
What is AWS Config?

AWS Config is a powerful service designed to inspect, audit, and evaluate the configuration of AWS resources and plays a key role in helping companies ensure compliance and risk management. However, as with any cloud service, there is a balance between using the full potential of AWS Config and managing the associated costs.

AWS Config tracks and compares current and historical configurations of AWS resources, enabling monitoring, compliance auditing, and troubleshooting.

Key Features of AWS Config:

  • Resource Inventory: Provides an inventory of AWS resources and captures their configurations over time.
  • Configuration Change History: Tracks changes made to resources and records the history for audit and analysis purposes.
  • Compliance Auditing: Enables auditing against internal policies and regulatory requirements by setting up Config Rules.
  • AWS Config Rules: These are pre-configured or custom rules that automatically assess the compliance of resources based on defined conditions.

AWS Config Pricing

AWS Config is priced based on the number of configuration items recorded, the number of rules evaluated, and the number of API calls made. The AWS Config pricing page describes these factors in more detail.

It can deliver configuration items at two frequencies: periodic and continuous. Periodic recording captures configuration data once every 24 hours, and only if a change has occurred, which is sufficient for tasks like operational planning or auditing. Continuous recording captures a configuration item whenever a change happens, which suits security and compliance requirements that call for every configuration change to be tracked in real time.

AWS Config charges along three dimensions (see the AWS pricing page for current rates):

  • Configuration items: cost per configuration item delivered, per AWS account per AWS Region.
  • Config rule evaluations: price per rule evaluation per Region.
  • Conformance pack evaluations (when a resource is evaluated by a Config rule within a conformance pack): price per conformance pack evaluation per Region.

Note - There may be additional costs for S3 storage of snapshots and history files, SNS charges for change notifications, and Lambda charges if you create custom rules.

Cloud Cost Optimization Techniques for AWS Config

Identification of Cost leaks

CloudKeeper Lens

The majority of AWS Config costs arise due to a lack of visibility. Cloud costs can quickly jump from $5 to $50 if left unnoticed. CloudKeeper Lens, a cloud cost visibility solution, provides dashboards with accurate graphs, allowing you to easily visualize these costs. It also offers the ability to set up alerts if costs exceed a defined threshold for a specific service.

CloudWatch and Athena

AWS native services can also be used to improve the visibility of this service's cost. Amazon CloudWatch is one of them. Amazon Athena can also be used to query the data and get accurate cost information. It enhances visibility into your Config costs and resource changes, helping in troubleshooting cost anomalies. By using Athena, you can query Config data and generate custom reports, offering insights into which resources are creating configuration items and driving expenses. AWS provides a guide for setting up Athena over your Config data.

To retrieve the number of changes for specific resources and configuration items, we can use the COUNT function and group the results by resourceId and configurationItemMD5Hash (or any other unique identifier for the configuration version). This will give you a count of how many configuration changes occurred for each resource.

Here’s how you can design the query to get the number of changes for specific resources:

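The query below is an added example, not the one from the original post, and the Python around it is also added here. It assumes the Athena setup from AWS's guide: a table named aws_config_configuration_snapshot whose configurationitems column is an array of rows, partitioned by a dt date string (table name, column and partition are assumptions; adjust them to your setup). It groups per resource and counts distinct configurationItemMD5Hash values, which gives the number of configuration versions per resource alongside the raw count of billable items. The parse_history_file and count_changes functions perform the same aggregation offline on a constructed sample in the shape of a Config history file, so you can sanity-check the numbers before scanning a bucket.

```python
"""Find which resources generate the most AWS Config configuration items.

Added example, not the original post's query. Assumptions (adjust to your
Athena setup): table `aws_config_configuration_snapshot`, a `configurationitems`
column holding an array of rows, and a `dt` partition string.
"""
import json
from collections import Counter, defaultdict

# Athena (Trino-style SQL). UNNEST turns the per-file array into one row per
# configuration item; distinct MD5 hashes approximate distinct configuration versions.
ATHENA_QUERY = """
SELECT item.resourceType,
       item.resourceId,
       COUNT(*)                                      AS configuration_items,
       COUNT(DISTINCT item.configurationItemMD5Hash) AS distinct_versions
FROM aws_config_configuration_snapshot
CROSS JOIN UNNEST(configurationitems) AS t (item)
WHERE dt BETWEEN '2024-05-01' AND '2024-05-31'
GROUP BY item.resourceType, item.resourceId
ORDER BY configuration_items DESC
LIMIT 20
"""


def parse_history_file(text):
    """Parse one (gunzipped) Config history or snapshot file and return its items.

    The files Config delivers to S3 are JSON objects with a `configurationItems` list.
    """
    return json.loads(text)["configurationItems"]


def count_changes(items):
    """Same aggregation as ATHENA_QUERY, over a list of configuration-item dicts."""
    per_resource = Counter()
    versions = defaultdict(set)
    for ci in items:
        key = (ci["resourceType"], ci["resourceId"])
        per_resource[key] += 1
        versions[key].add(ci["configurationItemMD5Hash"])
    rows = [
        {
            "resourceType": rtype,
            "resourceId": rid,
            "configuration_items": n,
            "distinct_versions": len(versions[(rtype, rid)]),
        }
        for (rtype, rid), n in per_resource.items()
    ]
    # Most items (most cost) first, so noisy resources land at the top.
    rows.sort(key=lambda r: (-r["configuration_items"], r["resourceId"]))
    return rows


def run_athena_query(database, output_s3_uri, query=ATHENA_QUERY):
    """Submit the query with boto3 (imported lazily so the pure functions run offline)."""
    import boto3  # assumes AWS credentials and Athena permissions are configured
    athena = boto3.client("athena")
    response = athena.start_query_execution(
        QueryString=query,
        QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": output_s3_uri},
    )
    return response["QueryExecutionId"]


def _item(rtype, rid, md5, captured):
    return {
        "resourceType": rtype,
        "resourceId": rid,
        "configurationItemMD5Hash": md5,
        "configurationItemCaptureTime": captured,
    }


# Constructed sample file: a security group edited repeatedly (one edit reverted,
# so the same hash reappears), a Lambda function deployed twice, an IAM role recorded once.
SAMPLE_HISTORY_FILE = json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        _item("AWS::EC2::SecurityGroup", "sg-0example0001", "a1", "2024-05-02T10:00:00.000Z"),
        _item("AWS::EC2::SecurityGroup", "sg-0example0001", "a2", "2024-05-02T10:05:00.000Z"),
        _item("AWS::EC2::SecurityGroup", "sg-0example0001", "a1", "2024-05-02T10:09:00.000Z"),
        _item("AWS::EC2::SecurityGroup", "sg-0example0001", "a3", "2024-05-03T08:00:00.000Z"),
        _item("AWS::Lambda::Function", "report-generator", "b1", "2024-05-04T12:00:00.000Z"),
        _item("AWS::Lambda::Function", "report-generator", "b2", "2024-05-06T12:00:00.000Z"),
        _item("AWS::IAM::Role", "AROAEXAMPLEROLEID01", "c1", "2024-05-01T00:00:00.000Z"),
    ],
})


if __name__ == "__main__":
    for row in count_changes(parse_history_file(SAMPLE_HISTORY_FILE)):
        print(f"{row['configuration_items']:>3} items, {row['distinct_versions']} versions  "
              f"{row['resourceType']} {row['resourceId']}")
```

Run it on real data by gunzipping the history files Config delivered to your S3 bucket and passing each file's text to parse_history_file; a resource whose configuration_items far exceeds its distinct_versions is flipping between the same states, which is a sign of an automation loop rather than genuine change.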

Fixing the leaks

1. Selectively Record Resources

By default, AWS Config tracks many different types of resources. However, not all resources are equally important to your compliance and governance strategy. Limit the resources you track to those that are critical for your auditing and compliance needs. For instance, you might not need to track every Lambda function or instance in your development environment. This selective recording can significantly reduce the number of configuration items, and thus, the cost.

2. Optimize Config Rule Evaluations

As mentioned earlier, AWS Config charges for rule evaluations. Reducing the number of evaluations by tuning rule evaluation frequency and using rule grouping can lead to direct cost savings. Additionally, turning off unused or unnecessary rules is essential to ensure you aren’t paying for evaluations that don’t add value to your compliance goals.
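The following is an added example, not code from the original post or from AWS, covering both of the steps above: it builds a configuration recorder that records only a named list of resource types, records them daily, and keeps continuous recording only for audit-critical types, and it builds a periodic managed rule with an explicit MaximumExecutionFrequency. The boto3 calls put_configuration_recorder and put_config_rule are the real APIs; the recorder name, role ARN, resource-type list, rule name and rule parameters are placeholders to adapt.

```python
"""Record only what matters, at the frequency it needs.

Added example, not the original post's code. The boto3 calls are the real
put_configuration_recorder / put_config_rule APIs; recorder name, role ARN,
resource types and rule name are placeholders to adapt.
"""
import json

RECORDING_FREQUENCIES = {"CONTINUOUS", "DAILY"}
RULE_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}

# The default recorder shape: every supported type, continuously. Every change
# to every one of those resources becomes a billable configuration item.
DEFAULT_RECORDING_GROUP = {"allSupported": True, "includeGlobalResourceTypes": True}


def recorder_definition(name, role_arn, resource_types, frequency="DAILY", continuous_types=()):
    """Build a ConfigurationRecorder that records only `resource_types`.

    `frequency` applies to all listed types; `continuous_types` (a subset) keep
    CONTINUOUS recording so audit-critical types still capture every change.
    """
    if frequency not in RECORDING_FREQUENCIES:
        raise ValueError(f"recordingFrequency must be one of {sorted(RECORDING_FREQUENCIES)}")
    if not resource_types:
        raise ValueError("list at least one resource type (or keep allSupported=True)")
    stray = set(continuous_types) - set(resource_types)
    if stray:
        raise ValueError(f"continuous override names types that are not recorded: {sorted(stray)}")
    recorder = {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": False, "resourceTypes": sorted(set(resource_types))},
        "recordingMode": {"recordingFrequency": frequency},
    }
    if continuous_types:
        recorder["recordingMode"]["recordingModeOverrides"] = [{
            "description": "audit-critical types: record every change",
            "resourceTypes": sorted(set(continuous_types)),
            "recordingFrequency": "CONTINUOUS",
        }]
    return recorder


def periodic_rule_definition(rule_name, source_identifier, parameters, frequency="TwentyFour_Hours"):
    """Build a managed periodic rule with an explicit MaximumExecutionFrequency.

    Only periodic rules honour this field. Change-triggered rules are evaluated
    per change of the resources they watch, so the saving there comes from
    recording fewer resources, not from this setting.
    """
    if frequency not in RULE_FREQUENCIES:
        raise ValueError(f"MaximumExecutionFrequency must be one of {sorted(RULE_FREQUENCIES)}")
    return {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        "InputParameters": json.dumps(parameters),
        "MaximumExecutionFrequency": frequency,
    }


def apply(recorder, rule):
    """Push both definitions to AWS Config (lazy boto3 import keeps the builders testable offline)."""
    import boto3  # assumes credentials for the target account and region
    config = boto3.client("config")
    config.put_configuration_recorder(ConfigurationRecorder=recorder)
    config.put_config_rule(ConfigRule=rule)


if __name__ == "__main__":
    recorder = recorder_definition(
        name="default",
        role_arn="arn:aws:iam::123456789012:role/config-recorder-role",  # placeholder
        resource_types=["AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
                        "AWS::IAM::Role", "AWS::S3::Bucket"],
        frequency="DAILY",
        continuous_types=["AWS::IAM::Role", "AWS::EC2::SecurityGroup"],
    )
    rule = periodic_rule_definition("access-keys-rotated", "ACCESS_KEYS_ROTATED",
                                    {"maxAccessKeyAge": "90"})
    print(json.dumps({"recorder": recorder, "rule": rule}, indent=2))
```

Compare the built recordingGroup with DEFAULT_RECORDING_GROUP to see exactly what is being given up: anything not in resourceTypes will no longer have a configuration history, so the list should be agreed with whoever consumes Config data for audits before it is applied.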

3. Automate Cost Optimization Through Policies

Use AWS Config and AWS Lambda together to automate the shutdown or cleanup of non-compliant or unnecessary resources. For instance, if an instance in a test environment is not tagged correctly, a Lambda function could automatically stop it, thereby reducing unnecessary costs. Automation not only helps with compliance but can also help you avoid the ongoing costs of unused or misconfigured resources.
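The Lambda function below is an added example of the automation described above, not code from the original post. It assumes an EventBridge rule forwards "Config Rules Compliance Change" events from a required-tags rule to the function, that the function's role allows ec2:DescribeInstances and ec2:StopInstances, and that test instances carry the tag Environment=test (the guard tag and the required tag names are conventions assumed here). The decision is a pure function so it can be tested without AWS, the function re-reads the instance's tags before acting in case someone fixed them in the meantime, and it defaults to a dry run that only logs what it would have stopped.

```python
"""Stop a mis-tagged test instance when a Config rule marks it NON_COMPLIANT.

Added example, not the original post's code. Assumes: an EventBridge rule
forwards "Config Rules Compliance Change" events for a required-tags rule to
this Lambda; the Lambda role allows ec2:DescribeInstances and ec2:StopInstances;
and test instances carry the tag Environment=test (a convention assumed here).
"""
import os

GUARD_TAG = ("Environment", "test")       # only instances with this tag are ever touched
REQUIRED_TAGS = ("Owner", "CostCenter")   # tags the Config rule requires (assumed)


def instance_tags_and_state(describe_response):
    """Return ({tag: value}, state_name) for the first instance in a describe_instances response."""
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            return tags, inst.get("State", {}).get("Name")
    return None, None


def decide(event, tags, state):
    """Pure decision function: returns ("stop" | "skip", reason)."""
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::EC2::Instance":
        return "skip", "not an EC2 instance"
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return "skip", "evaluation is not NON_COMPLIANT"
    if tags is None:
        return "skip", "instance no longer exists"
    if tags.get(GUARD_TAG[0]) != GUARD_TAG[1]:
        return "skip", "not a test instance; leave it for a human"
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if not missing:
        return "skip", "required tags are present now"   # fixed between evaluation and this run
    if state != "running":
        return "skip", f"instance state is {state}"
    return "stop", "missing required tags: " + ", ".join(missing)


def lambda_handler(event, context):
    import boto3  # imported lazily so decide() can be unit-tested without AWS
    detail = event["detail"]
    ec2 = boto3.client("ec2", region_name=detail["awsRegion"])
    instance_id = detail["resourceId"]
    tags, state = instance_tags_and_state(ec2.describe_instances(InstanceIds=[instance_id]))
    action, reason = decide(event, tags, state)
    dry_run = os.environ.get("DRY_RUN", "true").lower() == "true"   # observe-only by default
    if action == "stop" and not dry_run:
        ec2.stop_instances(InstanceIds=[instance_id])
    print(f"{instance_id}: {action} ({reason}){' [dry run]' if dry_run else ''}")
    return {"instanceId": instance_id, "action": action, "reason": reason, "dryRun": dry_run}


# Constructed event in the shape EventBridge delivers for Config compliance changes.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "detail": {
        "resourceId": "i-0example0000000001",
        "resourceType": "AWS::EC2::Instance",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "configRuleName": "required-tags",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

# Constructed describe_instances response for that instance.
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [{
    "InstanceId": "i-0example0000000001",
    "State": {"Name": "running"},
    "Tags": [{"Key": "Environment", "Value": "test"}, {"Key": "Name", "Value": "scratch-box"}],
}]}]}

if __name__ == "__main__":
    tags, state = instance_tags_and_state(SAMPLE_DESCRIBE)
    print(decide(SAMPLE_EVENT, tags, state))
```

Set DRY_RUN=false in the function's environment only after the logged decisions have been reviewed for a while; the guard tag is what keeps a mis-scoped rule from stopping production instances, so the Config rule and this function should agree on what identifies a test instance.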

4. Review Configuration Snapshots Regularly

AWS Config creates snapshots of your resource configurations, which can take up considerable space over time. Regularly reviewing and cleaning up old or unnecessary snapshots can save storage costs. Additionally, consider exporting configuration data to Amazon S3 and archiving it there to reduce the load on AWS Config directly.

Conclusion

AWS Config offers valuable insights into AWS environment compliance and security, but costs can rise quickly. Optimize usage through selective enabling, custom rules, and regular cost reviews. Balance compliance needs with cost efficiency to make AWS Config a powerful yet cost-effective governance tool.

Meet the Author
  • Arpit Shah
    Senior DevOps Engineer

    Arpit is a senior DevOps Engineer with over 6 years of experience in the DevOps and SRE field.
