When a Healthy Compliance Dashboard Hides a $20K AWS Config Bill
A security control that looks healthy can still be economically broken. AWS Config is not the problem. Unscoped control design is.

One of the most expensive security failures is the one that looks compliant.
A team opened its AWS bill and found nearly $20,000 in AWS Config charges. The uncomfortable part was not the number. It was that nothing looked broken.
Pipelines were green. Compliance dashboards were healthy. The control existed everywhere it was supposed to exist.
That was the problem.
Nobody had questioned how AWS Config was set up. Only that it was present.
This is a SecFinOps problem in its cleanest form. Finance sees a large bill. Security sees healthy coverage. Engineering sees no incident. Three teams are looking at the same service and none of them are asking the same question.
The question is not whether AWS Config is enabled.
The question is whether the control was designed in a way that is proportionate to the risk it is meant to reduce.
A Healthy Control Can Still Be Economically Broken
AWS Config charges for the scope of visibility you ask it to maintain. Configuration items recorded. Rules evaluated. Conformance pack evaluations. Aggregation across accounts and regions. It does exactly what you tell it to do.
That matters because many teams enable Config with the same logic they use for logging: broader must be safer.
Record every supported resource type. Turn on every rule pack. Roll it across every account. Aggregate everything centrally. Then never revisit the decision once the dashboard turns green.
The bill that arrives later is not a pricing surprise. It is a design signal. It tells you the control was scoped without a cost model.
This is where SecFinOps becomes useful. The cost anomaly is not separate from the security control. It is evidence about the control.
The Mistake Most Teams Make
Security reviews tend to ask three questions:
- Is the control enabled?
- Is it collecting the right data?
- Is the compliance score acceptable?
All three matter. None of them answers whether the control is economically sensible.
That gap is how a service designed to improve governance quietly becomes a governance failure of its own.
If a security control is generating disproportionate spend, one of four things is usually true:
- The scope is too broad for the actual risk.
- The resource types with the highest change volume were never filtered intelligently.
- The rule set was copied from a benchmark, not designed for the environment.
- The control was rolled out globally before anyone modeled the monthly volume.
None of these is a FinOps-only issue. They are control-design issues.
Why AWS Config Gets Expensive Faster Than Teams Expect
The teams that get surprised by Config bills are usually not negligent. They are usually trying to do the right thing quickly.
An organization adopts a multi-account structure. Security wants consistent visibility. A benchmark recommends organization-wide conformance packs. Platform engineering enables broad recording because narrowing the scope feels risky.
The decision gets made once and then hardens.
But cloud environments are not static. Auto scaling groups churn. EKS creates and replaces resources constantly. Network interfaces, volumes, and ephemeral infrastructure change more often than the original control design assumed. The control remains healthy. The economics quietly drift.
This is the same pattern you see in runaway logging, oversized retention, and duplicated telemetry pipelines. The presence of the control becomes the success metric. The cost of the control stops being anyone’s job.
What Good Looks Like
Good does not mean turning Config off.
Good means treating security controls the same way you treat compute and network architecture. They need scope. They need explicit tradeoffs. They need periodic review.
For AWS Config, that usually means:
- Start with in-scope resource types, not every supported type by default.
- Separate baseline governance controls from high-frequency detective controls.
- Test conformance packs in one account before organization-wide rollout.
- Measure monthly configuration-item volume before and after each expansion.
- Review the noisiest accounts and resource classes every quarter.
The change here is not technical sophistication. It is ownership.
Someone has to be responsible for answering a simple question: what risk reduction are we buying with this control, and is the bill consistent with that answer?
This Is Not a FinOps Cleanup Task
If Finance finds the bill first and opens a cost-reduction ticket, the organization is already framing the problem incorrectly.
The right sequence is:
- Security explains why the control exists.
- Engineering explains how it is scoped and where it is noisy.
- FinOps explains what the current design costs and how that cost is trending.
- One owner decides whether the current control design is justified.
That is not a billing workflow. That is governance.
Fact-check: Is AWS Config the Problem?
No. AWS Config is doing its job.
The problem is the assumption that a security control only needs a coverage model and not an economic model.
That is where SecFinOps starts. Not at the invoice.
A control you do not understand financially is not fully governed. It is just spend with a dashboard attached.
At the moment a security control is designed, scoped, and turned on.
Try CostObserver. Read-only access, no credit card, connects in minutes. Or explore the demo without signing up.
