AWS Cloud Operations Blog

Cost Optimization recommendations for AWS Config

In this post, we walk you through best practices and recommendations for optimizing AWS Config costs. It also provides technical guidance on reviewing your rules and the configuration recorder, removing rules that are not needed, and editing the AWS Config settings, specifically the "Resource types to record", so that you record only the resource types for which you need the most protection.

Cost optimization is one of the pillars of the AWS Well-Architected Framework, and it is a continual process of refinement and improvement over the lifecycle of a workload. AWS lets you take control of cost and continuously optimize spend while building modern, scalable applications to meet your needs. Customers have many options within AWS to reduce costs and to build applications that use resources more effectively. AWS offers extensive service and pricing options that provide the flexibility to manage costs effectively while still maintaining the required performance and capacity.

AWS Config pricing

With AWS Config, you are charged based on the following:

1) The number of configuration items recorded

A configuration item is a point-in-time record of the configuration state of a resource in your AWS account; one is recorded each time AWS Config detects a change to a recorded resource.

2) The number of active AWS Config rule evaluations (every time a rule is evaluated).

3) The number of conformance pack evaluations in your account.

You can find detailed AWS Config pricing examples here.

How to identify the resources with the most configuration changes in AWS Config

To reduce AWS Config costs, you must first identify which resources contribute most to the AWS Config spend.

1) Use Amazon CloudWatch metrics to verify your setup and understand your usage of AWS Config. AWS Config publishes the ConfigurationItemsRecorded metric in the AWS/Config namespace with a ResourceType dimension, which is the signal used below.

a) Create a CloudWatch dashboard that shows the top 10 AWS Config resource types with the highest volume of configuration items, using the steps mentioned in this blog post.

Figure 1: Amazon CloudWatch graph showing top 10 configuration items recorded

b) With the noisiest resource types identified, open the AWS Config settings. Under the Resource type section, open the pull-down list and select the resource types you would like to exclude from recording. You can select multiple resource types to exclude.

Based on the CloudWatch dashboard, we will look at the options for saving costs on the top configuration item types being captured:

  • Global Resources
  • Recording Frequency
  • Exclusion of Resources

2) This post demonstrates the steps to create Amazon Athena queries that find the top resources contributing to your AWS Config costs.
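
The dashboard in Figure 1 can also be produced from the command line. The following script is an added example, not code from the original post: it lists every ResourceType dimension CloudWatch has seen for the AWS/Config ConfigurationItemsRecorded metric, fetches daily sums for the last 30 days with GetMetricData, and ranks the resource types by total. The ranking is a pure function so it can be checked against a constructed response without an AWS account; the live query needs boto3 and cloudwatch:ListMetrics / cloudwatch:GetMetricData permissions.

```python
"""Rank AWS Config resource types by configuration items recorded.

Added example (not from the original post). Uses the AWS/Config
ConfigurationItemsRecorded metric, per ResourceType dimension, to find the
resource types that generate the most configuration items.
"""
from datetime import datetime, timedelta, timezone

try:
    import boto3  # only needed for the live query in main()
except ImportError:
    boto3 = None

NAMESPACE = "AWS/Config"
METRIC = "ConfigurationItemsRecorded"


def list_recorded_resource_types(cloudwatch):
    """Every ResourceType value CloudWatch has a ConfigurationItemsRecorded
    series for. ListMetrics only returns metrics with data in roughly the
    last two weeks, so types that went quiet earlier will not appear."""
    types = set()
    for page in cloudwatch.get_paginator("list_metrics").paginate(
            Namespace=NAMESPACE, MetricName=METRIC):
        for metric in page["Metrics"]:
            for dim in metric["Dimensions"]:
                if dim["Name"] == "ResourceType":
                    types.add(dim["Value"])
    return sorted(types)


def build_queries(resource_types, period_seconds=86400):
    """One GetMetricData query per resource type, summing CIs per period."""
    queries = []
    for i, rtype in enumerate(resource_types):
        queries.append({
            "Id": f"q{i}",  # query Ids must start with a lowercase letter
            "Label": rtype,
            "MetricStat": {
                "Metric": {
                    "Namespace": NAMESPACE,
                    "MetricName": METRIC,
                    "Dimensions": [{"Name": "ResourceType", "Value": rtype}],
                },
                "Period": period_seconds,
                "Stat": "Sum",
            },
            "ReturnData": True,
        })
    return queries


def rank_resource_types(metric_data_results, top_n=10):
    """Total the per-period sums in GetMetricData's MetricDataResults and
    return [(resource_type, total), ...] sorted by total, descending."""
    totals = {}
    for result in metric_data_results:
        label = result["Label"]
        totals[label] = totals.get(label, 0) + sum(result.get("Values", []))
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    return ranked[:top_n]


def fetch_top_resource_types(cloudwatch, days=30, top_n=10):
    """Live query: daily sums for the last `days` days, ranked."""
    end = datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    queries = build_queries(list_recorded_resource_types(cloudwatch))
    results = []
    # GetMetricData takes at most 500 queries per call.
    for i in range(0, len(queries), 500):
        resp = cloudwatch.get_metric_data(
            MetricDataQueries=queries[i:i + 500], StartTime=start, EndTime=end)
        results.extend(resp["MetricDataResults"])
    return rank_resource_types(results, top_n)


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("boto3 is required for the live query")
    for rtype, total in fetch_top_resource_types(boto3.client("cloudwatch")):
        print(f"{total:>10.0f}  {rtype}")
```

Run it in each Region where a recorder is enabled; the totals are per Region, and the ResourceType that tops the list is the first candidate for exclusion or daily recording in the sections that follow.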

Possible opportunities for optimizing AWS Config costs

Global Resources

If you are recording global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User), deploy AWS Config rules and conformance packs that have these global resources in scope in only one of the supported Regions, to avoid unnecessary evaluations and API throttling. Global resource types onboarded to AWS Config after February 2022 are recorded only in the service's home Region for the commercial partition and in AWS GovCloud (US-West) for the AWS GovCloud (US) partition. For more information, refer to this documentation.

Check the global resource types in your CloudWatch metrics and confirm that you are recording them in only one Region. The configuration recorder's "Include global resources" setting (includeGlobalResourceTypes) should be enabled in a single Region, because every Region that enables it records its own copy of each IAM configuration item and evaluates its own copy of the rules that reference them.
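
The following script is an added example, not code from the original post, that automates that check: it reads every Region's configuration recorder with DescribeConfigurationRecorders and reports the Regions that would record the four legacy IAM global types. The decision is a pure function over the recorder shape the API returns, so it can be run against constructed recorders offline; how the exclusion strategy treats global types is an assumption flagged in the code, and the live run needs boto3 and config:DescribeConfigurationRecorders in each Region.

```python
"""Report which Regions record the legacy IAM global resource types.

Added example, not from the original post: reads every Region's configuration
recorder and flags Regions that would record AWS::IAM::{Group,Policy,Role,User},
so you can confirm the types are recorded (and rules evaluated) in one Region.
"""
try:
    import boto3
    from botocore.exceptions import BotoCoreError, ClientError
except ImportError:  # boto3 is only needed for the live audit
    boto3 = BotoCoreError = ClientError = None

# Global types onboarded before February 2022: recorded in every Region whose
# recorder asks for them, hence the duplicate-CI risk the post describes.
LEGACY_GLOBAL_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy",
                       "AWS::IAM::Role", "AWS::IAM::User"}


def records_global_types(recorder):
    """True if one recorder (an item of DescribeConfigurationRecorders) records
    any of the legacy IAM global types in its Region."""
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if group.get("includeGlobalResourceTypes"):
        return True
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # Assumption: with the exclusion strategy every supported type is
        # recorded unless it is listed; verify against the RecordingGroup docs.
        excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return not LEGACY_GLOBAL_TYPES <= excluded
    # ALL_SUPPORTED without the global flag records none of them; an explicit
    # resourceTypes list records exactly the IAM types it names.
    return bool(LEGACY_GLOBAL_TYPES & set(group.get("resourceTypes", [])))


def global_recording_regions(recorders_by_region):
    """{region: [recorder, ...]} -> sorted Regions that record the IAM types.
    More than one entry means duplicate CIs and duplicate rule evaluations."""
    return sorted(region for region, recs in recorders_by_region.items()
                  if any(records_global_types(r) for r in recs))


def collect_recorders(session, regions):
    """Live: DescribeConfigurationRecorders in each Region. Opt-in Regions
    that are not enabled for the account fail the call and are skipped."""
    found = {}
    for region in regions:
        try:
            client = session.client("config", region_name=region)
            found[region] = client.describe_configuration_recorders().get(
                "ConfigurationRecorders", [])
        except (ClientError, BotoCoreError):
            found[region] = []
    return found


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("boto3 is required for the live audit")
    session = boto3.Session()
    regions = global_recording_regions(
        collect_recorders(session, session.get_available_regions("config")))
    print("Regions recording IAM global types:", ", ".join(regions) or "none")
    if len(regions) > 1:
        print("WARNING: enable 'Include global resources' in a single Region only")
```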

Recording Frequency

AWS Config supports continuous and daily configuration recording. Continuous recording captures resource configuration changes as they occur. Daily recording delivers one configuration item per resource every 24 hours, and only if the configuration differs from the previous day's. Daily recording gives you the flexibility to record changes to low-churn or less critical resources at a lower frequency, which reduces the number of configuration items recorded and therefore the cost. Keep continuous recording for resource types where you need the full change history, for example IAM and security group changes that an investigation would need to reconstruct minute by minute.

Resources

You can either include or exclude resource types based on your compliance requirements.

1. Exclusion of Resources

Exclude the resource types that you do not need to record. Also, consider changing the recording frequency to "Daily recording", as shown in Figure 2.

Figure 2 : Settings – Exclude resources from recording

  • When reviewing the top resource types in the CloudWatch dashboard (Figure 1), customers may opt to exclude "AWS::Config::ResourceCompliance". This resource type often ranks high because AWS Config records a configuration item whenever a rule evaluation changes a resource's compliance state, so a large volume of rule evaluations produces a large volume of these items.
  • As shown in Figure 3, add "AWS::Config::ResourceCompliance", identified by your CloudWatch metric as one of the resource types with the most configuration items, to the exclusion list. Excluding it stops AWS Config from recording compliance-state history as configuration items; rules still evaluate and current compliance remains available in the console and through the compliance APIs, but the per-resource compliance timeline is no longer captured.

Figure 3: Exclude “ResourceCompliance” captured as part of CloudWatch dashboard settings from figure 1

  • After excluding "AWS::Config::ResourceCompliance" from recording, you can see the drop in configuration items recorded for it, as shown in Figure 4.

Figure 4: Updated CloudWatch dashboard after excluding “ResourceCompliance”

  • If you run ephemeral workloads, you may see increased activity from AWS Config as it records the configuration changes associated with creating and deleting temporary resources. An ephemeral workload uses computing resources temporarily, loading and running them only when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Amazon EC2 Auto Scaling groups. Note that each instance launch also produces configuration items for related resources such as network interfaces and EBS volumes, so these related types are often the ones worth a daily-recording override or exclusion.

Inclusion of Resources

Consider recording only the specific resource types that you want to track, based on your compliance and security requirements. Follow the steps here to record specific resource types. You can set the frequency for each resource type to either Daily or Continuous, based on your compliance requirements. Inclusion is the stricter option: anything not listed is not recorded at all, so review the list whenever you adopt a new service.

Figure 5: Settings – Record specific resource type
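
The recording-frequency, exclusion and inclusion settings above all land in one ConfigurationRecorder document. The following script is an added example, not code from the original post: it builds that document for both strategies (exclude noisy types from "all supported", as in Figure 2, or record an explicit inclusion list, as in Figure 5), attaches a daily-recording override for low-churn types, and validates the result against the API's consistency rules before it is sent. The recorder name, role ARN and resource types in main() are placeholders.

```python
"""Define an AWS Config recorder that records only what you need.

Added example, not from the original post. Builds the ConfigurationRecorder
document that PutConfigurationRecorder accepts for the two strategies in
Figures 2 and 5, with a daily-recording override for low-churn types.
validate_recorder() applies the API's consistency rules plus a few sanity
checks before anything is sent.
"""
import sys

try:
    import boto3
except ImportError:  # boto3 is only needed to apply the recorder
    boto3 = None

CONTINUOUS, DAILY = "CONTINUOUS", "DAILY"


def _recorder(name, role_arn, group, daily_types):
    overrides = []
    if daily_types:
        overrides.append({"description": "Low-churn types: one snapshot per 24h if changed",
                          "resourceTypes": sorted(daily_types),
                          "recordingFrequency": DAILY})
    group.update({"allSupported": False, "includeGlobalResourceTypes": False})
    return {"name": name, "roleARN": role_arn, "recordingGroup": group,
            "recordingMode": {"recordingFrequency": CONTINUOUS,
                              "recordingModeOverrides": overrides}}


def exclusion_recorder(name, role_arn, excluded, daily_types=()):
    """Record every supported type except `excluded` (Figure 2)."""
    return _recorder(name, role_arn, {
        "exclusionByResourceTypes": {"resourceTypes": sorted(excluded)},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}}, daily_types)


def inclusion_recorder(name, role_arn, included, daily_types=()):
    """Record only `included`; nothing else is recorded (Figure 5)."""
    return _recorder(name, role_arn, {
        "resourceTypes": sorted(included),
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}}, daily_types)


def validate_recorder(rec):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    group = rec.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    listed = set(group.get("resourceTypes", []))
    excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
    if group.get("allSupported") and listed:
        problems.append("allSupported=true cannot be combined with resourceTypes")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        if group.get("allSupported") or listed:
            problems.append("exclusion strategy needs allSupported=false and no resourceTypes")
        if not excluded:
            problems.append("exclusion strategy with an empty list records everything")
    if strategy == "INCLUSION_BY_RESOURCE_TYPES" and not listed:
        problems.append("inclusion strategy with no resourceTypes records nothing")
    mode = rec.get("recordingMode", {})
    default_freq = mode.get("recordingFrequency", CONTINUOUS)
    for override in mode.get("recordingModeOverrides", []):
        types = set(override.get("resourceTypes", []))
        if override.get("recordingFrequency") == default_freq:
            problems.append("override repeats the default frequency and has no effect")
        if types & excluded:
            problems.append("override names excluded types: " + ", ".join(sorted(types & excluded)))
        if strategy == "INCLUSION_BY_RESOURCE_TYPES" and types - listed:
            problems.append("override names unrecorded types: " + ", ".join(sorted(types - listed)))
    return problems


if __name__ == "__main__":
    # Placeholder recorder name and role ARN; substitute your own.
    rec = exclusion_recorder(
        "default",
        "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        excluded={"AWS::Config::ResourceCompliance"},
        daily_types={"AWS::EC2::NetworkInterface", "AWS::EC2::Volume"})
    problems = validate_recorder(rec)
    print("; ".join(problems) or "recorder definition is consistent")
    if not problems and boto3 is not None and "--apply" in sys.argv:
        boto3.client("config").put_configuration_recorder(ConfigurationRecorder=rec)
```

PutConfigurationRecorder replaces the whole recorder definition rather than merging with it, so fetch the current one with DescribeConfigurationRecorders and compare before running with --apply, and repeat per Region, since recorders are regional.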

Conformance Packs

A conformance pack sample template may contain the same rules as another sample conformance pack. The same duplication can occur if you have also enabled a security standard in AWS Security Hub, because Security Hub implements most of its controls as AWS managed Config rules in your account.

For example, the PCI DSS standard in Security Hub enables a control that checks that AWS CloudTrail is enabled [PCI.CloudTrail.2]. That same check is present in many of the sample conformance pack templates. If Security Hub is already evaluating that control, remove the duplicate rule from the conformance pack so that each resource is evaluated (and billed) once.
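
The following script is an added example, not code from the original post, for finding such duplicates before deploying a pack. It assumes, as observed in practice but to be verified in your own account with DescribeConfigRules, that the rules Security Hub creates are AWS managed rules with names prefixed "securityhub-"; a pack rule with the same Source.SourceIdentifier is then a second, billable evaluation of the same check. The sample template and the sample DescribeConfigRules response are constructed; the mapping of the CloudTrail control to the CLOUD_TRAIL_ENABLED managed rule is an assumption used only for the sample data.

```python
"""Find conformance pack rules that Security Hub already evaluates.

Added example, not from the original post. Compares the AWS managed rules in
a conformance pack template (already loaded as a dict from its YAML/JSON)
with the managed rules Security Hub created in the account, and prunes the
duplicates from the template.
"""
try:
    import boto3
except ImportError:  # boto3 is only needed to read live rules
    boto3 = None

# Assumption: Security Hub names the Config rules it creates "securityhub-<rule>-<id>".
SECURITYHUB_PREFIX = "securityhub-"


def managed_rules_in_template(template):
    """{logical_id: SourceIdentifier} for every AWS managed rule in the pack."""
    found = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue
        source = res.get("Properties", {}).get("Source", {})
        if source.get("Owner") == "AWS":
            found[logical_id] = source["SourceIdentifier"]
    return found


def securityhub_managed_rules(config_rules):
    """SourceIdentifiers of managed rules Security Hub created (DescribeConfigRules shape)."""
    return {r["Source"]["SourceIdentifier"] for r in config_rules
            if r["ConfigRuleName"].startswith(SECURITYHUB_PREFIX)
            and r["Source"]["Owner"] == "AWS"}


def duplicated_rules(template, config_rules):
    """Logical IDs of pack rules whose managed rule Security Hub already runs."""
    hub = securityhub_managed_rules(config_rules)
    return sorted(lid for lid, ident in managed_rules_in_template(template).items()
                  if ident in hub)


def prune_template(template, duplicates):
    """Copy of the template without the duplicated rule resources."""
    pruned = {k: v for k, v in template.items() if k != "Resources"}
    pruned["Resources"] = {k: v for k, v in template.get("Resources", {}).items()
                           if k not in duplicates}
    return pruned


def list_all_config_rules(config):
    """Live: every rule in the Region, following pagination."""
    return [r for page in config.get_paginator("describe_config_rules").paginate()
            for r in page["ConfigRules"]]


# Constructed sample pack: one rule Security Hub also runs, one it does not.
SAMPLE_TEMPLATE = {"Resources": {
    "CloudTrailEnabled": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "cloudtrail-enabled",
        "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"}}},
    "RequiredTags": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "required-tags",
        "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}}},
}}
# Constructed DescribeConfigRules items: Security Hub's CloudTrail rule plus a
# customer rule that happens to use the same managed rule as the pack.
SAMPLE_RULES = [
    {"ConfigRuleName": "securityhub-cloud-trail-enabled-1a2b3c",
     "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"}},
    {"ConfigRuleName": "my-required-tags",
     "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}},
]

if __name__ == "__main__":
    rules = SAMPLE_RULES if boto3 is None else list_all_config_rules(boto3.client("config"))
    dups = duplicated_rules(SAMPLE_TEMPLATE, rules)
    print("already evaluated by Security Hub:", dups)
    print("rules left in the pack:", list(prune_template(SAMPLE_TEMPLATE, dups)["Resources"]))
```

Only Security Hub's rules are treated as duplicates here; "my-required-tags" in the sample is also a second copy of a pack rule, but whether a customer-owned rule should win over the pack's copy is a decision for the team that owns it, so the script reports but does not prune it.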

Rule Evaluations

  • Use the Delete results (DeleteEvaluationResults API) and Re-evaluate (StartConfigRulesEvaluation API) functions on your Config rules judiciously to avoid spikes in AWS Config billing.
    Whenever you delete results and re-evaluate a Config rule, the rule is evaluated again against every resource in its scope, each evaluation is billed, and a new configuration item is created for each resource to record its latest compliance state. This can noticeably increase your AWS Config evaluation and configuration item recording costs if these actions are performed frequently, for example from a scheduled job. Follow the steps here to delete results and here to re-evaluate.

Figure 6: Re-evaluate and Delete results

Be careful when choosing all resource types

  • AWS Config rules are evaluated based on their trigger type. The trigger types supported by AWS Config rules are listed below; choose the trigger type and its settings according to your compliance requirements.
  • Pricing for evaluations is per rule evaluation per resource. If a rule evaluates 50 resources, that is 50 evaluations.

1. Periodic

Rules with the Periodic trigger type are evaluated at the specified frequency (1, 3, 6, 12, or 24 hours). Choosing the largest interval (24 hours is the maximum) lengthens the time between subsequent evaluations and thus reduces the cost incurred by evaluating these rules.

2. Configuration Changes

First, you must understand when a rule is evaluated if its trigger type is Configuration changes, and how configuration items (CIs) are generated. AWS Config records changes not only to the supported resources themselves but also to resources related to them. Therefore, the more configuration changes there are to the supported resources and/or their related resources, the more CIs are generated, each of which triggers the change-triggered rules whose scope matches it, which ultimately leads to more cost. A change-triggered rule with no scope (no resource types or tag specified) is evaluated on every recorded change, so scope such rules to the resource types they actually check.
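
The two trigger-type points above can be checked across an account programmatically. The following script is an added example, not code from the original post: it walks DescribeConfigRules output and flags periodic rules that run more often than every 24 hours and change-triggered rules with no Scope, and it prepares the PutConfigRule body that moves a periodic rule to the 24-hour maximum. Rules with CreatedBy set (Security Hub or conformance packs) are refused, since those must be changed at their source. The sample rules are constructed, and treating a managed rule with no SourceDetails and no frequency as change-triggered is an assumption noted in the code.

```python
"""Audit AWS Config rules for evaluation-cost hot spots.

Added example, not from the original post. Flags periodic rules running more
often than every 24 hours and change-triggered rules with no Scope (which
are evaluated on every recorded change), and rewrites a periodic rule to the
24-hour maximum. Sample rules are constructed; shapes follow the API.
"""
try:
    import boto3
except ImportError:  # boto3 is only needed for the live audit
    boto3 = None

FREQ_HOURS = {"One_Hour": 1, "Three_Hours": 3, "Six_Hours": 6,
              "Twelve_Hours": 12, "TwentyFour_Hours": 24}
CHANGE_EVENTS = {"ConfigurationItemChangeNotification",
                 "OversizedConfigurationItemChangeNotification"}


def trigger_types(rule):
    """Subset of {"periodic", "change"} describing how the rule is triggered."""
    details = rule.get("Source", {}).get("SourceDetails", [])
    kinds = set()
    if rule.get("MaximumExecutionFrequency") or any(
            d.get("MessageType") == "ScheduledNotification" for d in details):
        kinds.add("periodic")
    if any(d.get("MessageType") in CHANGE_EVENTS for d in details):
        kinds.add("change")
    if not kinds:
        # Assumption: AWS managed rules come back without SourceDetails, so a
        # managed rule with no frequency is treated as change-triggered.
        kinds.add("change")
    return kinds


def periodic_hours(rule):
    """Evaluation interval in hours, or None for non-periodic rules."""
    freq = rule.get("MaximumExecutionFrequency")
    for d in rule.get("Source", {}).get("SourceDetails", []):
        freq = freq or d.get("MaximumExecutionFrequency")
    return FREQ_HOURS.get(freq)


def has_scope(rule):
    scope = rule.get("Scope") or {}
    return bool(scope.get("ComplianceResourceTypes") or scope.get("TagKey")
                or scope.get("ComplianceResourceId"))


def audit_rules(rules):
    """[(rule_name, finding)] for rules whose trigger settings cost more than needed."""
    findings = []
    for rule in rules:
        name, kinds, hours = rule["ConfigRuleName"], trigger_types(rule), periodic_hours(rule)
        if "periodic" in kinds and hours is not None and hours < 24:
            findings.append((name, f"periodic every {hours}h; consider TwentyFour_Hours"))
        if "change" in kinds and not has_scope(rule):
            findings.append((name, "change-triggered with no Scope: evaluated on every recorded change"))
    return findings


def cheapen_periodic(rule):
    """Copy of a periodic rule, ready for PutConfigRule, at the 24-hour maximum."""
    if rule.get("CreatedBy"):
        raise ValueError(f"{rule['ConfigRuleName']} is managed by {rule['CreatedBy']}; change it there")
    # Drop the read-only identifiers DescribeConfigRules returns; the name is enough.
    updated = {k: v for k, v in rule.items()
               if k not in ("ConfigRuleArn", "ConfigRuleId", "ConfigRuleState", "CreatedBy")}
    updated["MaximumExecutionFrequency"] = "TwentyFour_Hours"
    return updated


SAMPLE_RULES = [  # constructed DescribeConfigRules items
    {"ConfigRuleName": "iam-password-policy", "MaximumExecutionFrequency": "One_Hour",
     "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"}},
    {"ConfigRuleName": "required-tags", "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
     "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}},
    {"ConfigRuleName": "custom-all-changes",
     "Source": {"Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:check-all-changes",
                "SourceDetails": [{"EventSource": "aws.config",
                                   "MessageType": "ConfigurationItemChangeNotification"}]}},
    {"ConfigRuleName": "securityhub-cloud-trail-enabled-1a2b3c", "CreatedBy": "securityhub.amazonaws.com",
     "MaximumExecutionFrequency": "TwentyFour_Hours",
     "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"}},
]

if __name__ == "__main__":
    rules = SAMPLE_RULES
    if boto3 is not None:
        paginator = boto3.client("config").get_paginator("describe_config_rules")
        rules = [r for page in paginator.paginate() for r in page["ConfigRules"]]
    for name, finding in audit_rules(rules):
        print(f"{name}: {finding}")
```

Apply a change with boto3.client("config").put_config_rule(ConfigRule=cheapen_periodic(rule)) only after checking that the rule's compliance requirement tolerates a 24-hour detection window; for a control that feeds an alert you act on within the hour, the shorter interval is the point, not the waste.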

Services to leverage for proactive monitoring of AWS Config Spend

AWS Budgets

AWS Budgets alerts notify you when actual or forecasted monthly costs exceed a predefined threshold. Create a budget filtered to the AWS Config service so that changes in Config spend stand out instead of being hidden in the account total. Refer here for more information on configuring AWS Budgets alerts.

AWS Cost Anomaly Detection

AWS Cost Anomaly Detection continuously monitors your costs to detect unusual spend. This reduces reliance on budget alerts alone, which can miss an increase in one service in a high-spend account where the normal variation across the whole account dwarfs it. Refer here for more information. Select the "Linked account" monitor type in Cost Anomaly Detection to monitor the total spend of all accounts that use AWS Config; the "AWS services" monitor type evaluates each service separately and is the one that flags a jump in AWS Config spend specifically.

Conclusion

In this post, we demonstrated how to adjust your AWS Config configuration to control costs while keeping your audit and evaluation needs in place. Choosing the right recorder settings, recording frequency and rule triggers for your resources affects both your costs and your ability to meet your compliance needs. We hope this post has highlighted some options and best practices for AWS Config cost optimization.

Additional resources

To learn more and get started, please refer to the following resources:

  1. Customize AWS Config resources tracking in AWS Control Tower
  2. AWS Config now supports recording exclusions by resource type

About the authors:

Snehal Nahar

Snehal Nahar is a Sr.Technical Account Manager with AWS in Charlotte, North Carolina.  She is passionate about building innovative, secure, scalable solutions using AWS  services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.

 

 

Anjani Reddy

Anjani is a Sr. Solutions Architect at AWS. She works with Enterprise customers and provides technical guidance to help them innovate and build a secure, scalable cloud on the AWS platform. Outside of work, she is an Indian classical and salsa dancer, loves to travel and Volunteers for American Red Cross and Hands on Atlanta.
