Control Tower Cost

Question

Hi,

Recently, I came across an unexpected bill, and I would like to share my feedback about Control Tower's services with you. CT automatically creates NAT Gateways in corresponding accounts as soon as it is deployed. Despite the fact that users believe CT is free, we will be charged when we spin up resources. However, they forget that some mandatory resources must be spun up and charged.

Can users be notified at the last step of deploying CT by making sure that they have read and agreed to the terms of service which outlines the cost of the resources that will be deployed. Additionally, they can be given a breakdown of the cost of the resources deployed?

This will enable them to avoid unexpected charges. By notifying users at the last step, they are given the opportunity to double-check the resources they are deploying and make sure that they are aware of the associated costs before the deployment is completed.  This gives users the chance to make any necessary changes and avoid any unexpected charges.

-Utkarsh

Answer

As with most AWS Services, each will incur a charge. Every time a resource is provisioned in AWS there will likely be a cost associated with it. We have to remember this otherwise you will need a prompt every time you provision an EC2 or an S3 bucket notifying you that there will be a cost.

Its inherent that there will be a cost associated with something that’s setup within AWS

It does state in the documentation regarding costs and VPC Configurations when using Control tower account factory.
https://docs.aws.amazon.com/controltower/latest/userguide/vpc-concepts.html

**Manage VPC costs**

*If you set the Account Factory VPC configuration so that public subnets are enabled when provisioning a new account, Account Factory configures VPC to create a NAT Gateway. You will be billed for your usage by Amazon VPC.*

Answer

Hi. Unfortunately, It will be difficult to inject user defined action like notifying to user during CT deployment flow.

BTW, you can select whether creating vpc or not to member account.

https://docs.aws.amazon.com/controltower/latest/userguide/configure-without-vpc.html

Answer

This is an excerpt from [AWS Control Tower Pricing Page](https://aws.amazon.com/controltower/pricing/) :

*There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS IAM Identity Center (successor to AWS SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only pay for what you use, as you use it.*

*For example, if you edit the AWS Control Tower account factory configuration to enable public subnets when provisioning a new account, then account factory will configure Amazon VPC to create a NAT Gateway, and you will be billed for your usage by Amazon VPC. The following examples show how AWS Control Tower can influence the cost you incur by enabling other services...*

There is no ambiguity in the pricing. If you have suggestions about AWS Console user experience as you mentioned, please submit that directly on the feedback page directly on the console.

Answer

I agree, However, it's a wise solution to allow customer to accept the term and condition at the beginning of enabling any options  of the deployment  process (pop up disclaimer that explains the cost)

Control Tower Cost

Relevant content