AWS Cloud Operations Blog
Leveraging custom AWS Config rules to optimize cost saving on AWS
AWS Config assesses, audits, and evaluates the configurations and relationships of your resources in your AWS account. Why might we want to use this service for cost optimization? Well, consider a scenario where we want to be alerted when a specific Amazon Relational Database Service (Amazon RDS) instance type is deployed in the account. If a larger instance type than required is used, it has the potential to incur unexpected costs for the given account.
This blog post demonstrates how to implement a custom rule in AWS Config to optimize cost by monitoring database instances. In scenarios where multiple accounts are used, customers may want to regulate the use of expensive database instances and be notified of any violations. For example, a test account does not necessarily need a production-size instance for building applications. A custom AWS Config rule monitors the account, checking the type of each database instance running. Then, when a non-compliant database instance type is detected, AWS Config flags it.
Overview of solution
The following diagram illustrates the solution architecture:
Figure 1: Solution Overview
The AWS Config custom rule invokes an AWS Lambda function that detects whether a provisioned Amazon RDS database instance violates pre-defined cost controls. The function is invoked every time a new Amazon RDS database instance is detected in the account. The AWS Lambda function checks the instance type to ensure that it matches an approved instance type. Nothing happens if the resource is evaluated as compliant. If the resource is evaluated as non-compliant, the Lambda function sends an alert through an Amazon Simple Notification Service (Amazon SNS) topic to the administration team, which allows the account administrators to take corrective action.
Walkthrough
In this walkthrough, we will guide you through the following steps to demo the overall procedure presented in the solution diagram above.
Disclaimer: All code provided here should be evaluated in non-production environments.
- Create necessary resources via AWS CloudFormation template
- Confirm the Amazon SNS topic subscription
- Create an Amazon RDS instance to verify that the AWS Config custom rule is working
The prerequisites for this walkthrough are as follows:
- An AWS account in which you have administrator permission.
- The AWS Config service is set up in the Region you will use for this walkthrough. If not, follow the documentation for 1-click setup of AWS Config.
Figure 2: Setup AWS Config
Step 1: Create resources using AWS CloudFormation Template
Download and launch this AWS CloudFormation template to deploy the AWS Lambda function, AWS Config custom rule, Amazon SNS topic, and other related resources.
Note: Resources deployed will incur costs. Remember to clean up resources following instructions in the “Cleaning Up” section below.
To create the resources using the AWS CloudFormation template, complete the following steps:
- Sign in to the AWS Management Console
- Navigate to the AWS CloudFormation Console > Create Stack > “With new resources”
- Upload the YAML template file and choose Next
- Specify a “Stack Name” and enter an email address for the “NotificationEmail” parameter, then choose Next
- Leave the “Configure stack options” at default values and choose Next
- Review the details on the final screen and under “Capabilities” check the box for “I acknowledge that AWS CloudFormation might create IAM resources with custom names”
- Choose Submit
Figure 3: Stack Creation Acknowledgement
Note: After the stack creation is submitted, you can view its progress under AWS CloudFormation > Stacks > Stack_Name > Events tab.
Once the stack is successfully created, you will see several resources deployed into your AWS account: the AWS Config rule, the AWS Lambda function, the Amazon SNS topic, and the corresponding AWS IAM roles.
Step 2: Confirm the Amazon SNS topic subscription
After Step 1 completes, you should receive an email from “sns.amazonaws.com” with the subject “AWS Notification – Subscription Confirmation” at the email address provided in Step 1. The email content should look like the screenshot below.
Figure 4: Subscription Confirmation Email
Click the “Confirm Subscription” link in the email to confirm the Amazon SNS topic subscription registered on this email address.
Note: You can verify the subscription status under Simple Notification Service > Topics > aws-config-demo-topic > Subscriptions tab, as shown below.
Figure 5: AWS SNS Subscription Confirmed
Step 3: Create an Amazon RDS instance
In this step, we’ll create an Amazon RDS for MySQL instance, which triggers the AWS Config rule to check the size of the instance and determine whether the account administrators need to be alerted. In this example, the instance size created is “db.r6g.large”.
To create this Amazon RDS instance, complete the following steps:
- Sign in to the AWS Management Console
- Navigate to the Amazon RDS Console > Databases > “Create database”
- Choose “Easy create” option and “MySQL” as engine type
Figure 6: RDS Engine
- Choose “Dev/Test” as the DB instance size and check the “Auto generate a password” option. We’ll remove this RDS instance after the walkthrough, so we don’t need to keep this password.
Figure 7: RDS Instance Size
- Leave the other options at their default values and choose “Create database”. By default, this database is created in the default VPC, or in a new VPC if no default VPC exists. If this setup doesn’t suit your scenario, choose “Standard create” and change the settings.
Figure 8: Create Database
- After this Amazon RDS instance is created, you should receive a notification email in your inbox within a few minutes.
The AWS Lambda function invoked by the custom rule in AWS Config checks whether the Amazon RDS instance was created with a size of “db.t3.micro”. Since our instance is “db.r6g.large”, this RDS instance is evaluated as non-compliant in AWS Config and an alert email is sent out. Below is the code snippet used in the Lambda function to evaluate the RDS instance resource.
import logging

# Lambda's runtime configures the root logger; we only set the level here.
logger = logging.getLogger()
logger.setLevel(logging.INFO)


def is_compliant(configurationItem):
    # configurationItem is the AWS Config configuration item for the RDS instance;
    # its 'configuration' block carries the instance class under 'dBInstanceClass'.
    logger.info(f"Resource to be evaluated->{configurationItem}")
    if configurationItem['configuration']['dBInstanceClass'] == 'db.t3.micro':
        return True
    else:
        return False
You can view the complete code of the Lambda function from Lambda > Functions > aws-config-demo-lambda > Code tab.
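As an added example (not the function deployed by the post's template), the following handler wraps the same instance-class check in the full custom-rule flow: it parses the invocation event AWS Config sends, reports the evaluation back with put_evaluations, and publishes to SNS only when the instance is non-compliant. The SNS_TOPIC_ARN environment variable and the sample_event helper (with its constructed “db-EXAMPLE” resource) are assumptions for local testing, not values from the post.

```python
import json
import logging
import os
logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Approved instance classes; the post's rule allows only db.t3.micro.
ALLOWED_CLASSES = {"db.t3.micro"}

def evaluate(event):
    """Turn an AWS Config custom-rule invocation into one put_evaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    deleted = item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if item["resourceType"] != "AWS::RDS::DBInstance" or deleted:
        compliance, note = "NOT_APPLICABLE", "Not an active RDS DB instance"
    else:
        klass = item["configuration"]["dBInstanceClass"]
        if klass in ALLOWED_CLASSES:
            compliance, note = "COMPLIANT", f"{klass} is an approved instance class"
        else:
            compliance, note = "NON_COMPLIANT", f"{klass} is not in {sorted(ALLOWED_CLASSES)}"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Report the result to AWS Config and alert via SNS when non-compliant."""
    import boto3  # imported here so evaluate() runs locally without AWS credentials
    evaluation = evaluate(event)
    logger.info("Evaluation: %s", evaluation)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    if evaluation["ComplianceType"] == "NON_COMPLIANT":
        boto3.client("sns").publish(  # SNS_TOPIC_ARN is an assumed environment variable
            TopicArn=os.environ["SNS_TOPIC_ARN"],
            Subject="Non-compliant RDS instance class detected",
            Message=json.dumps(evaluation, default=str),
        )
    return evaluation

def sample_event(instance_class, status="OK"):
    """Constructed Config invocation event (not a real capture) for local testing."""
    item = {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-EXAMPLE",
            "configurationItemStatus": status, "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"dBInstanceClass": instance_class}}
    return {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "TESTMODE"}
```

Deleted instances are reported as NOT_APPLICABLE rather than NON_COMPLIANT so that a removed database does not keep raising alerts.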
Cleaning up
To avoid incurring charges from the resources deployed in the walkthrough, delete them with the following steps.
- Delete the Amazon RDS instance
- Delete the AWS CloudFormation stack
Conclusion
In this blog post, we discussed how to implement custom AWS Config rules to manage costs in your AWS account. We walked through a specific use case that validates the Amazon RDS instance type. If you would like to learn more about custom rules with AWS Config, take a look at Setting up a custom AWS Config rule that checks OS CIS compliance.