Hi Matt -
I can confirm that this is an expected behavior for both Fargate and Config.
As you note, Fargate creates Task ENIs in the subnets, triggering Configuration Items for the ENI to Subnet association and Available IP addresses. [1] AWS Config pricing is currently $0.003 per config item recorded. [2]
Depending on the volume of tasks you are executing, this can drive a significant number of config items & corresponding AWS Config cost.
Your workaround of disabling AWS Config is appropriate, though as you note it is not ideal, as you lose change tracking for subnets. AWS Config allows for selecting resource types; however, at this point in time it's not possible to get more granular than resource type.
To compensate for the reduced visibility, you could implement additional controls, for example by ensuring you have CloudTrail logs enabled & query capability against those logs, via Athena [3] or CloudTrail Lake [4].
Given that you have a significant volume of tasks running, it might be worthwhile to evaluate alternate architectures.
The first possibility would be to switch to EC2 tasks rather than Fargate tasks. EC2 based tasks have multiple task networking options [5], including bridge and host modes. You'll need to consider the security implications of switching these modes and if that's acceptable for your use cases.
Another thought would be to adjust the task architecture to pull tasks from a queue or other input and process multiple tasks inside a single execution. This would reduce the task ENI churn and corresponding Config records.
Alternatively, if your task executes fairly quickly (<15 minutes), you could consider executing the container in Lambda instead of Fargate. Lambda uses Hyperplane ENIs [6], which can share network interfaces across functions, reducing the churn and corresponding Config records.
[1] https://docs.aws.amazon.com/AmazonECS/latest/userguide/fargate-task-networking.html
[2] https://aws.amazon.com/config/pricing/
[3] https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html
[4] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html
[5] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
[6] https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html
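As an added illustration of the compensating control suggested in the answer above (not code from the answer or from AWS), the following script filters CloudTrail records for subnet-mutating EC2 API calls while ignoring the task ENI churn that drove the Config cost. The records, account id, ARNs and the flat `subnetId` request parameter are constructed placeholders; real CloudTrail records nest EC2 request parameters differently, so adapt the extraction to your log format.

```python
# Subnet-mutating EC2 API calls that AWS Config would normally record as
# changes on the AWS::EC2::Subnet resource type. Extend the set as needed.
SUBNET_CHANGE_EVENTS = {
    "CreateSubnet", "DeleteSubnet", "ModifySubnetAttribute",
    "AssociateRouteTable", "DisassociateRouteTable",
    "ReplaceNetworkAclAssociation",
}

# Constructed sample CloudTrail records (placeholder values, not real logs).
# Two are Fargate task ENI create/delete noise; two are real subnet changes.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T12:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkInterface",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ecs-task-role/fargate"},
     "requestParameters": {"subnetId": "subnet-0abc"}},
    {"eventTime": "2024-01-10T12:05:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySubnetAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"subnetId": "subnet-0abc",
                           "mapPublicIpOnLaunch": {"value": True}}},
    {"eventTime": "2024-01-10T12:07:13Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AssociateRouteTable",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"subnetId": "subnet-0abc", "routeTableId": "rtb-0def"}},
    {"eventTime": "2024-01-10T12:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkInterface",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ecs-task-role/fargate"},
     "requestParameters": {"networkInterfaceId": "eni-0123"}},
]


def subnet_changes(records):
    """Return successful subnet-affecting mutations, dropping ENI churn.

    The same filter in Athena over the documented CloudTrail table would be
    roughly: eventsource = 'ec2.amazonaws.com' AND eventname IN (...)
    AND errorcode IS NULL.
    """
    hits = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com":
            continue
        if r.get("eventName") not in SUBNET_CHANGE_EVENTS:
            continue
        if r.get("errorCode"):  # failed calls changed nothing
            continue
        params = r.get("requestParameters") or {}
        hits.append({"time": r["eventTime"], "event": r["eventName"],
                     "subnet": params.get("subnetId"),
                     "actor": r.get("userIdentity", {}).get("arn")})
    return hits
```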