info
In this post I'm going to talk about the costs I faced using AWS Control Tower the latest 3 months. I recommend you read my previous post before continuing. Basic knowledge about AWS Control Tower is required.
Latest 3 months costs:
Before I proceed, I have to mention my usage of AFT:
- I only used it during January and February. I created 5 AWS Accounts.
- On March I didn't create or enroll any account.
And here we have the costs:
| Service | Config($) | VPC($) | Tax($) | EC2-Other($) | CodeBuild($) | KMS($) | Lambda($) | S3($) | DynamoDB($) | Backup($) | EC2-Instances($) | CloudWatch($) | Total cost ($) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| January | 16.58 | 17.34 | 10.62 | 8.41 | 6.62 | 1.56 | 0.09 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 61.2 |
| February | 13.9 | 12.5 | 10.98 | 9.04 | 8.5 | 1.87 | 6.44 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 63.22 |
| March | 9.03 | 0 | 4.72 | 7.44 | 0 | 6 | 0 | 0.01 | 0.01 | 0.01 | 0 | 0 | 27.19 |
info
Let's ignore the Tax from the plot and table.
Detailed cost: Services, API Operations and Usages Type
Let me write down the services used:
- AWS Config:
- API Operation:
None - Usage Type:
EU-ConfigurationItemRecorded
- API Operation:
- VPC:
- API Operation:
VpcEndpoint - Usage Type:
EU-VpcEndpoint-Hours
- API Operation:
- EC2-Other:
- API Operations:
NatGateway,AssociateAddressVPC, here are the costs: - Usage Type:
EU-NatGateway-Hours,EU-ElasticIP:IdleAddress,EU-NatGateway-Bytes
- API Operations:
| API Operation | NatGateway($) | AssociateAddressVPC($) | Total |
|---|---|---|---|
| January | 7.28 | 1.13 | 8.41 |
| February | 7.02 | 2.02 | 9.04 |
| March | 0 | 7.44 | 7.44 |
| Usage Type | EU-NatGateway-Hours($) | EU-ElasticIP:IdleAddress($) | EU-NatGateway-Bytes($) |
|---|---|---|---|
| January | 7.2 | 1.123 | 0.08 |
| February | 6.24 | 2.019 | 0.78 |
| March | 7.435 |
- CodeBuild:
- API Operation:
Build - No cost on March because no account was created neither enrolled
- API Operation:
- Key Management Service:
- API Operation:
Unknown - Usage Type:
eu-west-1-KMS-Keys,eu-west-2-KMS-Keys
- API Operation:
| Usage Type | eu-west-1-KMS-Keys($) | eu-west-2-KMS-Keys($) | Total |
|---|---|---|---|
| January | 1.06 | 0.5 | 1.56 |
| February | 1.24 | 0.63 | 1.87 |
| March | 4 | 2 | 6 |
- Lambda:
- API Operation:
Invoke - Usage Type:
EU-Lambda-GB-Second
- API Operation:
Analysis
- The only services that cost independently of usage are:
- AWS Config
- EC2-Other
- KMS
- AWS Config is the highest cost. I will talk about this in the next section: aws config section
- Using the improvement to disable the VPC endpoints and NAT explained in my previous post, in March the cost is 0 for the following operations:
EU-VpcEndpoint-Hours- serviceVPCEU-NatGateway-HoursandEU-NatGateway-Bytes- serviceEC2-Other
- However, there is still a cost in the
EC2-Otherservice, it is for the API OperationAssociateAddressVPC, usage type:EU-ElasticIP:IdleAddress. - The KMS cost has increase in March. I didn't expect this one because I didn't use AFT during that month.
- Other services (
S3,DynamoDB,Backup,EC2-Instances,CloudWatch) have no cost or less than 0.10.
Questions
- What AWS Config does ? Can I reduce it cost ?
- What does the operation
EU-ElasticIP:IdleAddressdo? How can I decrease this cost? - Why KMS cost increase in March if I didn't use AFT? How can I decrease it?
What AWS Config does? Can I reduce it cost?
AWS Config is a AWS service that allow us to record and evaluate resources configurations. You can check the full description here. This service is been used by the AWS Control Tower as described next:
AWS Control Tower has a feature named Guardrails, those are rules validated against resources created in enrolled accounts. This provides governance to AWS environments. Those Guardrails can be preventive (ensuring your account maintain compliance) or Detective (detect noncompliance resources) based on the behavior. The detective guardrails are implemented using AWS Config rules. This means Control Tower call AWS Config to validate the configuration of the resources when a detective guardrails is active.
okey, too much theory, the most important, next are the two detective guardrails activated by default in a landing zone:
danger
The next approach works for me because I'm using AFT sporadically and for personal projects. I don't recommend it for companies because resource history might be required for compliance.
Action done:
- Go to AWS Organizations. Create a OU, I name it
outside-act. - Move the AFT account to the new OU.
- Check it is not enrolled.
- Open the AWS Console, login using the AFT Account, go to AWS Config, open Settings, click on
Edit. and select stop recording, save it.
After disabling Recorder on April 19 the cost was reduced from 0.30 $ per day to 0.03 $
| Service | 2022-04-16 | 2022-04-17 | 2022-04-18 | 2022-04-19 | 2022-04-20 | 2022-04-21 | 2022-04-22 |
|---|---|---|---|---|---|---|---|
| Config($) | 0.296 | 0.296 | 0.236 | 0.008 | 0.008 | 0.008 | 0.008 |
What does the operation EU-ElasticIP:IdleAddress do? How can I decrease this cost?
I discovered there were two Elastic IP addresses not linked to any EC2 instances, this is why it is been charged in Idle state. I release them manually, through the AWS Console, so no more cost is generated. More details about why it was been charge here.
As we want to avoid manual intervention, I made the elastic IP creation depend on the aft_vpc_nat_gateway parameter I introduce for reducing NAT costs in my previous post.
KMS Costs
info
I will answer this one in my next post. Too much for this one.
Side Notes:
Wait Carlos, were you using the Free Tier?
Yes, I was, and that might reduce the final costs I had, but I don't expect them to be significantly different nor to change any conclusion of this article.
Next is my remaining Free Tier quota on April 18, as you see some services already exceeded the free layer though I haven't used the AFT resources since later February.
Audit and Log AWS Accounts costs
For using AWS Control Tower there are 3 accounts required:
- Audit Account.
- Log Archive Account.
- AFT Account where all the resources to process account creation request are.
Next are the costs per account
| Linked Account Name | cangulo_aft ($) | Log Archive ($) | Audit ($) |
|---|---|---|---|
| January | 61.2 | 1.8 | 0.2 |
| February | 63.3 | 1.5 | 0.02 |
| March | 27.2 | 2.8 | 0.01 |
info
In this post I'm only referring to the AFT account costs.
References:
Git Repositories
learn-terraform-aft-account-provisioning-customizations
learn-terraform-aft-account-customizations
learn-terraform-aft-global-customizations
learn-terraform-aft-account-request
About me
I'm a Software Engineer with experience as Developer and DevOps. The technologies I have worked with are DotNet, Terraform and AWS. For the last one, I have the Developer Associate certification. I define myself as a challenge-seeker person and team player. I simply give it all to deliver high-quality solutions. On the other hand, I like to analyze and improve processes, promote productivity and document implementations (yes, I'm a developer that likes to document ๐งโ๐ป).
You can check my experience here.
Personal Blog - cangulo.github.io
GitHub - Carlos Angulo Mascarell - cangulo
LinkedIn - Carlos Angulo Mascarell
Twitter - @AnguloMascarell