Cost
You are responsible for the cost of the AWS services used to run this solution.
As of this revision, the estimated monthly costs are:
- Small deployment (10 accounts, 1 region - US East/N. Virginia): Approximately $20.73 for 300 remediations/month
- Medium deployment (100 accounts, 1 region - US East/N. Virginia): Approximately $136.57 for 3,000 remediations/month
- Large deployment (1,000 accounts, 10 regions): Approximately $10,460.80 for 30,000 remediations/month
Important
Prices are subject to change. For full details, refer to the pricing page for each AWS service used in this solution.
Note
Many AWS Services include a Free Tier - a baseline amount of the service that customers can use at no charge. Actual costs may be more or less than the pricing examples provided.
We recommend creating a budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each AWS service used in this solution.
Sample cost table
The total cost to run this solution depends on the following factors:
- The number of AWS Security Hub member accounts
- The number of active automatically-invoked remediations
- The frequency of remediation
This solution uses the following AWS components, which incur a cost based on your configuration. Pricing examples are provided for small, medium, and large organizations.
| Service | Free Tier | Pricing [USD] |
|---|---|---|
| AWS Systems Manager Automation | No free tier | Each basic step is charged at $0.002 per step. For multi-account automations, all steps including those run in any child accounts are counted only in the originating account. |
| | No free tier | Each |
| | No free tier | $0.046 per GB per month |
| | No free tier | $0.900 per GB transferred (for cross-account or out-of-Region) |
| AWS Security Hub (security checks) | No free tier | First 100,000 checks/account/Region/month cost $0.0010 per check; next 400,000 checks/account/Region/month cost $0.0008 per check; over 500,000 checks/account/Region/month cost $0.0005 per check |
| AWS Security Hub (finding ingestion events) | First 10,000 events/account/Region/month are free. Finding ingestion events associated with Security Hub's security checks. | Over 10,000 events/account/Region/month cost $0.00003 per event |
| Amazon CloudWatch - Metrics | Basic Monitoring Metrics (at 5-minute frequency); 10 Detailed Monitoring Metrics (at 1-minute frequency); 1 Million API requests (not applicable to GetMetricData, GetInsightRuleReport and GetMetricWidgetImage) | First 10,000 metrics cost $0.30 per metric/month; next 240,000 metrics cost $0.10 per metric/month; next 750,000 metrics cost $0.05 per metric/month; over 1,000,000 metrics cost $0.02 per metric/month; API calls cost $0.01 per 1,000 requests |
| Amazon CloudWatch - Dashboards | 3 Dashboards for up to 50 metrics per month | $3.00 per dashboard per month |
| Amazon CloudWatch - Alarms | 10 Alarm metrics (not applicable to high-resolution alarms) | Standard Resolution (60 sec) costs $0.10 per alarm metric; High Resolution (10 sec) costs $0.30 per alarm metric; Standard Resolution Anomaly Detection costs $0.30 per alarm; High Resolution Anomaly Detection costs $0.90 per alarm; Composite costs $0.50 per alarm |
| Amazon CloudWatch Logs | 5GB Data (ingestion, archive storage, and data scanned by Logs Insights queries) | $0.50 per GB |
| Amazon CloudWatch Logs Insights | 5GB Data (ingestion, archive storage, and data scanned by Logs Insights queries) | $0.005 per GB of data scanned |
| AWS Lambda - Requests | 1M free requests per month | $0.20 per 1M requests |
| AWS Lambda - Duration | 400,000 GB-seconds of compute time per month | $0.0000166667 for every GB-second. The price for Duration depends on the amount of memory you allocate to your function. You can allocate any amount of memory to your function between 128MB and 10,240MB, in 1MB increments. |
| AWS Step Functions | 4,000 free state transitions per month | $0.025 per 1,000 state transitions thereafter |
| Amazon EventBridge | All state change events published by AWS services are free | Custom events cost $1.00/million custom events published; third-party (SaaS) events cost $1.00/million events published; cross-account events cost $1.00/million cross-account events sent |
| Amazon SNS | First 1 million Amazon SNS requests per month are free | $0.50 per 1 million requests thereafter |
| Amazon SQS | First 1 million Amazon SQS requests per month are free | $0.40 per 1 million to 100 billion requests thereafter |
| Amazon DynamoDB | First 25GB of storage is free | $2.00 per 1 million consistent reads and writes thereafter |
| AWS Key Management Service | 20,000 requests/month | $1.00 per 1 KMS key. For KMS keys that you rotate automatically or on demand, the first and second rotation of the key adds $1/month (prorated hourly) in cost. |
| Amazon Cognito | In the Essentials tier, the first 10,000 Monthly Active Users are free. Note: This free tier is 50 Monthly Active Users when users authenticate via external IdP (SAML/OIDC). | $0.015 per Monthly Active User greater than 10,000 users. |
| Amazon CloudFront | Free tier includes 1 TB of data transfer out and 10,000,000 HTTP or HTTPS Requests per month. | (US/Canada/Mexico) First 9TB is $0.085 per month; next 40TB is $0.080 per month; $0.0075 per HTTP request; $0.0100 per HTTPS request. |
| Amazon S3 | No Free Tier | First 50 TB is $0.023 per GB per month; $0.005 per 1,000 PUT, COPY, POST, LIST requests; $0.0004 per 1,000 GET, SELECT, and all other requests. |
| Amazon API Gateway | 1 Million REST API calls in the first 12 months of usage. | $3.50 per million for the first 333 million API calls. |
Pricing examples (monthly)
Example 1: 300 remediations per month
- 10 accounts, 1 Region
- 30 remediations per account/Region/month
- 500 Security Hub findings processed per account/Region/month
- Web UI disabled
- Action Log disabled
- Total cost $20.73 per month

| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| AWS Systems Manager Automation | Steps: ~4 steps * 300 remediations * $0.002 = $2.40; Duration: 10s * 300 remediations * $0.00003 = $0.09 | $2.49 |
| AWS Security Hub | No billable services utilized | $0 |
| Amazon CloudWatch Logs | $0.50 per GB | < $0.01 |
| AWS Lambda - Requests | 300 remediations * 7 requests = 2,100 requests; 5,000 findings * 1 request = 5,000 requests; $0.20 / 1,000,000 requests = $0.0000002 per request | $0.00142 |
| AWS Lambda - Duration | (512MB Memory) 4,000ms * 300 remediations * $0.0000000083 = $0.00996; 449ms * 5,000 findings * $0.0000000083 = $0.0186 | $0.029 |
| AWS Step Functions | 19 state transitions * 300 remediations = 5,700; $0.025 * (5,700/1,000) state transitions = $0.14 | $0.14 |
| Amazon EventBridge rules | No charge for rules | $0 |
| AWS Key Management Service | 1 key * 10 accounts * 1 Region * $1 = $10; (Encrypt/Decrypt API requests) (300 remediations * 2 requests) + (5,000 findings * 4 requests) = 20,600 requests; $0.03 per 10,000 requests ⇒ $0.03 * (20,600 / 10,000) = $0.06 | $10.06 |
| Amazon DynamoDB | $2.00 * 1,000,000 read and writes = $2.00; (Findings Table) 15MB * 10 accounts * 1 region = 150MB; (History Table) 10MB * 10 accounts * 1 region = 100MB; $0.25 per GB-month * 0.25 GB = $0.0625 | $2.0625 |
| Amazon SQS | $0.40 * 1,000,000 requests = $0.40 | $0.40 |
| Amazon SNS | $0.50 * (600 / 1,000,000 notifications) = $0.0003 | $0.0003 |
| Amazon CloudWatch - Metrics | (Enhanced Metrics Disabled) $0.30 * 7 custom metrics = $2.10; $0.01 * (300 put metrics API calls / 1,000) = $0.003 | $2.10 |
| Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
| Amazon CloudWatch - Alarms | (Enhanced Metrics Disabled) $0.10 * 4 alarms = $0.40 | $0.40 |
| Amazon CloudWatch - X-Ray Traces | 300 remediations * 7 requests = 2,100 Lambda invocations; 5,000 findings * 1 request = 5,000 Lambda invocations; $0.000005 per trace * 7,100 traces = $0.0355 | $0.0355 |
| Total | | $20.73 |
Example 2: 300 remediations per month (Web UI Enabled)
- 10 accounts, 1 Region
- 30 remediations per account/Region/month
- 5,000 Security Hub findings processed per account/Region/month
- Web UI enabled
- Action Log disabled
- Total cost $36.35 per month

| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| AWS Systems Manager Automation | Steps: ~4 steps * 300 remediations * $0.002 = $2.40; Duration: 10s * 300 remediations * $0.00003 = $0.09 | $2.49 |
| AWS Security Hub | No billable services utilized | $0 |
| Amazon CloudWatch Logs | $0.50 per GB | < $0.01 |
| AWS Lambda - Requests | 300 remediations * 7 requests = 2,100 requests; 5,000 findings * 1 request = 5,000 requests; $0.20 / 1,000,000 requests = $0.0000002 per request | $0.00142 |
| AWS Lambda - Duration | (512MB Memory) 4,000ms * 300 remediations * $0.0000000083 = $0.00996; 449ms * 5,000 findings * $0.0000000083 = $0.0186 | $0.029 |
| AWS Step Functions | 19 state transitions * 300 remediations = 5,700; $0.025 * (5,700/1,000) state transitions = $0.14 | $0.14 |
| Amazon EventBridge rules | No charge for rules | $0 |
| AWS Key Management Service | 1 key * 10 accounts * 1 Region * $1 = $10; (Encrypt/Decrypt API requests) (300 remediations * 2 requests) + (5,000 findings * 4 requests) = 20,600 requests; $0.03 per 10,000 requests ⇒ $0.03 * (20,600 / 10,000) = $0.06 | $10.06 |
| Amazon DynamoDB | $2.00 * 1,000,000 read and writes = $2.00; (Findings Table) 15MB * 10 accounts * 1 region = 150MB; (History Table) 10MB * 10 accounts * 1 region = 100MB; $0.25 per GB-month * 0.25 GB = $0.0625 | $2.0625 |
| Amazon SQS | $0.40 * 1,000,000 requests = $0.40 | $0.40 |
| Amazon SNS | $0.50 * (600 / 1,000,000 notifications) = $0.0003 | $0.0003 |
| Amazon CloudWatch - Metrics | (Enhanced Metrics Disabled) $0.30 * 7 custom metrics = $2.10; $0.01 * (300 put metrics API calls / 1,000) = $0.003 | $2.10 |
| Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
| Amazon CloudWatch - Alarms | (Enhanced Metrics Disabled) $0.10 * 4 alarms = $0.40 | $0.40 |
| Amazon CloudWatch - X-Ray Traces | 300 remediations * 7 requests = 2,100 Lambda invocations; 5,000 findings * 1 request = 5,000 Lambda invocations; $0.000005 per trace * 7,100 traces = $0.0355 | $0.0355 |
| Amazon Cognito | (Essentials Tier) 500 Monthly Active Users | $0 |
| Amazon CloudFront | Regional Data Transfer Out to Origin (per GB) = $0.020; Regional Data Transfer Out to Internet (per GB) = $0.085; Request Pricing for All HTTP Methods (per 10,000) = $0.0075 | $0.1125 |
| Amazon S3 | (UI Hosting) $0.023 per GB * 0.002 GB = $0.000046; (History Export) $0.023 per GB * 0.50 GB = $0.0125; $0.0004 per 1,000 GET requests | $0.0125 |
| AWS WAF | 1 Web ACL = $5.00 per month; 7 rules * $1.00 per rule = $7.00 | $12 |
| Amazon API Gateway | $3.50 per million REST API calls | $3.50 |
| Total | | $36.35 |
Example 3: 3,000 remediations per month
- 100 accounts, 1 Region
- 30 remediations per account/Region/month
- 500 Security Hub findings processed per account/Region/month
- Web UI disabled
- Action Log disabled
- Total cost $136.57 per month

| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| AWS Systems Manager Automation | Steps: ~4 steps * 3,000 remediations * $0.002 = $24.00; Duration: 10s * 3,000 remediations * $0.00003 = $0.90 | $24.90 |
| AWS Security Hub | No billable services utilized | $0 |
| Amazon CloudWatch Logs | $0.50 per GB | < $0.01 |
| AWS Lambda - Requests | 3,000 remediations * 7 requests = 2,100 requests; 50,000 findings * 1 request = 50,000 requests; $0.20 / 1,000,000 requests = $0.0000002 per request | $0.01 |
| AWS Lambda - Duration | (512MB Memory) 4,000ms * 3,000 remediations * $0.0000000083 = $0.0996; 449ms * 50,000 findings * $0.0000000083 = $0.186 | $0.29 |
| AWS Step Functions | 19 state transitions * 3,000 remediations = 57,000; $0.025 * (57,000/1,000) state transitions = $1.425 | $1.425 |
| Amazon EventBridge rules | No charge for rules | $0 |
| AWS Key Management Service | 1 key * 100 accounts * 1 Region * $1 = $100; (Encrypt/Decrypt API requests) (3,000 remediations * 2 requests) + (50,000 findings * 4 requests) = 206,000 requests; $0.03 per 10,000 requests ⇒ $0.03 * (206,000 / 10,000) = $0.618 | $100.618 |
| Amazon DynamoDB | $2.00 * 1,000,000 read and writes = $2.00; (Findings Table) 15MB * 100 accounts * 1 region = 1,500MB; (History Table) 10MB * 100 accounts * 1 region = 1,000MB; $0.25 per GB-month * 2.5 GB = $0.625 | $2.625 |
| Amazon SQS | $0.40 * 1,000,000 requests = $0.40 | $0.40 |
| Amazon SNS | $0.50 * 1,000,000 notifications = $0.50 | $0.50 |
| Amazon CloudWatch - Metrics | (Enhanced Metrics Disabled) $0.30 * 7 custom metrics = $2.10; $0.01 * (3000 / 1,000) put metrics API calls = $0.03 | $2.13 |
| Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
| Amazon CloudWatch - Alarms | $0.10 * 4 alarms = $0.40 | $0.40 |
| Amazon CloudWatch - X-Ray Traces | 3,000 remediations * 7 requests = 2,100 Lambda invocations; 50,000 findings * 1 request = 50,000 Lambda invocations; $0.000005 per trace * 52,100 traces = $0.2605 | $0.2605 |
| Total | | $136.57 |
Example 4: 30,000 remediations per month
- 1,000 accounts, 10 Regions
- 30 remediations per account/Region/month
- 500 Security Hub findings processed per account/Region/month
- Web UI disabled
- Action Log disabled
- Total cost $10,460.80 per month

| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| AWS Systems Manager Automation | Steps: ~4 steps * 30,000 remediations * $0.002 = $240.00; Duration: 10s * 30,000 remediations * $0.00003 = $9.00 | $249.00 |
| AWS Security Hub | No billable services utilized | $0 |
| Amazon CloudWatch Logs | $0.50 per GB | < $0.01 |
| AWS Lambda - Requests | 30,000 remediations * 7 requests = 210,000 requests; 5,000,000 findings * 1 request = 5,000,000 requests; $0.20 / 1,000,000 requests = $0.0000002 per request | $1.042 |
| AWS Lambda - Duration | (512MB Memory) 4,000ms * 30,000 remediations * $0.0000000083 = $0.996; 449ms * 5,000,000 findings * $0.0000000083 = $18.63 | $19.63 |
| AWS Step Functions | 19 state transitions * 30,000 remediations = 570,000; $0.025 * (570,000/1,000) state transitions = $14.25 | $14.25 |
| Amazon EventBridge rules | No charge for rules | $0 |
| AWS Key Management Service | (1 key) $1 * 1,000 accounts * 10 Regions = $10,000; (Encrypt/Decrypt API requests) (30,000 remediations * 2 requests) + (5,000,000 findings * 4 requests) = 20,060,000 requests; $0.03 per 10,000 requests ⇒ $0.03 * (20,060,000 / 10,000) = $60.18 | $10,060.18 |
| Amazon DynamoDB | $2.00 * (10,000,000 read and writes / 1,000,000) = $20.00; (Findings Table) 15MB * 1000 accounts * 10 regions = 150GB; (History Table) 10MB * 1000 accounts * 10 regions = 100GB; $0.25 per GB-month * 250 GB = $62.50 | $82.50 |
| Amazon SQS | $0.40 * (5,060,000 requests / 1,000,000) = $2.024 | $2.024 |
| Amazon SNS | $0.000005 * 1,000,000 notifications = $0.50 | $0.50 |
| Amazon CloudWatch - Metrics | (Enhanced Metrics Disabled) $0.30 * 7 custom metrics = $2.10; $0.01 * (30,000 / 1,000) put metrics API calls = $0.30 | $2.40 |
| Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
| Amazon CloudWatch - Alarms | (Enhanced Metrics Disabled) $0.10 * 4 alarms = $0.40 | $0.40 |
| Amazon CloudWatch - X-Ray Traces | 30,000 remediations * 7 requests = 210,000 Lambda invocations; 5,000,000 findings * 1 request = 5,000,000 Lambda invocations; $0.000005 per trace * 5,210,000 traces = $26.05 | $26.05 |
| Total | | $10,460.80 |
Example 5: 30,000 remediations per month (Web UI Enabled)
- 1,000 accounts, 10 Regions
- 30 remediations per account/Region/month
- 500 Security Hub findings processed per account/Region/month
- Web UI enabled
- Action Log disabled
- Total cost $10,480.90 per month

| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| AWS Systems Manager Automation | Steps: ~4 steps * 30,000 remediations * $0.002 = $240.00; Duration: 10s * 30,000 remediations * $0.00003 = $9.00 | $249.00 |
| AWS Security Hub | No billable services utilized | $0 |
| Amazon CloudWatch Logs | $0.50 per GB | < $0.01 |
| AWS Lambda - Requests | 30,000 remediations * 7 requests = 210,000 requests; 5,000,000 findings * 1 request = 5,000,000 requests; $0.20 / 1,000,000 requests = $0.0000002 per request | $1.042 |
| AWS Lambda - Duration | (512MB Memory) 4,000ms * 30,000 remediations * $0.0000000083 = $0.996; 449ms * 5,000,000 findings * $0.0000000083 = $18.63 | $19.63 |
| AWS Step Functions | 19 state transitions * 30,000 remediations = 570,000; $0.025 * (570,000/1,000) state transitions = $14.25 | $14.25 |
| Amazon EventBridge rules | No charge for rules | $0 |
| AWS Key Management Service | (1 key) $1 * 1,000 accounts * 10 Regions = $10,000; (Encrypt/Decrypt API requests) (30,000 remediations * 2 requests) + (5,000,000 findings * 4 requests) = 20,060,000 requests; $0.03 per 10,000 requests ⇒ $0.03 * (20,060,000 / 10,000) = $60.18 | $10,060.18 |
| Amazon DynamoDB | $2.00 * (10,000,000 read and writes / 1,000,000) = $20.00; (Findings Table) 15MB * 1000 accounts * 10 regions = 150GB; (History Table) 10MB * 1000 accounts * 10 regions = 100GB; $0.25 per GB-month * 250 GB = $62.50 | $82.50 |
| Amazon SQS | $0.40 * (5,060,000 requests / 1,000,000) = $2.024 | $2.024 |
| Amazon SNS | $0.000005 * 1,000,000 notifications = $0.50 | $0.50 |
| Amazon CloudWatch - Metrics | (Enhanced Metrics Disabled) $0.30 * 7 custom metrics = $2.10; $0.01 * (30,000 / 1,000) put metrics API calls = $0.30 | $2.40 |
| Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
| Amazon CloudWatch - Alarms | (Enhanced Metrics Disabled) $0.10 * 4 alarms = $0.40 | $0.40 |
| Amazon CloudWatch - X-Ray Traces | 30,000 remediations * 7 requests = 210,000 Lambda invocations; 5,000,000 findings * 1 request = 5,000,000 Lambda invocations; $0.000005 per trace * 5,210,000 traces = $26.05 | $26.05 |
| Amazon Cognito | (Essentials Tier) 5,000 Monthly Active Users | $0 |
| Amazon CloudFront | Regional Data Transfer Out to Origin (per GB) = $0.020; Regional Data Transfer Out to Internet (per GB) = $0.085; Request Pricing for All HTTP Methods (per 10,000) = $0.0075 | $0.1125 |
| Amazon S3 | (UI Hosting) $0.023 per GB * 0.002 GB = $0.000046; (History Export) $0.023 per GB * 100 GB = $2.30; $0.0004 per 1,000 GET requests * 5,000 requests = $2.00 | $4.30 |
| AWS WAF | 1 Web ACL = $5.00 per month; 7 rules * $1.00 per rule = $7.00 | $12 |
| Amazon API Gateway | $3.50 per million REST API calls | $3.50 |
| Total | | $10,480.90 |
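The cost model that Examples 1 to 5 apply, carried through as an added Python estimator so you can plug in your own account and Region counts (this is added here and is not code from the guide or the solution). Unit prices are the ones in the sample cost table; the per-remediation and per-finding multipliers are assumptions copied from the examples, and the Web UI and Action Log add-ons are left out.

```python
# Added cost estimator for the pricing model the examples above apply; this is
# not code from the guide. Unit prices are the ones in the sample cost table, and
# the multipliers the examples use are taken as assumptions (4 SSM steps and 10 s
# per remediation, 7 Lambda invocations per remediation and 1 per finding,
# 19 state transitions, 2 KMS calls per remediation and 4 per finding,
# 25 MB of DynamoDB storage per account-Region).


def estimate(accounts, regions, remediations, findings,
             dynamodb_rw_millions=1.0, logs_gb=0.0):
    """Monthly line items (USD) for a Web UI disabled, Action Log disabled deployment.

    remediations and findings are monthly totals across all accounts and Regions.
    logs_gb defaults to 0 because every example lists CloudWatch Logs as < $0.01;
    dynamodb_rw_millions follows the examples (1 M small/medium, 10 M large).
    """
    key_count = accounts * regions                       # one KMS key per account per Region
    lambda_invocations = remediations * 7 + findings
    kms_requests = remediations * 2 + findings * 4
    sqs_requests = max(1_000_000, remediations * 2 + findings)  # examples bill at least 1 M
    items = {
        "AWS Systems Manager Automation": remediations * (4 * 0.002 + 10 * 0.00003),
        "Amazon CloudWatch Logs": logs_gb * 0.50,
        "AWS Lambda - Requests": lambda_invocations * (0.20 / 1_000_000),
        # $0.0000166667 per GB-second at 512 MB is $0.0000000083 per ms, as in the examples
        "AWS Lambda - Duration": (4000 * remediations + 449 * findings) * 0.0000000083,
        "AWS Step Functions": 0.025 * (19 * remediations / 1000),
        "AWS Key Management Service": key_count * 1.00 + 0.03 * kms_requests / 10_000,
        "Amazon DynamoDB": 2.00 * dynamodb_rw_millions + 0.25 * (25 * key_count / 1000),
        "Amazon SQS": 0.40 * sqs_requests / 1_000_000,
        "Amazon SNS": 0.50 * remediations * 2 / 1_000_000,   # 2 notifications per remediation
        "Amazon CloudWatch - Metrics": 0.30 * 7 + 0.01 * remediations / 1000,
        "Amazon CloudWatch - Dashboards": 3.00,
        "Amazon CloudWatch - Alarms": 0.10 * 4,
        "Amazon CloudWatch - X-Ray Traces": 0.000005 * lambda_invocations,
    }
    items["Total"] = round(sum(items.values()), 2)
    return items


def dominant_item(items):
    """Largest line item, i.e. where a budget alert for this deployment should focus."""
    return max((name for name in items if name != "Total"), key=items.get)


if __name__ == "__main__":
    for label, args, rw in (("Example 1", (10, 1, 300, 5_000), 1.0),
                            ("Example 4", (1_000, 10, 30_000, 5_000_000), 10.0)):
        est = estimate(*args, dynamodb_rw_millions=rw)
        print(f"{label}: total ${est['Total']:,.2f}; largest item: {dominant_item(est)}")
```

Example 1 reproduces the guide's $20.73; for the larger examples the model differs from the tables by under a dollar because the tables round SNS and X-Ray differently, while the per-key KMS charge (accounts × Regions × $1) is exact and is what drives the large-deployment total.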
Important
KMS key rotation costs: AWS Key Management Service (KMS) automatically rotates customer managed keys once per year when rotation is enabled. Each rotation incurs a cost of $1.00 per key per year. For example, with 1000 accounts in a single region, this results in an additional $1000/year (1 rotation × 1000 keys × $1.00).
Additional cost for optional features
This section identifies additional costs associated with optional features for this solution.
Enhanced CloudWatch metrics
If you select yes for the EnableEnhancedCloudWatchMetrics parameter when deploying the admin stack, the solution creates two custom metrics and one alarm for each control ID. The cost depends on the number of control IDs that you are remediating. In the following table, we assume that you are remediating all 96 different control IDs per month, to determine the upper bound of costs.
| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| Amazon CloudWatch - Metrics | 96 control IDs * 2 = 192 custom metrics; $0.30 * 192 custom metrics = $57.60 | $57.60 |
| Amazon CloudWatch - Alarms | $0.10 * 96 alarms = $9.60 | $9.60 |
| Total | | $67.20 |
CloudTrail Action Log
In each member account that you enable the Action Log feature for, the solution creates a CloudTrail trail to log all write management events. A Lambda function filters out events not related to the solution. This means that the cost is related to the total number of management events in your account, since events not related to the solution are still captured by the trail and processed by the Lambda function.
For the following table, we assume 150,000 management events per month in the account. The actual cost depends on the actual management event activity in your account.
| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
| AWS CloudTrail | 150,000 * $2.00/100,000 = $3.00 | $3.00 |
| Lambda | 150,000 * 0.2 * 0.125 = 3,750 GB-seconds; 3,750 * $0.0000166667 = $0.0625 compute time cost; 0.15 * $0.20 = $0.03 request cost; $0.0625 + $0.03 = $0.0925 total Lambda cost | $0.0925 |
| Total | | $3.09 per member account |