Config is one of my favorite services in AWS. When I think about Config, my mind usually goes more toward overall security & compliance of an AWS environment, but one underrated aspect of this tool is that this can also help control your AWS costs!
AWS Config Primer
AWS Config is a service that records your resources and allows you to create rules to check for compliance of the resources you have tracked. This is a regional service, but does allow the use of aggregators to consolidate findings from multiple regions and AWS accounts.
If you've ever used Security Hub this actually uses AWS Config behind the scenes to apply the best practices checks.
To set up config, simply go to the Config service in the AWS console and click on Get Started. The defaults are generally fine on the settings, but you may want to customize the bucket name, or create your own AWS Role for Config to use if you have very specific permissions needs. I do recommend, however, including Global resources in at least one AWS Config deployment. There are additional steps to use this service with multi-region and multi-account setups, but we're going to skip that for now. All in all, your setup should look something like this:
Cost Optimization Rules
There are a TON of managed AWS rules in AWS Config, and the list grows over time, but I want to focus on a few that can help manage costs. When you set up these rules, a common idea is that resources will either be "Compliant" or "Not-Compliant". This allows you to narrow in on resources that do not align to your rules, and provides a manageable list for you to check against, rather than having to evaluate all resources manually! Another thing: You can set a remediation action on the rules you create. There are many actions, but for these rules, I would recommend setting up SNS alerts so you will be proactively notified when a resource is out of compliance.
The main benefit of this approach is you will be notified much quicker than waiting for the AWS bill to come through. You can prevent charges for unused or misconfigured resources, which helps the bottom line!
Here are some of my favorite rules for aligning costs:
- ec2-volume-inuse-check - This rule checks to make sure that your EBS volumes are actually attached to an EC2 instance. If they aren't they will show up as non-compliant. This really helps when EC2 instances are terminated but the retention policy on the EBS volume is set to "retain".
- eip-attached - This is a straightforward rule, it simply checks if you have any elastic ip addresses that are not attached to an EC2 instance or VPC resource. This helps identify EIPs that you may no longer need, and while they don't cost much individually, this can add up quickly if you forget to delete EIPs when terminating EC2 instances they are attached to!
- service-vpc-endpoint-enabled - This is more subtle. If you have a lot of resources in a private subnet that is using a NAT Gateway, and connecting to resources in S3 or DynamoDB, you may be overpaying on your NAT Gateway processed bytes. This rule ensures that you have a VPC endpoint in place for the selected service, which has a lower data transfer cost than NAT Gateways.
- desired-instance-tenancy and desired-instance-type - Both of these are super useful if you work in an environment where multiple people are working in the same account on different projects with different skillsets. Sometimes people may launch an instance using an expensive instance, or mistakenly launch the instance into dedicated tenancy when it's not needed. This rule helps you identify those issues proactively.
- desired-tags - Last, but certainly not least, is the desired-tags rule. This rule allows you to define your required tags for specific types of resources in AWS. This allows you to run cost explorer reports against specific tags to identify where your costs are coming from, and is a good starting point toward prioritizing modernization & cost optimization efforts.
Using AWS Config is a solid way to not only keep your AWS Account secure and align to best practices, but also to assist in controlling your AWS costs as well! This doesn't replace options like AWS Budgets & Cost Alarms but it's a very nice augment to those features within AWS.