AWS Config Cost Increase


Hello, how are you?

In the last three months, we noticed that the AWS Config cost increased more than 500% on average.

The usage type that was the biggest aggressor was SAE1-ConfigurationItemRecorded. We reviewed the AWS Config logs and identified a lot of changes in the EC2:Subnet, EC2:VPC, EC2:Security Group and EC2:Network interface resource types.

We also noticed that there seems to be some connection between the items recorded, the cost and the variation in the number of tasks on the ECS cluster; some evidence is below.

Can someone help me explain what the possible root cause of this cost increase is and why it suddenly happened?


1 Answer
Accepted Answer

As you noted, this is likely due to your ECS workload. Config records every change to your environment. If you are using VPC networking mode, this would explain the high number of networking items being recorded in Config. From:

awsvpc — The task is allocated its own elastic network interface (ENI) and a primary private IPv4 address. This gives the task the same networking properties as Amazon EC2 instances.

So you can see that if you have a high volume of containers being spawned/removed, this will contribute to the high volume of Config items being recorded. Also, there are relationships in Config which explain the other networking items like subnet, security group, etc. See

As to why it suddenly happened, were any changes made to config or config recorder? Was Control Tower deployed recently? That would enable the config recorder in all governed accounts.

Lastly, check out this post which gives some further info and suggestions

AWS
answered 2 years ago
  • Thanks for your reply!

    I noticed that the tasks were allocated with awsvpc, which makes sense.

    I'm worried too about the cost increase: in March it was about $20, and in April and May it exceeded $300.

    Control Tower was not deployed. Can CloudWatch Container Insights do this?

  • No, it's not Container Insights. Looks like Config has always been enabled and the cost is directly related to your ECS activity and task count, as you've shown in your graphs. You can see every spike in task count corresponds to a spike in Config costs. You can change the Config recorder to filter out the resources that you don't need or want to record, depending on your requirements. See

  • I think that I found it!

    I got the service's PendingTaskCount and RunningTaskCount metrics, and I found a task that frequently changes status (pending to running, to pending...).

    Coincidentally, these changes correspond to the days with the most cost. The recent logs prove this theory too: the task changes many times a day. What do you think?
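
The pattern discussed in this thread (awsvpc task churn producing short-lived ENIs plus related subnet and security group items) can be measured from recorded configuration items. The following is an added example, not code from the thread or from AWS; the field names follow the AWS Config configuration item format, and the resource IDs, timestamps and the 30-second correlation window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

ENI = "AWS::EC2::NetworkInterface"

def _item(rtype, rid, status, t):
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemStatus": status, "configurationItemCaptureTime": t}

# Constructed sample: two task ENIs that live five minutes, one long-lived ENI,
# and the subnet / security group items recorded alongside the ENI changes.
SAMPLE_ITEMS = [
    _item(ENI, "eni-ccc", "ResourceDiscovered", "2023-05-01T08:00:00Z"),
    _item(ENI, "eni-aaa", "ResourceDiscovered", "2023-05-02T10:00:00Z"),
    _item("AWS::EC2::Subnet", "subnet-111", "OK", "2023-05-02T10:00:05Z"),
    _item("AWS::EC2::SecurityGroup", "sg-222", "OK", "2023-05-02T10:00:06Z"),
    _item(ENI, "eni-aaa", "ResourceDeleted", "2023-05-02T10:05:00Z"),
    _item("AWS::EC2::Subnet", "subnet-111", "OK", "2023-05-02T10:05:05Z"),
    _item(ENI, "eni-bbb", "ResourceDiscovered", "2023-05-02T10:06:00Z"),
    _item("AWS::EC2::Subnet", "subnet-111", "OK", "2023-05-02T10:06:05Z"),
    _item(ENI, "eni-bbb", "ResourceDeleted", "2023-05-02T10:11:00Z"),
    _item("AWS::EC2::Subnet", "subnet-111", "OK", "2023-05-02T10:11:05Z"),
]

def _ts(item):
    return datetime.fromisoformat(item["configurationItemCaptureTime"].replace("Z", "+00:00"))

def items_per_day(items):
    """Configuration items recorded per (day, resource type): the billed quantity."""
    return Counter((_ts(i).date().isoformat(), i["resourceType"]) for i in items)

def short_lived_enis(items, max_seconds=3600):
    """ENIs discovered and deleted within max_seconds, the trace awsvpc task churn leaves."""
    seen = defaultdict(dict)
    for i in items:
        if i["resourceType"] == ENI:
            seen[i["resourceId"]][i["configurationItemStatus"]] = _ts(i)
    return sorted(r for r, s in seen.items()
                  if s.keys() >= {"ResourceDiscovered", "ResourceDeleted"}
                  and (s["ResourceDeleted"] - s["ResourceDiscovered"]).total_seconds() <= max_seconds)

def related_items(items, window=30):
    """Non-ENI items captured within `window` seconds of a churned ENI's changes."""
    churned = set(short_lived_enis(items))
    marks = [_ts(i) for i in items if i["resourceId"] in churned]
    return Counter(i["resourceType"] for i in items if i["resourceType"] != ENI
                   and any(abs((_ts(i) - m).total_seconds()) <= window for m in marks))

if __name__ == "__main__":
    print(items_per_day(SAMPLE_ITEMS), short_lived_enis(SAMPLE_ITEMS), related_items(SAMPLE_ITEMS))
```

Run over real configuration items, the share attributed to short-lived ENIs and their related items shows how much recording volume comes from task churn before any resource type is filtered out of the recorder.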
