Unfiltered Recording of High-Churn Resource Types in AWS Config
Dor Danosh
CER: CER-0135
Service Category: Other
Cloud Provider: AWS
Service Name: AWS Config
Inefficiency Type:
Explanation

When the AWS Config recorder is set up with its default option, it records configuration changes for every supported resource type, including types that change constantly: security groups whose rules are rewritten by automation, IAM roles and policies, route tables, and elastic network interfaces, which are created and destroyed continuously for containers and auto-scaled instances. Every change to a recorded resource produces a configuration item, so these high-churn types can generate an outsized number of configuration items and inflate the bill, especially in dynamic or large-scale environments.

This inefficiency arises when recording is enabled indiscriminately across all resource types without evaluating whether the data is needed. Without targeted scoping, teams pay for configuration history that provides little value, especially in non-production environments, and the flood of low-value items also buries meaningful compliance signals in noise.

Relevant Billing Model

AWS Config charges based on:
  • The number of configuration items recorded (continuous and daily recording are priced separately)
  • The number of conformance pack evaluations
  • The number of rule evaluations

Recording cost scales with the volume of configuration changes, which varies widely by resource type and by how volatile the environment is, so the bill can spike unexpectedly in dynamic environments. The effect compounds: each configuration item for a resource that a change-triggered rule or conformance pack is scoped to also triggers an evaluation, so a high-churn type inflates the evaluation lines as well as the recording line, whether or not it matters to your compliance goals.

Detection
  • Identify whether the AWS Config recorder in each account and region is set to record all supported resource types (in `describe-configuration-recorders` output: `allSupported` true, or a recording strategy of `ALL_SUPPORTED_RESOURCE_TYPES`)
  • Count configuration items by resource type, for example from the ConfigHistory objects AWS Config delivers to its S3 bucket (their keys include the resource type), to pinpoint the highest-volume generators
  • Review whether each high-churn type is actually required for audit, compliance, or operations, including whether any active Config rule, conformance pack, or Security Hub control is scoped to it
  • Check for Config recording in non-production accounts that do not need persistent configuration history
  • Check whether another service already covers the same need: CloudTrail records the API calls that changed a resource, VPC Flow Logs and GuardDuty cover network traffic and threat findings; none of them stores resource state, so they replace Config only where the question is who changed what, not what the configuration was
Remediation
  • Limit AWS Config recording to the resource types you actually need, using the recorder's recording group (an inclusion list, or an exclusion list when most types should stay recorded)
  • Exclude high-churn resource types that provide little compliance or operational value; before excluding a type, confirm that no Config rule, conformance pack, or Security Hub control is scoped to it, because an unrecorded type is never evaluated and drops silently out of your compliance view
  • For high-churn types that rules do depend on, switch them to daily recording (a recording mode override with frequency `DAILY`) rather than dropping them: you keep a once-a-day history and the rules still evaluate against the daily item, without a configuration item for every change
  • Disable Config entirely in sandbox, test, or dev accounts only if configuration history is not needed there and no organization-wide control (Security Hub standards, organization conformance packs, AWS Control Tower) depends on the recorder; otherwise keep a minimal recording scope
  • Review and update recording scopes regularly as the infrastructure evolves; automate the review with periodic reports or Config advanced queries (for example a query grouping resources by resourceType to see which types dominate)
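The detection and remediation steps above, as an added example that is not code from the original page: a Python script that flags recorders set to record everything, counts configuration items per resource type over a 24-hour window, checks which Config rules are scoped to the noisy types, and emits a `put-configuration-recorder` payload that excludes the types nothing depends on and moves the rest to daily recording. The recorder, rule and configuration-item inputs are constructed sample data in the shape of the `describe-configuration-recorders` and `describe-config-rules` responses and of the ConfigHistory JSON that Config delivers to S3; the 20% share threshold, the 24-hour window and the account and resource IDs are assumptions. In a real run you would load these with boto3 (`describe_configuration_recorders`, `describe_config_rules`) and from the delivery bucket.

```python
"""Added example (not the page's code): find high-churn AWS Config resource
types and derive a scoped recorder. Inputs are constructed dicts shaped like
describe-configuration-recorders / describe-config-rules responses and the
ConfigHistory JSON Config delivers to S3; real runs load them with boto3."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample data

# --- constructed sample inputs (account ID and resource IDs are made up) ---
RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": [],
                       "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}}]}
RULES = {"ConfigRules": [
    {"ConfigRuleName": "restricted-ssh",
     "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]}},
    {"ConfigRuleName": "iam-policy-no-statements-with-admin-access",
     "Scope": {"ComplianceResourceTypes": ["AWS::IAM::Policy"]}}]}

def _ci(resource_type, resource_id, minutes_ago):
    """One configurationItem as it appears in a ConfigHistory file."""
    return {"resourceType": resource_type, "resourceId": resource_id,
            "configurationItemCaptureTime": (NOW - timedelta(minutes=minutes_ago)).isoformat()}

CONFIG_ITEMS = (
    [_ci("AWS::EC2::NetworkInterface", "eni-%08x" % i, i) for i in range(400)]           # ECS task ENIs
    + [_ci("AWS::EC2::SecurityGroup", "sg-0123456789abcdef0", i * 5) for i in range(120)]  # rules rewritten by automation
    + [_ci("AWS::EC2::Instance", "i-%08x" % i, i * 60) for i in range(20)]
    + [_ci("AWS::S3::Bucket", "audit-logs", 900)])

def records_everything(recorders):
    """Names of recorders set to record every supported resource type."""
    names = []
    for rec in recorders.get("ConfigurationRecorders", []):
        group = rec.get("recordingGroup", {})
        if group.get("allSupported") or group.get("recordingStrategy", {}).get("useOnly") == "ALL_SUPPORTED_RESOURCE_TYPES":
            names.append(rec["name"])
    return names

def ci_counts(items, window_hours=24):
    """Configuration items per resource type captured inside the window."""
    cutoff = NOW - timedelta(hours=window_hours)
    counts = Counter()
    for item in items:
        if datetime.fromisoformat(item["configurationItemCaptureTime"]) >= cutoff:
            counts[item["resourceType"]] += 1
    return counts

def high_churn_types(counts, share=0.2):
    """Resource types that each produce more than `share` of all CIs in the window."""
    total = sum(counts.values())
    return [t for t, n in counts.most_common() if total and n / total > share]

def rule_dependencies(rules, resource_types):
    """Config rules scoped to these types; they stop evaluating if the type is excluded."""
    deps, wanted = {}, set(resource_types)
    for rule in rules.get("ConfigRules", []):
        hit = sorted(set(rule.get("Scope", {}).get("ComplianceResourceTypes", [])) & wanted)
        if hit:
            deps[rule["ConfigRuleName"]] = hit
    return deps

def plan(recorders, rules, items):
    """Exclude noisy types no rule needs; keep rule-scoped noisy types on daily recording."""
    counts = ci_counts(items)
    noisy = high_churn_types(counts)
    deps = rule_dependencies(rules, noisy)
    needed = {t for hits in deps.values() for t in hits}
    return {"records_everything": records_everything(recorders), "counts": dict(counts),
            "high_churn": noisy, "rule_dependencies": deps,
            "exclude": [t for t in noisy if t not in needed],
            "daily": [t for t in noisy if t in needed]}

def scoped_recorder(name, role_arn, exclude, daily=()):
    """ConfigurationRecorder payload for put-configuration-recorder."""
    rec = {"name": name, "roleARN": role_arn,
           "recordingGroup": {"allSupported": False, "resourceTypes": [],  # both required this way with exclusion
                              "exclusionByResourceTypes": {"resourceTypes": sorted(exclude)},
                              "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}},
           "recordingMode": {"recordingFrequency": "CONTINUOUS"}}
    if daily:  # once-a-day history instead of one CI per change
        rec["recordingMode"]["recordingModeOverrides"] = [{
            "description": "high-churn types still needed by rules", "resourceTypes": sorted(daily),
            "recordingFrequency": "DAILY"}]
    return rec

if __name__ == "__main__":
    result = plan(RECORDERS, RULES, CONFIG_ITEMS)
    print(json.dumps(result, indent=2))
    payload = {"ConfigurationRecorder": scoped_recorder(
        "default", RECORDERS["ConfigurationRecorders"][0]["roleARN"], result["exclude"], result["daily"])}
    # apply with: aws configservice put-configuration-recorder --cli-input-json file://recorder.json
    print(json.dumps(payload, indent=2))
```

With the sample data the ENIs are excluded outright (no rule is scoped to them) while the security group, which `restricted-ssh` depends on, is kept on daily recording instead of being dropped. Write the printed payload to `recorder.json` and apply it with `aws configservice put-configuration-recorder --cli-input-json file://recorder.json`; re-run the count on a schedule so a new high-churn type does not go unnoticed.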