aws_config_config_rule cost estimation
A compliance rule evaluated by AWS Config, billed per rule evaluation. 10,000 evaluations is ~$10; cost scales with resource changes and rule count.
An aws_config_config_rule evaluates whether resources comply with a desired configuration (e.g. "S3 buckets must be encrypted", "instances must be tagged"). Cost is per rule evaluation — ~$0.001 per evaluation, with volume tiers lowering the rate at scale. 10,000 evaluations is ~$10/month. (Conformance-pack rules are priced slightly differently per evaluation.)
A rule is evaluated whenever a relevant resource changes (and optionally on a periodic schedule), so cost scales with two things: how many rules you have and how often the resources they watch change. A rule watching high-churn resources, or a large rule set across a multi-account organization, generates many evaluations.
This is the per-rule companion to the configuration recorder's per-config-item cost — together they're the AWS Config bill. The levers: enable the rules your compliance program actually uses (not every managed rule), scope rules to relevant resource types, and avoid periodic-evaluation rules on a tight schedule where change-triggered evaluation suffices.
c3x prices the rule from monthly evaluations as usage, so projected Config-rule cost can be modelled.
Terraform example
A minimal but realistic configuration that C3X can estimate.
resource "aws_config_config_rule" "s3_encryption" {
name = "s3-bucket-encryption-enabled"
source {
owner = "AWS"
source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
}
}Pricing dimensions
What you actually pay for when you provision aws_config_config_rule.
| Dimension | Unit | What's being charged |
|---|---|---|
| Rule evaluations | per evaluation | ~$0.001 per rule evaluation (tiered down at scale). A rule is evaluated on relevant resource changes and optional schedules. $0.001/evaluation → 10,000 = $10/month |
Sample C3X output
10,000 rule evaluations in a month:
aws_config_config_rule.s3_encryption
└─ Rule evaluations 10,000 $10.00
Monthly $10.00Optimization tips
Common ways to reduce aws_config_config_rule cost without changing the workload.
Enable only the rules you act on
Proportional to rules removedEach rule generates evaluations on every relevant resource change. Enable the rules your compliance program actually uses rather than every available managed rule across every account — unused rules are pure evaluation cost.
Scope rules to relevant resource types
Per evaluation avoidedA rule scoped to specific resource types evaluates fewer changes than one watching everything. Narrow the scope to the resources the rule actually checks.
Prefer change-triggered over tight periodic schedules
Per redundant periodic evaluationPeriodic-evaluation rules on a tight schedule generate evaluations whether or not anything changed. Use change-triggered evaluation where it suffices, and widen periodic intervals.
FAQ
How is an AWS Config rule billed?
Per rule evaluation — ~$0.001 each, tiered down at scale — where a rule is evaluated on relevant resource changes and optional schedules. 10,000 evaluations is ~$10/month. It's the per-rule companion to the configuration recorder's per-config-item cost.
What drives Config-rule cost?
Rule count × how often watched resources change. High-churn resources and large rule sets across many accounts generate many evaluations. Enable only needed rules, scope them tightly, and prefer change-triggered over tight periodic schedules.
How does c3x estimate the cost?
It's usage-driven, so c3x models it from monthly rule evaluations in c3x-usage.yml. Pair with the configuration recorder for the full AWS Config bill.
Related resources
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_config_config_rule.