Can I disable Config in Control Tower?

1

In my Control Tower I have some small project accounts that have some EC2/ECS instances that are periodically (every 1-6 hours) started to do some task and then stopped.

AWS Config costs me a lot more than EC2/ECS itself. For me it is not sustainable.

I state that I have never used AWS Config outside of Control Tower. How can I disable it entirely (or at least for EC2/ECS start/stop events) for some (or all) accounts in my Control Tower?

1 Answer
-1

You have a few options to disable or reduce the cost of AWS Config in your AWS Control Tower:

You can disable AWS Config entirely for specific accounts in your Control Tower by going to the AWS Config dashboard in the AWS Management Console and selecting the account you want to disable it for. Then, click on the "Actions" button and choose "Delete Configuration Recorder."

You can also disable AWS Config for specific resource types, such as EC2 and ECS, in specific accounts. To do this, you can go to the AWS Config dashboard and select the account you want to update. Then, click on the "Settings" button and choose "Resource Types." From there, you can deselect the resource types that you do not want to track with AWS Config.

Lastly, you can use resource tagging to exclude certain resources from being tracked by AWS Config. You can create an AWS Config rule that only applies to resources that have a specific tag, and then tag your EC2 and ECS instances that are periodically started and stopped with this tag.

By using one or a combination of the above methods, you should be able to significantly reduce the cost of AWS Config in your Control Tower.

answered a year ago
  • Hi @jayamaheizenberg, thanks for your response and sorry for my delay.

    Have you verified your response's compatibility with AWS Control Tower? There are several rules in the default landing zone that enable (and prevent you from disabling) AWS Config in enrolled accounts.

  • In AWS Control Tower everything relies on AWS Organizations. You first need to go to AWS Organizations and verify which SCPs the account you want to remove AWS Config from has. Most of the time the names of these SCPs begin with aws-guardrails-random-*****. Those have some JSON policies with Deny actions acting as an explicit deny, so they override every admin/non-admin role and even the root user. Once you identify the SCP, detach it, stop AWS Config and attach the SCP back. Control Tower may prompt some messages regarding the SCP you just detached/attached. Follow along, and that should be it.

  • This answer is incorrect and seems very much like it was generated by ChatGPT. I have nothing against that as long as the answer is correct, but it sometimes hallucinates and you need to verify its correctness before publishing an answer for other people to use.

    @Yoimer David Roman Figueroa's suggestion worked for me and should be marked as a valid answer.

  • We have a Control Tower account. In that Control Tower, one of the accounts has had the AWS Config service enabled for a few weeks. We are trying to disable the service, but it shows the error "You do not have sufficient permission to perform this action". As I have admin-level privileges, I'm able to enable and disable the AWS Config service in other Control Tower accounts, but I'm facing this issue in this particular account.
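As an added illustration of the SCP check described in the comments above (the guardrail SCP whose explicit Deny overrides admin permissions, and the "not sufficient permission" error in the last comment), here is example code that is not from re:Post or any commenter. It matches an action such as config:StopConfigurationRecorder against SCP documents and reports which policies deny it; the policy documents and names are constructed for the example, not Control Tower's actual guardrail text.

```python
"""Which SCPs explicitly deny an AWS Config action for an enrolled account?
Control Tower guardrail SCPs carry Deny statements that override any IAM allow, so
even an administrator gets "not sufficient permission" when stopping the recorder.
Policy texts below are CONSTRUCTED; fetch real ones with `aws organizations
list-policies-for-target --target-id <id> --filter SERVICE_CONTROL_POLICY` (for the
account, each parent OU and the root) and `aws organizations describe-policy`.
"""
import fnmatch
import json

SAMPLE_SCPS = {  # constructed sample shaped like a guardrail, not AWS's actual policy text
    "aws-guardrails-EXAMPLE": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Resource": "*",
        "Action": ["config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel",
                   "config:StopConfigurationRecorder", "config:PutConfigurationRecorder"],
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/EXAMPLE-ExecutionRole"}}}]}),
    "FullAWSAccess": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    "DenyOtherRegions-EXAMPLE": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "NotAction": ["iam:*", "organizations:*"], "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action matching is case-insensitive and uses * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def statement_denies(stmt, action):
    """True if `stmt` is a Deny that reaches `action`; Condition blocks are NOT evaluated."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        return _matches(action, stmt["Action"])
    if "NotAction" in stmt:  # deny everything except the listed actions
        return not _matches(action, stmt["NotAction"])
    return False

def denying_policies(policies, action):
    """[(policy_name, only_conditional)] per policy with a Deny matching `action`.
    A conditional Deny (e.g. one exempting Control Tower's own role) may not reach
    your principal, so read its Condition before detaching anything."""
    hits = []
    for name, doc in policies.items():
        matched = [s for s in _as_list(json.loads(doc)["Statement"]) if statement_denies(s, action)]
        if matched:
            hits.append((name, all("Condition" in s for s in matched)))
    return hits
```

Run `denying_policies(SAMPLE_SCPS, "config:StopConfigurationRecorder")` to see both the guardrail-style policy and the region policy reported, each flagged as conditional; detaching a guardrail SCP also puts the account into Control Tower drift, which the comment above describes as the prompts you then follow.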
