Taming the AWS Config Beast: A FinOps Journey

Our organization, like many enterprises, faced a cloud cost mystery. With over 1,700 AWS accounts in a Hub & Spoke model, AWS Config costs spiraled out of control, becoming a financial sinkhole. This is the story of how we not only saved a fortune but fundamentally changed our approach to cloud financial management.

Inspiration and the Problem

The problem surfaced during a routine cost review. AWS Config, which we run for compliance and change tracking, was recording every supported resource type (389 of them!) in every account, because that is the recorder's default. Every create, change, or delete of any of those resources produced a billable configuration item: millions of them a month, costing us hundreds of thousands of dollars a year. We had a classic dilemma: balancing compliance needs with cost efficiency, at scale.

What We Learned

We realized that AWS Control Tower's default settings, while excellent for governance, weren't cost-optimized: the Config recorder it deploys records everything. We learned to record only the resource types our compliance controls actually depend on, and that this needed a broader FinOps approach rather than a one-off fix. We embraced core FinOps principles:

  • Accountability: Understanding cost drivers.
  • Optimization: Recording only necessary resources.
  • Automation: Scaling the solution.
  • Measurement: Tracking the impact.

How We Built It

Our solution centered on a Lambda function in the management account, written in Python with boto3. It enumerates member accounts through AWS Organizations, assumes a role into each one with STS, and rewrites that account's Config recorder. It allowed us to:

  • Target specific accounts or OUs.
  • Define which AWS services to record via configuration.
  • Automate deployment using DevOps pipelines (CI/CD).
  • Validate that each account's recorder still captures the resource types our compliance controls need.

The DevOps pipeline orchestrated the deployment and execution. A structured configuration file, listing the resource types to keep recording and the accounts or OUs in scope, is where compliance needs were balanced against cost.
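As an added example (not the project's own code, which the page does not show), here is the shape such a Lambda takes in Python with boto3: it reads an allow-list of resource types from a configuration document, enumerates the accounts under the target OUs through AWS Organizations, assumes a role into each account with STS, rewrites the existing Config recorder so it records only those types, and checks that the recorder is still recording afterwards. The role name, environment variable names, OU id, account ids and the policy document are assumptions constructed for this example, and the Fake* classes stand in for the boto3 clients so it runs offline. Its dry-run path doubles as the recurring check mentioned under Challenges below: it reports any account whose recorder has drifted from the intended recording group without changing it.

```python
"""Added example, not the project's own code: core of a management-account Lambda that
narrows AWS Config recording in member accounts to an allow-list of resource types.
Hypothetical assumptions: a role ASSUME_ROLE_NAME exists in every member account and is
assumable from the management account; SAMPLE_POLICY and the Fake* clients are constructed."""
import json
import os

# Constructed policy: types to keep recording, the subset that Config rules / Security Hub
# controls depend on and must never be dropped, and the OUs in scope (ids are hypothetical).
SAMPLE_POLICY = {
    "resource_types": ["AWS::CloudTrail::Trail", "AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
                       "AWS::EC2::VPC", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User",
                       "AWS::KMS::Key", "AWS::Lambda::Function", "AWS::S3::Bucket"],
    "required_for_security": ["AWS::CloudTrail::Trail", "AWS::EC2::SecurityGroup",
                              "AWS::IAM::Role", "AWS::S3::Bucket"],
    "target_ous": ["ou-abcd-11111111"],
}


def build_recording_group(policy):
    """Turn the policy into a Config recordingGroup; refuse to drop security-critical types."""
    types = sorted(set(policy["resource_types"]))
    missing = sorted(set(policy.get("required_for_security", [])) - set(types))
    if missing:
        raise ValueError(f"policy drops security-relevant resource types: {missing}")
    # includeGlobalResourceTypes must be False when allSupported is False; global types
    # such as IAM stay recorded because they are listed explicitly in resourceTypes.
    return {"allSupported": False, "includeGlobalResourceTypes": False, "resourceTypes": types}


def list_accounts_in_ous(org, ou_ids):
    """ACTIVE account ids directly under the given OUs, following NextToken paging."""
    accounts = []
    for ou in ou_ids:
        kwargs = {"ParentId": ou}
        while True:
            page = org.list_accounts_for_parent(**kwargs)
            accounts.extend(a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE")
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    return accounts


def apply_recording_group(config, recording_group, dry_run=False):
    """Rewrite the account's existing recorder (same name and role), then verify it still records."""
    recorders = config.describe_configuration_recorders()["ConfigurationRecorders"]
    if not recorders:
        return {"status": "no-recorder"}
    rec = recorders[0]  # Config permits exactly one recorder per account and region
    if rec.get("recordingGroup") == recording_group:
        return {"status": "unchanged", "recorder": rec["name"]}
    if dry_run:  # report drift from the intended group without touching the account
        return {"status": "would-update", "recorder": rec["name"]}
    config.put_configuration_recorder(ConfigurationRecorder={
        "name": rec["name"], "roleARN": rec["roleARN"], "recordingGroup": recording_group})
    status = config.describe_configuration_recorder_status(
        ConfigurationRecorderNames=[rec["name"]])["ConfigurationRecordersStatus"][0]
    if not status.get("recording"):
        return {"status": "error", "recorder": rec["name"], "detail": "recorder not recording"}
    return {"status": "updated", "recorder": rec["name"]}


def config_client_for(account_id, region, role_name):
    """Assume the cross-account role with STS and return a Config client for that account."""
    import boto3  # imported lazily so the pure logic above can be tested without boto3
    creds = boto3.client("sts").assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                                            RoleSessionName="config-recording-finops")["Credentials"]
    return boto3.client("config", region_name=region, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def run(policy, org, client_factory, dry_run=False):
    """Apply the policy to every in-scope account; returns {account_id: result}."""
    group = build_recording_group(policy)
    return {acct: apply_recording_group(client_factory(acct), group, dry_run)
            for acct in list_accounts_in_ous(org, policy["target_ous"])}


def lambda_handler(event, context):
    """Lambda entry point; the environment variable names are hypothetical (AWS_REGION is set by Lambda)."""
    import boto3
    policy = json.loads(os.environ.get("CONFIG_POLICY_JSON", json.dumps(SAMPLE_POLICY)))
    role, region = os.environ.get("ASSUME_ROLE_NAME", "ConfigRecorderAdmin"), os.environ["AWS_REGION"]
    return run(policy, boto3.client("organizations"),
               lambda acct: config_client_for(acct, region, role), dry_run=event.get("dry_run", False))


class FakeOrg:  # constructed stand-in for the Organizations client: two pages, one suspended account
    def list_accounts_for_parent(self, ParentId, NextToken=None):
        if NextToken is None:
            return {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"}], "NextToken": "p2"}
        return {"Accounts": [{"Id": "222222222222", "Status": "SUSPENDED"},
                             {"Id": "333333333333", "Status": "ACTIVE"}]}


class FakeConfig:  # constructed stand-in for the Config client; starts like the baseline: record everything
    def __init__(self):
        self.recorders = [{"name": "default", "roleARN": "arn:aws:iam::111111111111:role/ConfigRole",
                           "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]
    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": self.recorders}
    def put_configuration_recorder(self, ConfigurationRecorder):
        self.recorders = [ConfigurationRecorder]
    def describe_configuration_recorder_status(self, ConfigurationRecorderNames):
        return {"ConfigurationRecordersStatus": [{"name": n, "recording": True} for n in ConfigurationRecorderNames]}


def demo():
    """Two passes over the fake accounts: the first narrows recording, the second must be a no-op."""
    clients = {}
    factory = lambda acct: clients.setdefault(acct, FakeConfig())
    return run(SAMPLE_POLICY, FakeOrg(), factory), run(SAMPLE_POLICY, FakeOrg(), factory)
```

Two caveats a practitioner would want here. First, a resource type left out of the recording group has no configuration history at all, so any Config rule, Security Hub control, or later investigation that needs that type goes blind; the `required_for_security` list in the policy exists to make such a drop fail loudly, and it has to be kept in step with the rules and conformance packs you actually deploy. Second, Control Tower deploys the baseline recorder itself and can re-deploy it, for example on a landing zone update or when an account is enrolled, so the dry-run pass should run on a schedule to catch a recorder that has reverted to recording everything, rather than assuming a one-time change sticks.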

Challenges Faced

The main challenges were:

  • Scale: Implementing changes across 1,700+ accounts.
  • Compliance: Ensuring optimizations didn't remove visibility that security controls depend on (Config rules and Security Hub controls can only evaluate resource types the recorder captures).
  • Continuous Monitoring: Setting up regular checks for ongoing effectiveness.

We addressed these by:

  • Automating deployments with CI/CD pipelines.
  • Testing incrementally in non-production environments first.
  • Establishing feedback loops with security and governance teams.

The Results

The impact was immediate:

  • 78% reduction in AWS Config costs!
  • Over $1.2 million projected first-year savings.
  • More meaningful Config findings for security teams.
  • Faster Config queries.
  • Better forecasting.
  • Teams became more cost-conscious.

Beyond Config

This was just the beginning. We're now exploring machine learning for anomaly detection, real-time cost guardrails, FinOps as Code, and chargeback automation. The project sparked a broader conversation about cloud financial management and encouraged teams to think more critically about resource usage, embedding FinOps thinking into how we run our cloud.

Reflecting on this journey, I realize that the real value wasn't just in dollars saved but in the organizational capability we built. It showed us that cost optimization isn't just about cutting expenses; it's about aligning technology consumption with business value.

Built With

  • aws-config
  • aws-control-tower
  • aws-lambda
  • aws-organizations
  • aws-sts
  • boto3
  • devops-pipelines-(ci/cd)
  • python