how you use the product and help us improve it. Please accept cookies to help us improve. You can always opt out later via the link in the footer.