
At first glance, AWS Config seems like a no-brainer for tracking changes, catching misconfigurations, and proving compliance. But beneath the surface, Config pricing can get surprisingly intricate.

Costs don’t just depend on the number of resources you monitor. They also hinge on how often those resources change, how many rules you evaluate, and how you manage historical data.

In this guide, we’ll demystify AWS Config pricing. You’ll learn what you’re paying for, what drives costs up, and how to reduce unnecessary spend, all without compromising the governance and insight your cloud team relies on.

What Is AWS Config?

AWS Config is a fully managed service that tracks the configuration state of your AWS resources over time. Think of it as a snapshot tool for your AWS cloud environment. It records changes to items such as security group rules, IAM roles, EC2 instance settings, and much more. 

This historical visibility helps your team monitor compliance, audit resource usage, and troubleshoot issues based on how things were configured at any point in time.

For engineering teams, AWS Config enables better control over infrastructure drift and change management. 

For CTOs and CFOs, it supports governance and accountability, both essential for cloud security and financial compliance initiatives.

Some of the key use cases of AWS Config include:

  • Compliance auditing: Check whether AWS resources are aligned with internal policies or external standards like HIPAA or SOC 2.
  • Security analysis: Identify misconfigured resources or risky changes (such as an open S3 bucket).
  • Operational troubleshooting: Understand when and how a resource’s configuration changed, so you can pinpoint root causes and minimize time to recovery.
  • Change tracking: Maintain a detailed, queryable history of resource configurations across your environment.

Yet, AWS Config is not “set and forget.” 

Because it continuously tracks changes and evaluates rules, usage (and cost) can scale quickly, especially in dynamic or multi-account environments. And as your infrastructure grows, so can your Config costs — sometimes in ways that aren’t immediately obvious. 

Here’s what we mean by that.


How AWS Config Pricing Works

AWS Config uses a pay-as-you-go pricing model. No upfront commitments or minimums are required. The free tier gets you 7,500 free configuration items in your first 30 days. However, there’s no free tier for rule evaluations or conformance packs. Those start charging immediately.

Still, costs can escalate fast depending on how extensively you monitor your cloud environment. Here are the four main components that drive your AWS Config bill:

1. Configuration Items (Config Items)

These are records of changes to your AWS resources. Every time a supported resource changes, say, a security group is updated or an EC2 tag is modified, AWS Config records a new config item.

AWS Config offers two recording modes:

  • Continuous recording: Captures configuration changes in real-time as they occur. Each configuration item recorded in this mode costs $0.003.
  • Periodic recording: Captures the configuration of resources at specified intervals (say, every 24 hours). Each configuration item recorded in this mode costs $0.012.

However, even if a resource doesn’t change, Config may still record data periodically (like every six hours for some services), which can increase volume and cost.

2. Rule evaluations

AWS Config supports managed rules (predefined by AWS) and custom rules (which you define using AWS Lambda). 

Charges for rule evaluations are as follows:

  • First 100,000 evaluations per region per month: $0.001 per evaluation
  • Next 400,000 evaluations (up to 500,000): $0.0008 per evaluation
  • Over 500,000 evaluations: $0.0005 per evaluation.

For custom rules that invoke AWS Lambda functions, additional Lambda charges will apply based on execution time and number of invocations.

See: A Simple Guide To AWS Lambda Pricing And Cost Management

3. Conformance packs

A conformance pack is a collection of Config rules packaged together to check compliance with specific frameworks, such as PCI-DSS or CIS benchmarks. You deploy each pack as a single entity.

AWS charges per evaluation of each rule in the conformance pack, per account, per region. The pricing for conformance pack evaluations mirrors that of individual rule evaluations:

  • First 100,000 evaluations per region per month: $0.001 per evaluation
  • Next 400,000 evaluations (100,001 – 500,000): $0.0008 per evaluation
  • Over 500,000 evaluations: $0.0005 per evaluation.

This means that running the same pack across five accounts and five regions could quickly multiply your costs.

4. Aggregators

Aggregators let you centralize AWS Config data across accounts and regions. The aggregator itself doesn’t incur a direct cost. However, the underlying evaluations and data collection do. This means that expanding coverage across accounts and regions can (and often does) increase your bill.

Oh, one more thing. When you first enable AWS Config, it performs an initial recording of all supported resources. For continuous recording, this results in a one-time cost of $0.003 per resource.

AWS Config Cost Drivers: What Impacts Your Config Bill

Understanding the workings of AWS Config pricing is one thing. Knowing what actually drives your bill is how you take control. And we promised a full breakdown, so here are the key cost drivers that can silently inflate your AWS Config spend:

1. Number of tracked resources

The more AWS resources (like EC2 instances, S3 buckets, IAM roles, etc.) you enable for Config tracking, the more configuration items are generated. If you enable AWS Config across multiple regions or accounts without scoping it properly, you could end up tracking thousands of resources. Yes, even ones that don’t need continuous monitoring.

2. Frequency of changes

Every configuration change generates a new config item. That means more charges. Highly dynamic environments, like CI/CD pipelines or autoscaling groups, can generate a flood of config items, especially if they update tags, policies, or network settings frequently.

3. Rule evaluation volume

Managed rules are cost-effective but can still add up with frequent evaluations across many resources. 

If you’re using Amazon SNS for configuration change notifications, standard SNS charges also apply.

See: AWS SNS Pricing: How To Understand And Optimize Costs

Custom rules drive up costs even faster. Each evaluation may trigger a Lambda function, effectively doubling your billing surface (Config + Lambda).

Here’s a quick example. A custom rule checking S3 bucket encryption every 15 minutes across 300 buckets equals about 28,800 evaluations per day. That also means 28,800 Lambda executions to match.

4. Conformance pack scope

Conformance packs multiply rule evaluations by the number of accounts and regions you deploy them to. If you apply a 10-rule pack across 5 accounts in 3 regions, you’re looking at 150 evaluations per check cycle.

5. Retention of configuration history

AWS Config stores historical configuration snapshots in S3. While Config doesn’t charge directly for storage, you’ll still pay S3 storage and retrieval fees. And that can add up, especially if you retain data long-term or access it frequently for audits or incident reviews.

See: The No BS Guide To Understanding Amazon S3 Storage Costs

6. Multi-account, multi-region aggregation

Aggregators are great for centralized visibility. Yet enabling Config in every account and region to feed the aggregator can quickly scale your config item and evaluation volumes, and your bill along with them.

AWS Config Pricing Examples

Suppose you have the following monthly usage in the US East (N. Virginia) region:

  • 10,000 configuration items recorded:
    • Continuous recording: 10,000 × $0.003 = $30
  • 50,000 AWS Config rule evaluations:
    • 50,000 × $0.001 = $50
  • 15,000 conformance pack evaluations:
    • 15,000 × $0.001 = $15

Total Monthly Cost: $30 (CIs) + $50 (Rule evaluations) + $15 (Conformance pack evaluations) = $95

This example does not include additional costs such as S3 storage, SNS notifications, or Lambda executions.
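The example above stays inside the first evaluation tier. The sketch below is an added example, not AWS's or CloudZero's code: it applies the tiered evaluation prices listed on this page to the custom-rule scenario from the cost drivers section (300 buckets checked every 15 minutes). It assumes a 30-day month and that rule and conformance pack evaluations are tiered separately, as the example above prices them; the function names are hypothetical.

```python
from decimal import Decimal

# Prices as listed on this page (USD per configuration item).
CI_PRICE = {"continuous": Decimal("0.003"), "periodic": Decimal("0.012")}
# (tier upper bound in evaluations, price per evaluation); None = no upper bound.
EVAL_TIERS = [
    (100_000, Decimal("0.001")),
    (500_000, Decimal("0.0008")),
    (None, Decimal("0.0005")),
]


def tiered_eval_cost(evaluations: int) -> Decimal:
    """Cost of one region's monthly evaluations, charged tier by tier."""
    if evaluations < 0:
        raise ValueError("evaluations must be non-negative")
    cost, lower = Decimal("0"), 0
    for upper, price in EVAL_TIERS:
        if evaluations <= lower:
            break  # nothing left to charge in this or higher tiers
        in_tier = (evaluations if upper is None else min(evaluations, upper)) - lower
        cost += in_tier * price
        lower = upper if upper is not None else evaluations
    return cost


def monthly_cost(config_items: int, mode: str, rule_evals: int, pack_evals: int = 0) -> Decimal:
    """Config items plus rule and conformance pack evaluations for one region.

    Assumption: rule and pack evaluations are tiered separately.
    """
    return (config_items * CI_PRICE[mode]
            + tiered_eval_cost(rule_evals)
            + tiered_eval_cost(pack_evals))


def periodic_rule_evals(resources: int, interval_minutes: int, days: int = 30) -> int:
    """Evaluations produced by a rule that re-checks every resource on a schedule."""
    cycles_per_day = (24 * 60) // interval_minutes
    return resources * cycles_per_day * days


if __name__ == "__main__":
    # The page's worked example: 10,000 CIs, 50,000 rule and 15,000 pack evaluations.
    print("page example:", monthly_cost(10_000, "continuous", 50_000, 15_000))
    # The page's custom-rule scenario: 300 buckets every 15 minutes.
    evals = periodic_rule_evals(300, 15)
    print("custom rule:", evals, "evaluations,", tiered_eval_cost(evals), "USD")
```

The custom rule alone reaches all three tiers within a month, and the figure excludes the matching Lambda invocations.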

When To Use Config Vs. Top Config Alternatives

AWS Config is deeply integrated into the AWS ecosystem, making it a go-to choice for tracking resource configurations and enforcing compliance. 

When to use AWS Config:

  • You’re all-in on AWS. Config works best when your entire infrastructure lives inside AWS. Its deep integration with services like IAM, CloudTrail, and Lambda makes automation and enforcement seamless.
  • You need continuous compliance monitoring. It’s ideal for environments that must adhere to frameworks like PCI-DSS, HIPAA, or CIS. This is especially so when paired with conformance packs.
  • You want to track every config change. Config gives you a fine-grained change history for supported AWS resources. This is valuable for audits and incident reviews.
  • You value automation. With Config rules and remediation actions, you can auto-fix or flag issues — all without writing custom code (for managed rules).

But depending on your use case, there may be more flexible, cost-efficient, or multi-cloud alternatives that better fit your needs.

Check out these AWS Config alternatives:

1. Cloud Custodian: An open-source rules engine for enforcing policies on cloud infrastructure. It offers:

  • Multi-cloud support (AWS, Azure, GCP)
  • Cost-effectiveness (no per-resource charges)
  • Customizability

Cloud Custodian is ideal for FinOps or DevSecOps teams that want policy-as-code flexibility and automation without vendor lock-in.

2. HashiCorp Sentinel: A policy-as-code framework used with HashiCorp tools like Terraform and Vault. Its key features include:

  • Deep policy integration with Terraform
  • Ideal for infrastructure-as-code governance
  • Ideal for teams already using HashiCorp tools and looking to shift compliance left into provisioning pipelines

3. Open Policy Agent (OPA): A general-purpose policy engine often used with Kubernetes, APIs, and CI/CD workflows. OPA:

  • Is extremely flexible and powerful
  • Works well in Kubernetes and service mesh environments
  • Is suitable for engineering teams building custom platforms or needing fine-grained policy control across services

4. Prisma Cloud by Palo Alto Networks: A commercial cloud security posture management (CSPM) platform. Its key features are:

  • Unified multi-cloud compliance and threat detection
  • Rich visualizations and reporting
  • Built for large enterprises with complex, multi-cloud footprints and robust security teams

5. Wiz: A fast-growing CSPM and vulnerability management tool. Features include:

  • Agentless scanning
  • Near real-time visibility into risks and misconfigurations
  • Designed for security-first teams that need fast deployment and wide resource coverage

Take The Next Step: How To Understand, Track, And Optimize Your AWS Config Costs With Precision 

AWS Config is powerful — no doubt about that. But its cost model can catch teams off guard, especially at scale.

The good news? With the right strategies, you can retain Config’s visibility and compliance benefits without racking up unnecessary charges. Here’s how.

1. Scope recording to only what matters

Don’t enable Config for every supported resource by default. Instead:

  • Target high-risk or compliance-sensitive resources (such as IAM roles, S3 buckets, security groups).
  • Avoid tracking volatile or short-lived resources unless absolutely necessary.
  • Disable unused regions or accounts from recording altogether.

This reduces the number of config items recorded — your biggest cost driver.

2. Choose the recording mode prudently

Use continuous recording ($0.003 per item) for frequently changing resources or when real-time visibility is critical. It’s more cost-effective in dynamic environments and offers faster feedback loops.

Run periodic recording ($0.012 per item) only when scheduled snapshots are needed. It’s more expensive per item and doesn’t reduce data volume if resources change often.

3. Consolidate and optimize rules

Choose managed rules over custom ones where possible. They’re easier to maintain and don’t incur Lambda costs.

Also, minimize redundancy. If multiple rules evaluate the same thing (such as S3 encryption), consolidate or bundle them into a single conformance pack.

Adjust evaluation frequency based on actual risk, say, hourly for critical assets, daily or weekly for less sensitive ones.

4. Limit conformance pack scope

Applying the same conformance pack across multiple accounts and regions multiplies evaluations and your Config bill. Instead:

  • Use account-specific or region-specific packs where needed.
  • Group related compliance needs into fewer, well-optimized packs.
  • Periodically review and retire packs that are no longer in use.

5. Watch your Lambda usage

Reduce Lambda costs by optimizing function memory and runtime duration. Also, use lightweight, event-driven logic, and replace frequent evaluations with smarter triggers where possible.

6. Store old data smarter

AWS Config uses Amazon S3 for historical config data. Over time, this can grow into terabytes. So, use S3 lifecycle policies to transition older config history to cheaper storage tiers such as S3 Glacier. You can also expire data you no longer need for compliance or audit purposes.

7. Take advantage of CloudZero to understand, track, and optimize AWS Config costs with precision

If you’ve ever stared at a surprise AWS bill wondering what happened, you’re not alone — and AWS Config doesn’t make it easy to find the answer. 

Its native tools are invaluable for security and compliance auditing. But they do not show why your costs rise, who is responsible, or what you should do next.

That’s where CloudZero comes in.

CloudZero turns your AWS Config costs into clear, actionable intelligence. With it, you can:

  • See exactly which teams, services, or environments drive your costs, right down to the hour.
  • Catch overspending early, like a custom rule gone rogue or a config item spike, before it eats into your margins.
  • Understand cost per rule, conformance pack, or Lambda invocation, and how it fits into your broader AWS spend.

CloudZero doesn’t just monitor your AWS Config costs. It pulls in data across all your AWS services, accounts, and regions (and even across clouds), giving you a single, unified view of your cloud spend.

That’s how teams at Coinbase and Expedia stay in control — not just of their AWS Config costs, but of their entire cloud strategy. Now it’s your turn to start protecting your margins.
