TL;DR: AWS Config charges ~$0.003 per configuration item — one CI per recorded resource change — and the default records every supported type in every region. The silent killer is AWS::EC2::NetworkInterface: every Lambda-in-VPC, Fargate task, and ECS container churns ENIs by the thousands, at zero audit value. Excluding the high-churn types and switching autoscaled resources to daily recording typically cuts 40–70% of the bill with no loss of compliance coverage.
The numbers
- ~$0.003/CI recorded + $0.001 per rule evaluation (per change, per rule — conformance packs multiply this)
- Field example: an $800/month Config bill decomposed as 52% ENI churn, 18% EBS volume changes, 12% autoscaling instance CIs — compliance-relevant types were under 8%. Exclusions + daily recording → $290/month, and the SOC 2 auditor never asked about ENI history
- Second pattern: Config enabled in all 17 regions by a tutorial, ~$200/month metering regions with no real workloads
Do this
-
See what's churning: Config console → Resources, sorted by CI count over 30 days. The top five types are usually 80% of the bill (ENI, Volume, Subnet, Instance, LogStream).
-
Apply the exclusion list — keep AWS's auto-expanding "all supported" base, subtract the noise:
aws configservice put-configuration-recorder \ --configuration-recorder name=default,roleARN=<role>,recordingGroup='{ "allSupported": false, "exclusionByResourceTypes": {"resourceTypes": ["AWS::EC2::NetworkInterface","AWS::EC2::Subnet","AWS::EC2::Volume", "AWS::Logs::LogStream","AWS::SSM::ManagedInstanceInventory"]}, "useOnly": "EXCLUSION_BY_RESOURCE_TYPES" }' -
Switch churny-but-kept types to daily recording (EC2 Instances, ECS Tasks, EKS nodes): one CI/day instead of one per autoscaling event. Keep continuous on the forensically hot set — IAM, Security Groups, S3 bucket policies, KMS — where "the moment it happened" matters.
-
Prune rules and regions: disable rules targeting excluded types (they still evaluate and bill), deduplicate overlapping conformance packs, and turn the recorder off in regions with no meaningful footprint.
-
Aggregators: apply the same exclusions on the aggregator side, or multi-account setups pay every noisy CI twice.
Gotchas
- Never cut into the security core to save pennies: IAM, Security Groups, NACLs, S3 policies, KMS keys, CloudTrail trails, ACM, WAF. Their recording cost is small; their absence during an incident is enormous.
- Compliance lists are your minimum, not your ceiling — PCI/HIPAA/SOC 2 scopes name far fewer types than "all supported." Ask "does our scope require type X?" per exclusion, and daily recording usually satisfies vaguely-worded frequency requirements.
- Rules keep billing after you exclude their target type — prune them together.
- Don't confuse this with CloudTrail (event recording, separately billed) or application config services (AppConfig/SSM).
Skip this if
- Config isn't enabled and you have no compliance need — the cheapest Config is none, though IAM/SG change history is genuinely useful in incident response (enable selectively, one region).
- Your recorder already runs a tuned exclusion list — the remaining levers are daily-frequency, rules, and regions.
- The same audit energy is better spent first on GuardDuty plans or CloudWatch retention if those line items are bigger.