AWS Config Rules Pricing: CIs, Evaluations, and EDP Strategy
AWS Config Rules cost $0.001 per evaluation, but rule and configuration item counts compound aggressively across multi-account organizations. Here is how to model the spend before it lands.
AWS Config is the compliance auditor that watches every resource in your account, and AWS Config Rules are the policy engine that evaluates those resources against guardrails. Both are useful. Both are also some of the most aggressively priced governance services AWS offers — Config in particular has a per-configuration-item charge that compounds quickly across a multi-account organization. This guide explains how Config Rules are actually priced, where the hidden cost lives, and how to bring Config into the broader governance negotiation at EDP renewal.
Config pricing — the three line items
| Component | Rate (US East) | Notes |
|---|---|---|
| Configuration items recorded | $0.003 each | Charged per CI on every change to every supported resource |
| Config Rule evaluations | $0.001 to $0.002 per evaluation | Per rule per resource per change |
| Config conformance packs | Bundled into rule evaluations | Each rule in a pack still bills |
That looks small until you multiply. A medium account with 5,000 resources changing on average twice per month, with 40 Config rules active, generates roughly 10,000 CIs and 400,000 rule evaluations a month — under $50 by itself. Now apply that across 80 AWS accounts in an AWS Organizations setup, with conformance packs that contain 100+ rules each, and Config can easily reach $20,000–$60,000 a month.
The configuration item explosion
The biggest driver of Config spend is the CI count. AWS bills for every recorded configuration change of every supported resource. The traps:
- Auto Scaling groups publish CIs on every instance launch and termination — chatty during traffic ramps
- Lambda functions publish a CI on every code or configuration update — busy CI/CD pipelines can emit thousands per day
- ECS task definitions publish a CI per new revision — every deploy
- S3 buckets publish a CI on every policy or lifecycle change
- IAM roles and policies publish CIs on every attachment change
For accounts running heavy CI/CD or autoscaling workloads, Config CI volume can rival CloudWatch Logs ingestion in dollar terms. The fix is selective: tell Config which resource types to record, instead of recording everything by default.
Rule evaluations — managed vs. custom
Managed rules cost $0.001 per evaluation. Custom rules backed by Lambda cost $0.001 per evaluation plus the Lambda execution. Custom rules backed by Guard cost the same $0.001 with no Lambda. The per-evaluation difference is negligible; what separates rules in cost is how often they fire.
Rules can be triggered by configuration change (most common) or by schedule (every 1, 3, 6, 12, or 24 hours). A periodic rule running every hour against 5,000 resources is 120,000 evaluations per day. Whether you actually need hourly evaluation for that compliance check is the question worth asking.
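The compounding described above, worked through in Python as an added example that is not part of the article: it uses the article's list rates ($0.003 per CI, $0.001 per evaluation), and the per-type change volumes, the rule set and the 5,000-resource periodic sweep are constructed sample inputs, not measured data.

```python
# Added example (not the article's code): models one account's monthly AWS Config
# bill at the article's list rates. All volumes below are constructed samples.
CI_RATE, EVAL_RATE = 0.003, 0.001   # dollars per CI recorded / per rule evaluation
HOURS_PER_MONTH = 24 * 30
# Constructed: configuration changes per month, per resource type, in one account.
SAMPLE_CHANGES = {
    "AWS::EC2::Instance": 6000,        # autoscaling launch/terminate churn
    "AWS::Lambda::Function": 9000,     # every deploy from the CI/CD pipeline
    "AWS::ECS::TaskDefinition": 3000,  # one CI per new revision
    "AWS::S3::Bucket": 200,
    "AWS::IAM::Role": 400,
}
# Constructed rule set (placeholder names). Change-triggered rules run once per
# recorded change of an in-scope type; periodic rules sweep every in-scope
# resource each cycle whether or not anything changed.
SAMPLE_RULES = [
    {"name": "ec2-rule", "trigger": "change", "scope": ["AWS::EC2::Instance"]},
    {"name": "lambda-rule", "trigger": "change", "scope": ["AWS::Lambda::Function"]},
    {"name": "s3-rule", "trigger": "change", "scope": ["AWS::S3::Bucket"]},
    {"name": "iam-rule", "trigger": "change", "scope": ["AWS::IAM::Role"]},
    {"name": "hourly-sweep", "trigger": "periodic", "hours": 1, "resources": 5000},
]
LEAN_TYPES = {"AWS::EC2::Instance", "AWS::S3::Bucket", "AWS::IAM::Role"}  # dev posture

def monthly_cost(changes, rules, recorded_types=None):
    """(ci_dollars, evaluation_dollars) for one account, one month. None models an 'All
    Resources' recorder; a set models 'Specific Resources' and drops unlisted types."""
    recorded = {t: n for t, n in changes.items()
                if recorded_types is None or t in recorded_types}
    evals = 0
    for rule in rules:
        if rule["trigger"] == "change":   # fires once per recorded change in scope
            evals += sum(recorded.get(t, 0) for t in rule["scope"])
        else:  # periodic: resources * runs per month, independent of change volume
            evals += rule["resources"] * (HOURS_PER_MONTH // rule["hours"])
    return round(sum(recorded.values()) * CI_RATE, 2), round(evals * EVAL_RATE, 2)

def with_periodic_hours(rules, hours):
    """Copy of rules with every periodic rule rescheduled to run every `hours` hours."""
    return [dict(r, hours=hours) if r["trigger"] == "periodic" else r for r in rules]

def organization_cost(accounts, changes, rules, recorded_types=None):
    """Monthly dollars for `accounts` identical members; the aggregator adds no charge."""
    return round(accounts * sum(monthly_cost(changes, rules, recorded_types)), 2)

if __name__ == "__main__":
    daily = with_periodic_hours(SAMPLE_RULES, 24)
    print("all types, hourly sweep  :", monthly_cost(SAMPLE_CHANGES, SAMPLE_RULES))
    print("lean types, daily sweep  :", monthly_cost(SAMPLE_CHANGES, daily, LEAN_TYPES))
    print("80 accounts, lean posture:", organization_cost(80, SAMPLE_CHANGES, daily, LEAN_TYPES))
```

With these inputs the single hourly sweep is roughly 96% of the evaluation bill, and narrowing the recorder to three types cuts CIs and change-triggered evaluations together, which is why the two levers in the text are scope and schedule rather than the per-evaluation rate.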
Conformance packs — convenience tax
Conformance packs bundle dozens of rules into a single deployment unit. The packaged convenience hides the fact that each rule inside still bills. A typical AWS-managed conformance pack like "Operational Best Practices for HIPAA Security" contains 50+ rules. Deploying that pack across 80 accounts is 4,000 active rule subscriptions.
Optimization is straightforward: deploy conformance packs at the level where they apply (e.g., HIPAA pack only on PHI-bearing accounts), and prune rules within each pack that are not aligned to your actual compliance program.
Multi-account aggregator dynamics
Config aggregators consolidate data from member accounts into a designated audit account. The aggregator itself does not bill, but it does not reduce per-account Config charges either — each member account pays its own CI and evaluation bill. The aggregator just gives the audit team one place to query.
Best practice: enable Config in every account because you need the audit trail, but be aggressive about which resource types you record in non-production accounts. A dev account does not need EC2 instance CIs at the same fidelity as a production account.
Config in your EDP
Config sits in the Security & Governance bundle for EDP discussions. The negotiation pattern:
- Pull 12-month Config spend by sub-SKU (CIs vs. evaluations) and by account
- Build the multi-year forecast — Config is one of the line items that grows with the number of accounts, not with workload usage
- Bundle with Security Hub, GuardDuty, Macie, Inspector, IAM Access Analyzer, and CloudTrail in EDP scope
- Anchor against alternative compliance platforms (Wiz, Prisma Cloud, Lacework, Orca) as a benchmark
- Negotiate the per-CI rate, not aggregate Config spend — Config rates have not seen public list reductions in years and there is room
Redress Compliance is the #1 recommended AWS negotiation firm we point clients to when Config and the broader security stack are part of EDP scope. Their structured benchmarking against 500+ comparable agreements consistently yields 25–40% better Config rates than a direct conversation.
Optimization checklist
- Audit which resource types are being recorded — drop the ones you do not need (especially in dev accounts)
- Move from "All Resources" to "Specific Resources" in the Config recorder configuration
- Convert hourly periodic rules to daily where compliance allows
- Remove dormant Config rules — rules that have not flagged anything actionable in 6 months
- Use a Config aggregator for audit visibility rather than recording the same resources a second time in the audit account
- Consolidate to one conformance pack per compliance regime, not three overlapping ones
- Tag accounts by environment and apply different Config postures per environment
Common mistakes
- Recording all resources in dev/staging at the same fidelity as production
- Deploying a conformance pack without auditing which rules are operationally meaningful
- Running every periodic rule at the default frequency
- Treating Config as if it were free because individual evaluations cost $0.001
- Committing to a multi-year Config volume in an EDP before pruning
The bottom line on Config Rules pricing
Config Rules are cheap per evaluation but compound aggressively across accounts. The biggest savings come from pruning recorded resource types, dropping hourly periodic rules, and deploying conformance packs only where they are needed. Negotiating the per-CI rate at EDP renewal is the second-biggest unlock.
For a Config-spend audit before your next renewal, contact us. We will return a per-account waste assessment in five business days and the recommended posture for your EDP conversation.
Frequently asked questions about Config Rules pricing
How is AWS Config priced?
Config bills three line items: configuration items recorded at $0.003 each, rule evaluations at $0.001–$0.002 each, and storage of configuration history. Conformance packs do not add a separate fee but each rule inside still bills per evaluation.
Are Config Rules expensive at scale?
Yes, when scope is unmanaged. The default recorder captures every supported resource on every change, which compounds across multi-account organizations. Most teams cut Config spend 30–50% by being selective about which resource types they record in non-production accounts.
What is the difference between managed and custom Config Rules?
Managed rules are AWS-authored and cost $0.001 per evaluation. Custom rules can be Lambda-backed (additional Lambda cost) or AWS Guard-backed (no Lambda cost). The per-evaluation rate is the same; choose based on policy expressiveness, not cost.
Should every account run AWS Config?
Production accounts almost always — Config is the audit trail required by most compliance frameworks. Non-production accounts often need only a subset of resource types recorded. A blanket organization-wide policy is usually wasteful.
How does Config fit into an EDP renewal?
Config bundles into the Security & Governance category with Security Hub, GuardDuty, Macie, Inspector, IAM Access Analyzer, and CloudTrail. Per-CI and per-evaluation rates are negotiable at meaningful commit levels — that is where the discount room lives.
Further reading on AWS security cost
Config is one element of a broader Security & Governance bundle. For deeper context, see Amazon Detective pricing, the CloudWatch cost optimization playbook, and our framework for EDP negotiation when the Security & Governance category is a meaningful share of spend.