AWS Control Tower + AWS Config: Safe to temporarily disable SCP, modify recorder, and re-enable?
Hi everyone,
I'm working in an AWS Control Tower environment and trying to optimize AWS Config costs.
Current setup:
• AWS Config is enabled through Control Tower.
• Recording strategy is "Record all resource types with customizable overrides".
• Recording frequency is Continuous.
The environment is generating a very large number of Configuration Items, leading to significant monthly costs.
When I try to modify the Configuration Recorder, I get:
AccessDenied
config:PutConfigurationRecorder
Context:
A service control policy explicitly denies the action
I traced this back to Control Tower preventive controls such as:
• AWS-GR_CONFIG_CHANGE_PROHIBITED
• AWS-GR_CONFIG_ENABLED
• AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
These are implemented using SCPs.
My question is:
Has anyone temporarily detached or disabled the Config-related SCP, updated the AWS Config recording strategy (for example, recording only compliance-critical resource types), and then reattached the SCP?
Specifically, I'm trying to understand:
1. Is this a supported approach?
2. Does Control Tower detect this as drift and automatically revert the recorder?
3. Could this impact Control Tower guardrails or future landing zone updates?
4. Has anyone reduced the recording scope without breaking compliance or Control Tower functionality?
Looking for real-world experiences and best practices before making any changes.
Thanks!
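Added example (not part of the original post): a small Python helper that recognises the "all resource types, continuous" recorder setup described above and builds the reduced-scope recorder definition the post proposes, keeping the compliance-critical types continuous and dropping everything else to daily, without ever turning the recorder off. The sample recorder JSON, the account id and the list of critical types are constructed; the field names are the AWS Config PutConfigurationRecorder API names as I know them, and the SCP still has to permit the call before this payload can be applied.

```python
"""Classify an AWS Config recorder's scope and build a lower-cost definition that
keeps recording enabled while moving non-critical resource types to DAILY.
Field names follow the AWS Config PutConfigurationRecorder API as recalled by
the author of this example; the sample recorder below is constructed."""
import json

# Constructed sample of one entry from `aws configservice describe-configuration-recorders`
# for the setup in the question: every supported type, recorded on every change.
SAMPLE_RECORDER = {
    "name": "example-recorder",
    "roleARN": "arn:aws:iam::123456789012:role/example-config-recorder-role",
    "recordingGroup": {
        "allSupported": True,
        "includeGlobalResourceTypes": True,
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
    },
    "recordingMode": {"recordingFrequency": "CONTINUOUS"},
}

# Constructed list of types the asker would keep on continuous recording.
COMPLIANCE_CRITICAL = ["AWS::IAM::Role", "AWS::IAM::Policy", "AWS::EC2::SecurityGroup",
                       "AWS::S3::Bucket", "AWS::KMS::Key"]

def records_everything_continuously(recorder):
    """True when all supported types are recorded on every change (the costly case)."""
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    all_types = group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES"
    mode = recorder.get("recordingMode", {})
    return bool(all_types and mode.get("recordingFrequency", "CONTINUOUS") == "CONTINUOUS"
                and not mode.get("recordingModeOverrides"))

def reduced_cost_recorder(recorder, critical_types):
    """Keep name, role and full scope; only lower the frequency of non-critical types.
    Recording itself stays on, so the intent of AWS-GR_CONFIG_ENABLED is preserved."""
    new = json.loads(json.dumps(recorder))  # deep copy; the input is left untouched
    new["recordingMode"] = {
        "recordingFrequency": "DAILY",
        "recordingModeOverrides": [{
            "description": "compliance-critical types stay continuous",
            "resourceTypes": sorted(critical_types),
            "recordingFrequency": "CONTINUOUS",
        }],
    }
    return new

def as_cli_json(recorder):
    """Payload shape for `aws configservice put-configuration-recorder --cli-input-json`."""
    return json.dumps({"ConfigurationRecorder": recorder}, indent=2)

if __name__ == "__main__":
    print("records everything continuously:", records_everything_continuously(SAMPLE_RECORDER))
    print(as_cli_json(reduced_cost_recorder(SAMPLE_RECORDER, COMPLIANCE_CRITICAL)))
```

Run it against the real recorder by replacing SAMPLE_RECORDER with the entry from describe-configuration-recorders; the check only reads the recorder, and the generated payload still needs the SCP to allow config:PutConfigurationRecorder before it can be applied.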