How to turn off AWS Config and reduce cost?


I observed that we are getting a big bill for AWS Config and to be honest, I have no idea what it is or why we have configured it? My question is:


asked 2 years ago · 4404 views
2 Answers
Accepted Answer

First you want to see if you are using AWS Control Tower (CT). CT uses AWS Config for its preventative guardrails and you don't want to turn it off in that case.

Secondly, you want to take a step back and think about whether there are certain resources that you want AWS Config to monitor for changes, such as IAM users, roles or S3 buckets. There are security implications if you just turn off everything when you have critical resources that depend on Config to detect issues.

Thirdly, I suggest you spend the time to go to your AWS Config and take a look at the rules and the recorder. You might want to start by deleting / removing rules that you don't need, then edit the Settings of Config, specifically the "Resource types to record", to those that you need protection for the most. Specifically, you might not want to record resources that generate a lot of events, for example containers that get created / deleted very often.

As a last resort, you can follow the steps in the post, but I do not recommend doing so without carefully reviewing your security needs and at least trying to minimize the scope of the recording and the Config rules you currently have. Deleting everything is never good for your security posture, nor does it help in the long run as your workload grows.

answered 2 years ago
  • Thank you so much for your answer. We were not using control tower and I found the Config rules and recording unnecessary for our needs. After careful review with cost explorer, it was clear that recordings were costing us. I have removed all rules and disabled recordings. Thanks!

    And just for completion: I was able to remove everything from AWS Config console and did not need to do it from command line.
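
The scoping step from the accepted answer (keep recording the types you need protected, stop recording high-churn ones), as an added example that is not part of the original answers. The per-type counts, the `CRITICAL` set and the 10% threshold are constructed assumptions; the result uses the `recordingGroup` structure that boto3's `put_configuration_recorder` accepts.

```python
# Added example: plan a narrower AWS Config recording scope from per-type volume.
# ITEM_COUNTS is constructed sample data, not measurements from a real account.
ITEM_COUNTS = {
    "AWS::EC2::NetworkInterface": 58000,
    "AWS::ECS::TaskDefinition": 24000,
    "AWS::IAM::Role": 12000,
    "AWS::S3::Bucket": 3000,
    "AWS::EC2::SecurityGroup": 2000,
    "AWS::IAM::User": 1000,
}
# Assumption: the types this account must keep recording for security reasons.
CRITICAL = {"AWS::IAM::User", "AWS::IAM::Role", "AWS::S3::Bucket"}


def plan_recording(item_counts, critical, max_share=0.10):
    """Drop non-critical types whose share of recorded items exceeds max_share."""
    total = sum(item_counts.values())
    if total == 0:
        raise ValueError("no configuration items in the sample")
    share = {t: n / total for t, n in item_counts.items()}
    dropped = sorted(t for t, s in share.items()
                     if s > max_share and t not in critical)
    # Critical types stay recorded even when noisy; surface them for review.
    noisy_kept = sorted(t for t, s in share.items()
                        if s > max_share and t in critical)
    recorded = sorted((set(item_counts) | set(critical)) - set(dropped))
    avoided = sum(item_counts[t] for t in dropped)
    return {
        # Inclusion list: only the types named here are recorded.
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": recorded,
        },
        "dropped": dropped,
        "noisy_but_kept": noisy_kept,
        "items_avoided_pct": round(100 * avoided / total, 1),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan_recording(ITEM_COUNTS, CRITICAL), indent=2))
```

Any resource type left out of `resourceTypes` is no longer recorded, so review the `dropped` list against the Config rules you decide to keep.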


If costs related to AWS Config are high... I would say either you have many Config rules that are evaluated very often, like every second or so.

In any case, you may consider deleting those Config rules to some extent or updating the frequency so that they are not evaluated so often. To delete them, you can use a simple CLI tool:

Any consequence of deleting those rules depends on your cloud architecture. If there is any automation that depends on them, you might obviously break some workflow, so that the triggered action never happens, etc.

answered 2 years ago
  • Thanks for your answer. The pricing was high due to recordings. Not sure why the recordings were costly. In any case, I have deleted them as we didn't need them.
