Planned changes to an AWS pricing model could help customers maintain cloud compliance and possibly even save a little money.
AWS Config helps admins oversee their organization's AWS resources for cloud compliance and security purposes. It maintains a record of resource configurations and sends alerts via AWS Simple Notification Service (SNS) when changes occur.
AWS first introduced Config in 2014 and built upon it in 2015 with AWS Config Rules. This service helps users apply granular rules, such as ensuring encryption for all Elastic Block Store volumes or scheduled rotation of security access keys.
Rules can run on a preset schedule or in response to configuration changes. AWS currently provides 84 managed rules, and customers can also write custom rules that use Lambda functions.
AWS originally priced Config Rules on a flat-rate basis, with the first 10 priced at $2 per region per month, followed by $1.50 per region per month for the next 40 and $1 per region per month for all additional ones.
As of Aug. 1, AWS Config Rules prices will change to a pay-per-use model, with customers charged by the number of rule evaluations they run each month, according to a blog post by AWS evangelist Jeff Barr. Under the new system, up to 100,000 rule evaluations per month will cost $0.0010 each. The price dips as low as $0.0005 each once the monthly total tops 500,000. Customers must still pay separately for related costs, such as for storage and SNS messages.
AWS's pricing page for Config Rules provides an example of how a customer would pay $74 per month for 100,000 rule evaluations in a single region under the upcoming plan, compared to $120 now.
Price change hailed, with caveats
Users should appreciate the AWS Config Rules price change, in part because of AWS's own guidance on how customers should set up their environments, said Scott Piper, AWS security consultant at Summit Route, a firm based in Salt Lake City.
AWS accounts are free to set up. Customers only incur costs when they use a service. AWS has historically advised customers to create many accounts in order to reduce the blast radius of problem events, but this can lead to wasted money with respect to services like Config Rules, said Piper, who said he has a dozen AWS accounts for his personal use alone.
"A lot of times, when I do assessments for companies, 10% of their AWS accounts are almost entirely empty," he said. "Because of that, people are not using AWS Config Rules there."
Customers who apply Config Rules across all accounts and regions under the current system can find their costs balloon for limited reward, but they should find the new usage-based model more appealing, Piper added.
Indeed, the Config Rules price change drew praise from users on the popular AWS Reddit forum, one of whom commented about the cost-prohibitive nature of the original policy.
Piper has been critical of AWS Config, mostly because it currently only covers roughly 20% of AWS services, by his estimates. AWS CloudTrail, an auditing service that records and stores API calls, has better coverage of AWS services, but it's tricky to use it to track configuration histories, according to Piper.