I've noticed that AWS Config is racking up a hefty bill for me, particularly since I constantly create and destroy resources in my pre-prod environment. Recently, I transitioned to managing my dev account through AWS Control Tower, but it seems to impose restrictions on managed accounts, including not allowing me to stop recording or adjust the logging frequency. I'm considering whether it might be better to detach my pre-prod environment from Control Tower. Is this a wise decision? And is there any way to disable AWS Config recording altogether?
6 Answers
We ran into a similar situation. Support suggested temporarily disabling the SCP that restricts Config modifications. This allows you to change the frequency of logs, but be warned—every time Control Tower updates, those changes might get overwritten!
Instead of modifying SCPs, consider assuming **AWSControlTowerExecution** for any changes. This way you can bypass some issues with CloudFormation drift without touching those stacks.
Honestly, I find Control Tower quite limiting. However, you can assume the OrganizationAccountAccessRole to tweak your configuration per account and make it less painful. AWS support's suggestions can sometimes feel like adding more layers to a tangled web—it's better to switch to daily tracking instead of continuous for resources that fluctuate frequently.
Great point! Daily recording could save a lot, especially for environments that have changes you don't need to track endlessly.
Remember, you can exclude certain resources from being tracked by AWS Config. I did it for resources that don't need close monitoring, and it really helped lower costs.
Is it possible to update the settings for AWS Config to do daily recordings instead of continuous? That might be a simple fix!
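Putting the two suggestions above together (assume AWSControlTowerExecution rather than edit SCPs; switch the recorder to daily with exclusions), here is an added example in Python/boto3 that is not from any poster in this thread. The account id, recorder name, role ARN and resource types are placeholders; the `put_configuration_recorder` recording-mode and exclusion fields are the real AWS Config API shape.

```python
"""Move a Control Tower member account's Config recorder to DAILY recording
with exclusions, pushed through the AWSControlTowerExecution role.
Added example; account id, names and resource types are placeholders."""

# Types worth keeping on CONTINUOUS even in a churny pre-prod account
CONTINUOUS_TYPES = ["AWS::IAM::Role", "AWS::IAM::Policy"]


def build_recorder_config(name, role_arn, excluded_types,
                          continuous_types=CONTINUOUS_TYPES):
    """Return the ConfigurationRecorder structure for put_configuration_recorder:
    exclusion-based recording group, DAILY default frequency, CONTINUOUS
    override for the listed types. A type cannot be both excluded and overridden,
    so that combination is rejected before any API call."""
    overlap = set(excluded_types) & set(continuous_types)
    if overlap:
        raise ValueError(f"excluded and continuous types overlap: {sorted(overlap)}")
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "exclusionByResourceTypes": {"resourceTypes": sorted(excluded_types)},
            "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        },
        "recordingMode": {
            "recordingFrequency": "DAILY",
            "recordingModeOverrides": [{
                "description": "keep identity changes continuous",
                "resourceTypes": sorted(continuous_types),
                "recordingFrequency": "CONTINUOUS",
            }],
        },
    }


def apply_in_member_account(account_id, region, recorder):
    """From the management account, assume AWSControlTowerExecution in the
    member account (exempt from Control Tower SCPs) and push the recorder.
    boto3 is imported lazily so build_recorder_config stays usable offline."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/AWSControlTowerExecution",
        RoleSessionName="config-daily-recording")["Credentials"]
    config = boto3.client("config", region_name=region,
                          aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
    config.put_configuration_recorder(ConfigurationRecorder=recorder)
    return config.describe_configuration_recorders()["ConfigurationRecorders"]
```

As the first answer warns, a later Control Tower update or landing-zone repair can reset the recorder, so re-run this after such updates and check `describe_configuration_recorders` output in your cost review.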
You can find some helpful tips on customization here: [AWS Blog - Customize AWS Config](https://aws.amazon.com/blogs/mt/customize-aws-config-resource-tracking-in-aws-control-tower-environment/). I faced the same cost issues, and it definitely helped me reduce expenses.
If you're looking to eliminate AWS Config, your best bet is to pull the account out of Control Tower. The majority of Control Tower's features, including SCPs, are tied to AWS Config. It's kind of a catch-22, though—AWS Config has its strengths, but its pricing can be a real hurdle for dynamic environments.

That's interesting, but I'm surprised they proposed that method. It seems a bit risky, right?