AWS Accounts and the hidden costs of compliance

The costs of an AWS Account with no provisioned infrastructure


Today I Explained

Even with no deployed applications, an AWS Account ~will~ may still incur costs.

The above statement is a bit of a special case. As organizations grow, they adopt many of AWS’s built-in services for meeting compliance expectations, such as CloudTrail, GuardDuty, Inspector & AWS Config. They also provision things like IAM Roles in each account that permit tooling to scan the account’s infrastructure and identify potentially malicious activity.

Although these seem like lightweight costs, they add up quickly if you aren’t careful. This is how you end up with a single AWS Account that contains no compute resources costing $2000 per year (~$167 monthly) just to exist. Multiply this by an organization using multiple accounts as a means of strictly separating concerns in AWS, and you have a case in which a number of seemingly small compliance decisions add up to a larger cost that is bundled up within the balance sheets.

Rather than going into specific cases, like deploying Lambda & KMS into every AWS region of every account via the Hub & Spoke pattern, this post covers the small charges that add up with these kinds of deployments in each account.

The two sources of these small charges are the fixed costs of resources, and “warm” infrastructure that exists within accounts with limited use-cases.

We’ll start with the idea of fixed costs. AWS has some services with a fixed cost attached, so regardless of usage, you’ll see that cost reflected on the budget. Route53 is a good example: each subdomain hosted zone provisioned within an AWS Account incurs a cost for existing, even if the domain is unused.

Other examples are services like AWS Key Management Service (KMS) or Amazon Elastic Kubernetes Service (EKS).

Although fixed costs are notable, they usually don’t cost as much as “warm” infrastructure: infrastructure provisioned into AWS Accounts to support operations in the account. This includes things like networking via VPCs & NAT instances, or Flow Logs for extended logging.

Rather than being provisioned as needed, this infrastructure is provisioned ahead of time to match the planned capacity of teams like CorpOps, IT, DevOps or Platform Engineering. Although this infrastructure may eventually start being utilized, it isn’t always.

Typically this is exactly the kind of infrastructure you want to routinely audit to ensure compliance needs are being met, which means its mere existence causes additional work for the systems scanning the infrastructure for compliance.

The end result is that this infrastructure exists, very likely without any system to identify & flag its very, very poor utilization. This annoyance gives way to frustration, as these costs are rolled up into larger categories such as infrastructure, compliance or minimum fixed costs, and ultimately go undetected (or are deemed not worth the time to address).
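The missing piece in both the fixed-cost and the warm-infrastructure cases is something that actually flags the idle resources and puts a number on them. The following script is an added example (not code from the original post) of that check: it takes an inventory shaped like the corresponding boto3 describe/list responses for Route53 hosted zones, KMS keys, EKS clusters and NAT gateways, prices them with an assumed placeholder price table, and marks each one idle or in use from a simple usage signal. The `crypto_ops_90d` and `bytes_out_30d` counters, the price figures and the whole sample inventory are constructed for the example; in a real run you would fill them from CloudTrail, CloudWatch and your region’s price list.

```python
"""Baseline-cost audit for an AWS account that runs no application workloads.

Added example, not code from the original post. Prices and the sample inventory
are assumed placeholders; replace them with the account's own data and rates.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730  # the convention the AWS pricing calculator uses

# Assumed on-demand monthly prices in USD (placeholders, not a price list).
PRICE_PER_MONTH = {
    "route53_hosted_zone": 0.50,
    "kms_customer_key": 1.00,
    "eks_cluster": 0.10 * HOURS_PER_MONTH,
    "nat_gateway": 0.045 * HOURS_PER_MONTH,
}

@dataclass
class Finding:
    resource_type: str
    resource_id: str
    monthly_cost: float
    idle: bool
    reason: str

def hosted_zone_is_unused(zone):
    # A fresh zone holds only its apex SOA and NS records; anything else means
    # a name was actually published in it.
    return all(r["Type"] in ("SOA", "NS") for r in zone["ResourceRecordSets"])

def kms_key_is_unused(key):
    # Enabled customer-managed keys bill monthly regardless of use. crypto_ops_90d
    # is a constructed count of Encrypt/Decrypt/GenerateDataKey CloudTrail events.
    return key["KeyState"] == "Enabled" and key["crypto_ops_90d"] == 0

def eks_cluster_is_idle(cluster):
    # A control plane with no node groups and no Fargate profiles bills by the
    # hour while scheduling nothing.
    return (cluster["status"] == "ACTIVE"
            and not cluster["nodegroups"] and not cluster["fargate_profiles"])

def nat_gateway_is_idle(nat):
    # bytes_out_30d stands in for the CloudWatch BytesOutToDestination sum.
    return nat["State"] == "available" and nat["bytes_out_30d"] == 0

def audit(inventory):
    """Price every fixed-cost resource and mark the idle ones."""
    checks = [
        ("route53_hosted_zone", "hosted_zones", "Id", hosted_zone_is_unused, "only SOA/NS records"),
        ("kms_customer_key", "kms_keys", "KeyId", kms_key_is_unused, "no crypto operations in 90 days"),
        ("eks_cluster", "eks_clusters", "name", eks_cluster_is_idle, "no node groups or Fargate profiles"),
        ("nat_gateway", "nat_gateways", "NatGatewayId", nat_gateway_is_idle, "zero bytes out in 30 days"),
    ]
    findings = []
    for rtype, bucket, id_field, is_idle, why in checks:
        for res in inventory[bucket]:
            if rtype == "kms_customer_key" and res["KeyManager"] != "CUSTOMER":
                continue  # AWS-managed keys carry no monthly charge
            idle = is_idle(res)
            findings.append(Finding(rtype, res[id_field], PRICE_PER_MONTH[rtype],
                                    idle, why if idle else "in use"))
    return findings

def summarize(findings):
    """Roll the findings up into the numbers a cost review asks for."""
    total = sum(f.monthly_cost for f in findings)
    idle = sum(f.monthly_cost for f in findings if f.idle)
    return {
        "monthly_total": round(total, 2),
        "monthly_idle": round(idle, 2),
        "annual_idle": round(idle * 12, 2),
        "idle_resources": [f.resource_id for f in findings if f.idle],
    }

# Constructed inventory: the shape mirrors boto3 responses, the values are made up.
SAMPLE_INVENTORY = {
    "hosted_zones": [
        {"Id": "/hostedzone/ZEXAMPLE1", "ResourceRecordSets": [{"Type": "SOA"}, {"Type": "NS"}]},
        {"Id": "/hostedzone/ZEXAMPLE2", "ResourceRecordSets": [{"Type": "SOA"}, {"Type": "NS"}, {"Type": "A"}]},
    ],
    "kms_keys": [
        {"KeyId": "key-unused", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "crypto_ops_90d": 0},
        {"KeyId": "key-busy", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "crypto_ops_90d": 4120},
        {"KeyId": "key-aws-managed", "KeyManager": "AWS", "KeyState": "Enabled", "crypto_ops_90d": 0},
    ],
    "eks_clusters": [
        {"name": "platform-shared", "status": "ACTIVE", "nodegroups": [], "fargate_profiles": []},
    ],
    "nat_gateways": [
        {"NatGatewayId": "nat-idle", "State": "available", "bytes_out_30d": 0},
        {"NatGatewayId": "nat-busy", "State": "available", "bytes_out_30d": 9_800_000_000},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.resource_type:20} {f.resource_id:24} ${f.monthly_cost:8.2f}/mo  {'IDLE' if f.idle else 'ok'}  {f.reason}")
    print(summarize(audit(SAMPLE_INVENTORY)))
```

Run per account (or per account and region for the regional resources) and the `monthly_idle` and `annual_idle` figures become the line item that otherwise disappears into the “infrastructure” or “compliance” roll-up. The idle tests are deliberately conservative, so a resource is only flagged when its own usage metric is zero; tune the lookback windows to match how long a team is allowed to hold pre-provisioned capacity before it has to justify it.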