Response to unexpected AWS Config cost increases after enabling AWS Systems Manager integrated console
Hello. My name is Kimura from the Cloud Business Division.
Have you been using the AWS Systems Manager integrated console that was added in last year's update? I think it was quite a good update that made it easier to check environments with many EC2 instances across multiple accounts.
Article from when AWS Systems Manager integrated console was added
However, there are cases where unexpected cost increases can occur if you don't take precautions when enabling and using it, so in this article I'd like to summarize the examples, how to check for issues, and how to address them.
Conclusion First
- When Amazon Inspector and AWS Systems Manager integrated console's inventory metadata collection are enabled simultaneously, Config costs may increase.
- In addition to the above, if there are three or more associations of AWS-GatherSoftwareInventory via SSM Quick Setup, etc., costs may increase even further.
- The breakdown of Config recording counts can be checked from CloudWatch.
- In cases where records are increasing, disabling the AWS Systems Manager integrated console's inventory metadata collection can help suppress costs.
About Cost Increases
Factors Leading to Cost Increases
First, the cost increase is caused by an increase in the number of Config recordings.
With Config's default continuous recording, each recording costs USD 0.003 (in the Tokyo region).
When the conditions described below align, a large number of SSM::AssociationCompliance records are created. This is because the compliance state of the AWS-GatherSoftwareInventory association frequently alternates between COMPLIANT and NON_COMPLIANT, and each alternation is recorded.
For reference only, in environments where Inspector, SSM Quick Setup, and integrated console inventory metadata collection were associated, approximately 100 recordings per day per instance were observed on average (a cost increase of about 0.3 USD).
In an example environment with 100 instances running, this is estimated to increase costs by about 900 USD per month.
Conditions That Lead to Cost Increases
After testing in three environments (two multi-account and one single-account), we confirmed that SSM::AssociationCompliance is regularly recorded when the following conditions are met:
- EC2 instances are running and under SSM management.
- AWS-GatherSoftwareInventory is associated with SSM. (Mainly expected with Inspector, SSM Quick Setup, etc.)
- AWS Systems Manager integrated console's inventory metadata collection is enabled.
As introduced in the blog below, it is presumed that unexpected issues occur when multiple AWS-GatherSoftwareInventory executions run:
Additionally, we confirmed that when multiple AWS-GatherSoftwareInventory associations are made (Inspector enabled and SSM Quick Setup), records are created even more frequently. If your case meets these conditions, the cost example mentioned earlier (cost increase of 0.3 USD per instance) can be expected, so I recommend checking your record count urgently.

## Checking the number of Config records
To determine whether the number of SSM::AssociationCompliance records is causing cost increases, checking the number of Config records is the most reliable and easiest method.
For details, please refer to the following blog which provides a clear explanation.
As introduced in the above blog, you can check how many SSM::AssociationCompliance records are being recorded as shown below.
- Number of records in an environment where Amazon Inspector is enabled, AWS Systems Manager integrated console inventory metadata collection is enabled, and one instance is running
- Number of records in an environment where Amazon Inspector is enabled, AWS Systems Manager integrated console inventory metadata collection is enabled, AWS-GatherSoftwareInventory is associated through SSM Quick Setup, and one instance is running
As you can see, it's easy to check the number of records.
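The same check can be scripted. The following is an added example, not code from the original article: it builds the CloudWatch GetMetricData query for the AWS/Config ConfigurationItemsRecorded metric filtered to the AWS::SSM::AssociationCompliance resource type, then projects the monthly cost at the USD 0.003 per recording quoted above. The function names, the `SampleCloudWatch` stand-in and its values are constructed for illustration; in a real account you would pass `boto3.client("cloudwatch")` and your own instance count.

```python
from datetime import datetime, timedelta, timezone

PRICE_PER_RECORD_USD = 0.003  # continuous recording price quoted in the article (Tokyo)
RESOURCE_TYPE = "AWS::SSM::AssociationCompliance"

def build_query(resource_type=RESOURCE_TYPE, days=7, now=None):
    """Arguments for CloudWatch GetMetricData: daily sums of Config recordings."""
    end = (now or datetime.now(timezone.utc)).replace(minute=0, second=0, microsecond=0)
    return {
        "StartTime": end - timedelta(days=days),
        "EndTime": end,
        "MetricDataQueries": [{
            "Id": "recorded",
            "MetricStat": {
                "Metric": {
                    "Namespace": "AWS/Config",
                    "MetricName": "ConfigurationItemsRecorded",
                    "Dimensions": [{"Name": "ResourceType", "Value": resource_type}],
                },
                "Period": 86400,  # one datapoint per day
                "Stat": "Sum",
            },
        }],
    }

def daily_counts(cloudwatch, **kwargs):
    """Run the query on a CloudWatch client, e.g. boto3.client("cloudwatch")."""
    resp = cloudwatch.get_metric_data(**build_query(**kwargs))
    return [int(v) for r in resp["MetricDataResults"] for v in r["Values"]]

def estimate(counts, instances, price=PRICE_PER_RECORD_USD):
    """Average recordings per instance per day and the projected 30-day cost."""
    if not counts or instances < 1:
        return {"per_instance_per_day": 0.0, "monthly_usd": 0.0}
    per_day = sum(counts) / len(counts)
    return {
        "per_instance_per_day": round(per_day / instances, 1),
        "monthly_usd": round(per_day * price * 30, 2),
    }

class SampleCloudWatch:
    """Constructed stand-in for the client so the example runs offline."""
    def get_metric_data(self, **query):
        return {"MetricDataResults": [{"Id": "recorded", "Values": [9800.0, 10100.0, 10100.0]}]}

if __name__ == "__main__":
    counts = daily_counts(SampleCloudWatch(), days=3)
    print(estimate(counts, instances=100))
```

A per-instance rate near the 100 recordings per day reported above suggests the environment matches the conditions described in this article.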
If there are many records, please consider the following measures.
Solutions
As covered in a previous blog post, an update in May 2025 made it possible to customize AWS Systems Manager integrated console inventory metadata collection.
For update details, please refer to the following blog.
By using this newly added feature, you can stop the AWS Systems Manager integrated console inventory metadata collection, which is one of the conditions causing cost increases.
To stop it, you need to follow these steps.
First, select Edit from the settings screen to navigate to the edit screen.
From the settings screen, uncheck "Enable inventory metadata collection" and select Submit.
If you're enabling this from now on, uncheck the following box when enabling it.
By taking this action, we were able to confirm that the continuous recording of SSM::AssociationCompliance was stopped.
Also, we confirmed that the AWS-GatherSoftwareInventory association created by Inspector, etc., that was used from the beginning remains, and inventory collection continues to be performed.

## Summary
I introduced an example where the AWS Systems Manager integrated console, while being a convenient and very good feature, can cause unintended cost increases in some cases.
I hope you will check if such unintended charges are occurring in your environment as well.
When I first noticed the cost increase, it took time to understand the reason. I hope this article helps you identify the cause and leads to cost reduction for everyone.
This was brought to you by Kimura from the Cloud Business Division.