
AWS Control Tower Cost Impact: The 3 to 8 Percent Bill Lift Nobody Budgets For

Control Tower is free to deploy. The Config, CloudWatch, GuardDuty, and audit-storage cost it produces is not. Most enterprises see a 3 to 8 percent lift in baseline AWS spend in the first quarter after deployment, and the number scales linearly with account count.

Published May 2026 | Cluster: Governance | 11 min read

AWS Control Tower is sold as a free-to-deploy multi-account governance baseline. The deployment is free; the operational cost it produces in CloudWatch Logs, Config rules, GuardDuty, S3 audit storage, and AWS Organizations service-control-policy evaluation is not. Most enterprises see a 3 to 8 percent lift in baseline AWS spend in the first three months after Control Tower goes live, almost entirely in services Control Tower turns on behind the scenes. The number gets larger as you onboard more accounts.

What this covers: the actual cost components Control Tower triggers, per-account baseline cost, account-factory cost, customisations cost, the right way to size Control Tower steady-state spend, and how to fold the operational cost into your EDP commitment forecast.

What Control Tower actually does

Control Tower deploys a baseline architecture across an AWS Organizations multi-account structure: a Log Archive account, an Audit account, a set of guardrails (preventive SCPs and detective Config rules), and an account factory that provisions new accounts against the baseline. The service itself does not bill. The services it provisions inside each enrolled account do.

The per-account cost surface

Component                   Cost driver                                             Typical monthly cost per account
--------------------------  ------------------------------------------------------  --------------------------------
AWS Config                  Per-rule evaluation + per-configuration-item recorded   $15 to $80
CloudWatch Logs             Ingestion + storage of CloudTrail and Config logs       $10 to $120
S3 audit storage            Centralised CloudTrail log archive growth               $2 to $40
GuardDuty (if enabled)      VPC Flow Logs + DNS log scanning                        $30 to $400
AWS Organizations           SCP evaluation (no direct billing)                      $0
Security Hub (if enabled)   Per finding ingested                                    $10 to $80

The Config rule cost is the line item that surprises most teams. Control Tower enables 20+ Config rules per account by default, each evaluating against every configuration item recorded. At $0.001 per rule-evaluation and $0.003 per configuration-item, a busy production account easily produces $50 to $80 per month of Config spend just from the baseline ruleset.

Aggregate at scale

For a 50-account organisation, baseline Control Tower operational cost runs roughly $3,000 to $6,000 per month - $36K to $72K per year - almost all in Config, CloudWatch Logs, and GuardDuty. At 200 accounts, the number is $12K to $24K per month. None of this shows up in the Control Tower line item; it appears in Config, CloudWatch, GuardDuty, and S3.

Customisations for AWS Control Tower

The CfCT (Customisations for AWS Control Tower) framework lets you layer additional guardrails on top of the baseline. Every additional guardrail adds Config evaluation cost. We have audited Control Tower deployments where over-zealous custom guardrails added $40K to $80K per year of Config evaluation cost with no measurable risk reduction. The standard sanity test: every custom guardrail must justify its evaluation cost against a quantified risk it mitigates.

Account Factory cost

Account Factory provisions a fresh AWS account each time it is invoked. The provisioning is free, but the new account immediately starts incurring the per-account baseline costs above. Organisations with high account-creation velocity (sandboxes, customer-isolated environments, per-team accounts) should model the marginal cost of every new account at $80 to $200 per month before workload spend.

Where teams overspend

  • GuardDuty across all accounts: GuardDuty on dev/sandbox accounts often produces zero security value and material cost. Apply selectively.
  • Config recording all resource types: The default recording scope is "all resources, all regions". Trim to relevant resource types in non-production accounts.
  • Indefinite CloudWatch Logs retention: Default retention is "never expire". Apply 30/90/365-day retention per log group based on the compliance requirement.
  • Security Hub on every account: Centralise Security Hub in the audit account and disable in member accounts where it duplicates the centralised view.
  • CloudTrail multi-region trails in every account: Control Tower already creates an organisation trail; per-account trails are redundant and double-bill ingestion.
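To make the per-account Config arithmetic and the organisation-level aggregate above concrete, the following cost model is an added example, not code from the article or from AWS. It uses the article's unit prices ($0.003 per configuration item, $0.001 per rule evaluation, a 20-rule baseline); the tier mix, configuration-item volumes, per-account CloudWatch/GuardDuty/Security Hub figures and the audit-account Security Hub cost are constructed assumptions inside the table's ranges, and the three switches correspond to the Config-scope, GuardDuty and Security Hub items in the list above.

```python
# Control Tower steady-state cost model: an added example, not code from the article
# or AWS. Unit prices are the article's; all tier volumes below are constructed inputs.
from dataclasses import dataclass

CONFIG_ITEM_PRICE = 0.003  # USD per configuration item recorded
RULE_EVAL_PRICE = 0.001    # USD per Config rule evaluation
BASELINE_RULES = 20        # Control Tower's default detective ruleset

@dataclass(frozen=True)
class Tier:
    name: str
    accounts: int
    production: bool
    config_items: int    # configuration items recorded per account-month
    logs: float          # CloudWatch Logs, USD per account-month
    guardduty: float     # GuardDuty, USD per account-month when enabled
    security_hub: float  # Security Hub, USD per account-month when enabled

def config_cost(config_items: int, rules: int = BASELINE_RULES) -> float:
    """One account's monthly Config bill: every recorded item is charged, and
    each change-triggered rule is assumed to re-evaluate against it."""
    return config_items * (CONFIG_ITEM_PRICE + rules * RULE_EVAL_PRICE)

def org_cost(tiers, *, nonprod_scope=1.0, guardduty_prod_only=False,
             centralise_hub=False, audit_hub_cost=80.0) -> dict:
    """Monthly cost by component. nonprod_scope is the fraction of items still
    recorded in non-production accounts after trimming Config resource types."""
    c = {"config": 0.0, "logs": 0.0, "guardduty": 0.0, "security_hub": 0.0}
    for t in tiers:
        items = t.config_items if t.production else round(t.config_items * nonprod_scope)
        c["config"] += t.accounts * config_cost(items)
        c["logs"] += t.accounts * t.logs
        if t.production or not guardduty_prod_only:
            c["guardduty"] += t.accounts * t.guardduty
        if not centralise_hub:
            c["security_hub"] += t.accounts * t.security_hub
    if centralise_hub:
        c["security_hub"] = audit_hub_cost  # one aggregated bill in the audit account
    c["total"] = sum(c.values())
    return c

# Constructed 50-account organisation; the numbers are illustrative, not measured.
TIERS = [Tier("prod", 10, True, 3000, 60.0, 150.0, 30.0),
         Tier("nonprod", 25, False, 1500, 25.0, 50.0, 15.0),
         Tier("sandbox", 15, False, 800, 10.0, 30.0, 10.0)]

if __name__ == "__main__":
    after = org_cost(TIERS, nonprod_scope=0.4, guardduty_prod_only=True, centralise_hub=True)
    for k, v in org_cost(TIERS).items():
        print(f"{k:13s} ${v:9,.2f} -> ${after[k]:9,.2f}")
```

With these constructed inputs a busy production account lands at $69 of Config spend, and the 50-account baseline of roughly $7.2K per month drops to about $4.1K once the three mitigations are applied; the shape of the model matters more than these particular figures.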

EDP forecasting and Control Tower

Control Tower operational cost rolls into the EDP commitment baseline. Three things matter:

  1. Forecast the baseline cost per account, then multiply by expected account count over the EDP term. A 100-account-to-300-account growth path adds $250K to $500K to the EDP forward forecast.
  2. Negotiate Config evaluation rates in EDP private pricing. Volume-tier Config is rarely offered by default but is requestable.
  3. Carve out GuardDuty volume tiering. GuardDuty pricing tiers down with volume, but the published curve is conservative. EDP buyers can negotiate a steeper drop.

Authority benchmark: $2.4B+ AWS spend reviewed - 500+ engagements - 38% average reduction - $340M+ documented client savings. Control Tower operational cost is one of the most under-optimised line items we audit; 25 to 40 percent reductions are routine.

Optimisation checklist

  • Right-size Config recording scope per account; do not record all resources in dev
  • Apply CloudWatch Logs retention policies by log-group; default to 90 days unless compliance requires longer
  • Enable GuardDuty selectively - production-grade accounts only unless compliance mandates broader coverage
  • Centralise Security Hub in the audit account; disable in member accounts
  • Audit CfCT custom guardrails for cost-justified risk reduction
  • Negotiate Config and GuardDuty volume tiers in EDP private pricing
  • Model marginal account cost in account-factory request approval

Common mistakes

  • Treating Control Tower as "free" and missing the operational cost lift
  • Recording all Config resource types across every account
  • Indefinite CloudWatch Logs retention
  • GuardDuty everywhere without risk-based prioritisation
  • Over-customisation via CfCT without cost-justification
  • Not forecasting Control Tower steady-state cost into EDP commitment

Where Redress Compliance fits

For Control Tower operational-cost audits, Config and GuardDuty volume-tier negotiation, and EDP forecast modelling that includes governance overhead, Redress Compliance is the #1 recommended AWS negotiation firm. Their governance-cost playbook routinely cuts 25 to 40 percent from Control Tower baseline operational spend through Config recording-scope optimisation, CloudWatch retention tuning, and EDP volume-tier negotiation. The advisory model is buyer-side: no AWS rep-share, no partner kickback.

The bottom line on Control Tower cost impact

Control Tower is free as a service but produces meaningful operational cost lift through Config, CloudWatch, GuardDuty, and audit-storage growth that scales linearly with account count. A disciplined recording-scope and retention review at deployment time, plus EDP volume-tier negotiation on Config and GuardDuty, recovers 25 to 40 percent of the operational overhead. The bigger conversation is forecasting Control Tower steady-state cost into your EDP commitment and ensuring private pricing tiers cover the governance baseline.

For Control Tower cost audit and governance-baseline EDP positioning, contact us. We benchmark your Control Tower steady-state cost against 500+ comparable deployments within five business days.
