I tried customizing the Config Recorder settings in Control Tower management
Hello, I'm Itakura from the Consulting Department in the Cloud Business Division.
## Introduction
The AWS Config Recorder configuration created by AWS Control Tower records "all resource types with customizable overrides" in "continuous" mode, as shown below.
When using Lambda in VPC, ECS / Fargate, Auto Scaling, etc., ENI creation and deletion may occur frequently, which can cause AWS Config costs to skyrocket for certain systems running on AWS.
In such cases, you might want to exclude the resource type `AWS::EC2::NetworkInterface` from recording via override settings, but you should not make this change directly in the management console. In fact, you cannot make the change.
This is because the SCP created by Control Tower restricts changes to the Config Recorder settings.
In this article, I will introduce how to modify AWS Config Recorder settings created by Control Tower, with reference to the following AWS official blog post.
Customize AWS Config Resource Tracking in AWS Control Tower Environment | Amazon Web Services Blog
## Let's Try It
### Download the Template
Download the `template.yml` file from the Git repository below.

https://github.com/aws-samples/aws-control-tower-config-customization

### Deploy Template with Management Account
Navigate to the CloudFormation service page in the Control Tower home region on the management account, and click "Create stack" then "With new resources (standard)".
Select and upload the following, then click "Next":
- Prepare template: Choose existing template
- Template source: Upload a template file
- Upload template file: template.yml
Enter the following information and click "Next":
- Stack name: (enter as appropriate)
- CloudFormationVersion
  - OK to leave as 1 for the initial deployment
- ExcludedAccounts
  - According to the notes, you need to include at least the management account, log archive account, and audit account IDs
- ConfigRecorderExcludedResourceTypes: AWS::EC2::NetworkInterface
  - Enter resource types to exclude from recording
  - It's recommended to copy and paste from the Resource Type Value in Resource types supported by AWS Config
- ConfigRecorderDailyResourceTypes, ConfigRecorderDailyGlobalResourceTypes
  - You can specify resource types to be set as daily rather than continuous
  - I left these empty for this implementation
- Other items were left at their defaults
On the "Configure stack options" screen, leave the defaults, check the acknowledgment at the bottom, and click "Next".
On the "Review and create" screen, after confirming the parameters, click "Submit" at the bottom of the page.
In my environment, the deployment was completed in about 2 minutes.
### Check Config Settings in Member Accounts
Log in to a member account and check the settings from the AWS Config service page.
When opening a resource type with override settings, I confirmed that `AWS::EC2::NetworkInterface` has been changed to excluded from recording.
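As an added check to complement the console confirmation (example code written for this article, not part of the original post or the aws-samples project): it reads the output of `describe_configuration_recorders` in a member account and reports any resource type that is still recorded, or not set to DAILY, against the stack parameters. The recorder document embedded below is a constructed sample, and the daily check assumes the daily types are applied as per-type recording-mode overrides.

```python
# Constructed sample of one entry from describe_configuration_recorders()
# after the customization stack has run; not captured from a real account.
SAMPLE_RECORDER = {
    "name": "aws-controltower-BaselineConfigRecorder",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": [],
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::EC2::NetworkInterface"]},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    },
    "recordingMode": {"recordingFrequency": "CONTINUOUS", "recordingModeOverrides": []},
}

def is_recorded(group, resource_type):
    """Apply the recorder's recording strategy to decide whether one type is recorded."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in excluded
    if strategy == "INCLUSION_BY_RESOURCE_TYPES" or (strategy is None and not group.get("allSupported")):
        return resource_type in group.get("resourceTypes", [])
    return True  # ALL_SUPPORTED_RESOURCE_TYPES, or a legacy recorder with allSupported=True

def check_recorder(recorder, expect_excluded, expect_daily=()):
    """Return the mismatches between a recorder and the stack parameters (empty list = OK)."""
    problems = []
    group = recorder.get("recordingGroup", {})
    for rt in expect_excluded:  # ConfigRecorderExcludedResourceTypes
        if is_recorded(group, rt):
            problems.append(f"{rt} is still being recorded")
    # Assumes daily types are applied as per-type recording-mode overrides.
    daily = set()
    for override in recorder.get("recordingMode", {}).get("recordingModeOverrides", []):
        if override.get("recordingFrequency") == "DAILY":
            daily.update(override.get("resourceTypes", []))
    for rt in expect_daily:  # ConfigRecorderDailyResourceTypes / ConfigRecorderDailyGlobalResourceTypes
        if rt not in daily:
            problems.append(f"{rt} is not set to DAILY recording")
    return problems

if __name__ == "__main__":
    import boto3  # imported here so the offline check above needs no SDK or credentials

    # Run with credentials for a member account to verify its live recorder.
    for rec in boto3.client("config").describe_configuration_recorders()["ConfigurationRecorders"]:
        found = check_recorder(rec, ["AWS::EC2::NetworkInterface"])
        print(rec["name"], "OK" if not found else "; ".join(found))
```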
## Finally
I introduced a method to customize the Config recorder settings managed by Control Tower.
This time we only set up `AWS::EC2::NetworkInterface` to be excluded from recording, but if you have resource types that you want to change to daily recording, you can configure this by entering the target resource types in ConfigRecorderDailyResourceTypes (or ConfigRecorderDailyGlobalResourceTypes).
If you had given up on customizing Config recorders because you thought resources managed by Control Tower couldn't be changed, I hope you'll consider using this solution.
I hope this article is helpful to someone.