Your AWS bill is mostly based on usage, which is great. The more you use it, the more you pay. When usage increases by 50%, the AWS bill grows by 50% as well. But lately, I realized that something odd was happening. In this blog post, I share my story about an ever-growing AWS bill caused by AWS Config and a trick to reduce your AWS Config bill.
For more than a year, I have received a budget alert each month for the AWS account that hosts our event-driven AWS Monitoring solution called marbot. The following figure shows the latest alert from July 2025.
For a long time, I accepted that I was spending more than what I defined in my budget years ago. This month, I investigated the bill increase and discovered something interesting.
Checking my AWS bill
I use AWS Cost Explorer to understand my AWS costs. The following figure shows the AWS costs for the last 12 months:
As I said, the AWS bill should somehow reflect the usage pattern of the workload. As an approximation, I used the number of alerts created by marbot to check the usage of our service against the AWS bill.
The number of alerts grew by 33%, from 120k to 160k, in the last 12 months. The AWS bill increased by 20% from $350 to $419. At first glance, that looks great.
Investigating the Cost Spike
But on closer inspection, one service shows a significant increase in costs: AWS Config.
AWS Config costs increased by 1400% from $6 to $90.
Root Cause Analysis
Luckily, AWS Cost Explorer allows me to drill down into the AWS Config costs by grouping by Usage Type, which quickly revealed that most of the costs are associated with usage type ConfigurationItemRecorded.
I had two questions:
- Why are there so many more configuration changes recorded?
- How can I reduce the recorded configuration changes?
We ship AWS Config data to a centralized S3 bucket, so I executed a bunch of Athena queries shared by AWS and learned that most of the changes are caused by AWS Fargate. When you launch a task, an ENI is created, which causes 4 changes to be recorded (ENI, VPC, subnet, security group). 4 AWS Config changes cost $0.012. Running a Fargate task for 1 minute costs $0.0008 (1 vCPU with 2 GB memory). In other words, I pay more for AWS Config than for Fargate, which is crazy 🙂
You might ask, why use AWS Config at all? The answer is simple: Our ISO 27001 audit depends on AWS Security Hub, which depends on AWS Config.
AWS Config cost optimization
So the final question remains: How to reduce the changes recorded by AWS Config while still keeping Security Hub happy? The answer is simple: Switch from recording frequency continuous to daily.
The following CloudFormation snippet changes the frequency:
ConfigurationRecorder: |
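A minimal template for the setting described above, as an added example rather than the author's original snippet. The `ConfigRoleArn` parameter, the recorder name `default`, and the optional override list are assumptions, and a delivery channel is assumed to exist already.

```yaml
# Added example, not the author's template.
# Hypothetical names: ConfigRoleArn, recorder name "default".
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Config recorder with daily recording frequency

Parameters:
  ConfigRoleArn:
    Type: String
    Description: ARN of an existing IAM role that AWS Config assumes (assumption)

Resources:
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: !Ref ConfigRoleArn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RecordingMode:
        # Was CONTINUOUS (the default): one configuration item per change.
        # DAILY: at most one configuration item per resource per day,
        # and only if the resource differs from the previous recording.
        RecordingFrequency: DAILY
        # Optional (assumption, not from the post): keep continuous
        # recording for low-churn, security-relevant resource types so
        # changes to them still show up in AWS Config right away.
        RecordingModeOverrides:
          - Description: Continuous recording for IAM and S3
            RecordingFrequency: CONTINUOUS
            ResourceTypes:
              - AWS::IAM::Role
              - AWS::IAM::Policy
              - AWS::S3::Bucket
```

Leave the high-churn types from the Fargate case (ENI, VPC, subnet, security group) out of the override list, otherwise they are recorded continuously again.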
As you can see, my AWS Config costs are close to zero after applying the change on July 23rd. This will save me around $90 per month or $1080 per year. A fun and worthwhile time investment.
Summary
AWS Config is adding more and more resource types that it records. Therefore, your AWS Config bill is likely increasing over time as well. Besides that, volatile workloads create and delete resources that are recorded by AWS Config. For example, an Auto Scaling Group to manage a fleet of Spot EC2 instances or the Fargate tasks example from above.
The daily recording frequency approach I shared in this blog post will help you to reduce your AWS Config bill in volatile AWS environments. The downsides:
- Not all changes will be captured by AWS Config. Lucky me, I also have AWS CloudTrail enabled, which captures all API activity.
- Changes recorded in daily mode are 300% more expensive, $0.012 instead of $0.003. If your workloads are not volatile, you might spend more!