Cost
You are responsible for the cost of the AWS services used to run this solution.
As of this revision, the estimated monthly costs are:
-
Small deployment (10 accounts, 1 region - US East/N. Virginia): Approximately $21.17 for 300 remediations/month
-
Medium deployment (100 accounts, 1 region - US East/N. Virginia): Approximately $134.86 for 3,000 remediations/month
-
Large deployment (1,000 accounts, 10 regions): Approximately $10,271.70 for 30,000 remediations/month
Important
Prices are subject to change. For full details, refer to the pricing page for each AWS service used in this solution.
Note
Many AWS Services include a Free Tier - a baseline amount of the service that customers can use at no charge. Actual costs may be more or less than the pricing examples provided.
We recommend creating a budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each AWS service used in this solution.
Sample cost table
The total cost to run this solution depends on the following factors:
-
The number of AWS Security Hub member accounts
-
The number of active automatically-invoked remediations
-
The frequency of remediation
This solution uses the following AWS components, which incur a cost based on your configuration. Pricing examples are provided for small, medium, and large organizations.
| Service | Free Tier | Pricing [USD] |
|---|---|---|
|
100,000 steps per account per month |
Beyond the free tier, each basic step is charged at $0.002 per step. For multi-account automations, all steps including those run in any child accounts are counted only in the originating account. |
|
|
5,000 seconds per month |
Beyond the free tier, each aws:executeScript action step is charged at $0.00003 for every second after a free tier of 5,000 seconds per month. |
|
|
No free tier |
$0.046 per GB per month |
|
|
No free tier |
$0.900 per GB transferred (for cross-account or out-of-Region) |
|
|
No free tier |
First 100,000 checks/account/Region/month costs $0.0010 per check Next 400,000 checks/account/Region/month costs $0.0008 per check Over 500,000 checks/account/Region/month costs $0.0005 per check |
|
|
First 10,000 events/account/Region/month is free. Finding ingestion events associated with Security Hub’s security checks. |
Over 10,000 events/account/Region/month costs $0.00003 per event |
|
|
Basic Monitoring Metrics (at 5-minute frequency) 10 Detailed Monitoring Metrics (at 1-minute frequency) 1 Million API requests (not applicable to GetMetricData and GetMetricWidgetImage) |
First 10,000 metrics costs $0.30 metric/month Next 240,000 metrics costs $0.10 metric/month Next 750,000 metrics costs $0.05 metric/month Over 1,000,000 metrics costs $0.02 metric/month API calls cost $0.01 per 1,000 requests |
|
|
3 Dashboards for up to 50 metrics per month |
$3.00 per dashboard per month |
|
|
10 Alarm metrics (not applicable to high-resolution alarms) |
Standard Resolution (60 sec) costs $0.10 per alarmmetric High Resolution (10 sec) costs $0.30 per alarm metric Standard Resolution Anomaly Detection costs $0.30 per alarm High Resolution Anomaly Detection costs $0.90 per alarm Composite costs $0.50 per alarm |
|
|
5GB Data (ingestion, archive storage, and data scanned by Logs Insights queries) |
$0.50 per GB |
|
|
5GB Data (ingestion, archive storage, and data scanned by Logs Insights queries) |
$0.005 per GB of data scanned |
|
|
All events except custom events are included |
$1.00 per million events for custom events $1.00 per million events for cross-account events |
|
|
1M free requests per month |
$0.20 per 1M requests |
|
|
400,000 GB-seconds of compute time per month |
$0.0000166667 for every GB-second. The price for Duration depends on the amount of memory you allocate to your function. You can allocate any amount of memory to your function between 128MB and 10,240MB, in 1MB increments. |
|
|
4,000 free state transitions per month |
$0.025 per 1,000 state transitions thereafter |
|
|
All state change events published by AWS services are free |
Custom events cost $1.00/million custom events published Third-party (SaaS) events cost $1.00/million events published Cross-account events cost $1.00/million cross-account events sent |
|
|
First 1 million Amazon SNS requests per month are free |
$0.50 per 1 million requests thereafter |
|
|
First 1 million Amazon SQS requests per month are free |
$0.40 per 1 million to 100 billion requests thereafter |
|
|
First 25GB of storage is free |
$2.00 per 1 million consistent reads and writes thereafter |
|
|
20,000 requests/month |
$1.00 per 1 KMS key. For KMS keys that you rotate automatically or on demand, the first and second rotation of the key adds $1/month (prorated hourly) in cost. |
Pricing examples (monthly)
Example 1: 300 remediations per month
-
10 accounts, 1 Region
-
30 remediations per account/Region/month
-
Total cost $21.17 per month
| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
|
AWS Systems Manager Automation |
Steps: ~4 steps * 300 remediations * $0.002 = $2.40 Duration: 10s * 300 remediations * $0.00003 = $0.09 |
$2.49 |
|
AWS Security Hub |
No billable services utilized |
$0 |
|
Amazon CloudWatch Logs |
300 remediations * $0.000002 = $0.0006 $0.0006 * 0.03 = $0.000018 |
< $0.01 |
|
AWS Lambda - Requests |
300 remediations * 6 requests = 1,800 requests $0.20 * 1,000,000 requests = $0.20 |
$0.20 |
|
AWS Lambda - Duration |
256M: 1.875 GB sec * 300 remediations * $0.0000167 = $0.009375 |
< $0.01 |
|
AWS Step Functions |
17 state transitions * 300 remediations = 5,100 $0.025 * (5,100/1,000) state transitions = $0.15 |
$0.15 |
|
Amazon EventBridge rules |
No charge for rules |
$0 |
|
AWS Key Management Service |
1 key * 10 accounts * 1 Region * $1 = $10 |
$10.00 |
|
Amazon DynamoDB |
$2.00 * 1,000,000 read and writes = $2.00 |
$2.00 |
|
Amazon SQS |
$0.40 * 1,000,000 requests = $0.40 |
$0.40 |
|
Amazon SNS |
$0.50 * 1,000,000 notifications = $0.50 |
$0.50 |
|
Amazon CloudWatch - Metrics |
$0.30 * 7 custom metrics = $2.10 $0.01 * (300 * 3 / 1,000) put metrics API calls = $0.01 |
$2.11 |
|
Amazon CloudWatch - Dashboards |
$3.00 * 1 dashboard = $3.00 |
$3.00 |
|
Amazon CloudWatch - Alarms |
$0.10 * 3 alarms = $0.30 |
$0.30 |
|
Total |
$21.17 |
Example 2: 3,000 remediations per month
-
100 accounts, 1 Region
-
30 remediations per account/Region/month
-
Total cost $134.86 per month
| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
|
AWS Systems Manager Automation |
Steps: ~4 steps * 3,000 remediations * $0.002 = $24.00 Duration: 10s * 3,000 remediations * $0.00003 = $0.90 |
$24.90 |
|
AWS Security Hub |
No billable services utilized |
$0 |
|
Amazon CloudWatch Logs |
3,000 remediations * $0.000002 = $0.006 $0.006 * 0.03 = $0.00018 |
< $0.01 |
|
AWS Lambda - Requests |
3,000 remediations * 6 requests = 18,000 requests $0.20 * 1,000,000 requests = $0.20 |
$0.20 |
|
AWS Lambda - Duration |
256M: 1.875 GB sec * 3,000 remediations * $0.000167 = $0.09375 |
$0.09 |
|
AWS Step Functions |
17 state transitions * 3,000 remediations = 51,000 $0.025 * (51,000/1,000) state transitions = $1.275 |
$1.28 |
|
Amazon EventBridge rules |
No charge for rules |
$0 |
|
AWS Key Management Service |
1 key * 100 accounts * 1 Region * $1 = $100 |
$100 |
|
Amazon DynamoDB |
$2.00 * 1,000,000 read and writes = $2.00 |
$2.00 |
|
Amazon SQS |
$0.40 * 1,000,000 requests = $0.40 |
$0.40 |
|
Amazon SNS |
$0.50 * 1,000,000 notifications = $0.50 |
$0.50 |
|
Amazon CloudWatch - Metrics |
$0.30 * 7 custom metrics = $2.10 $0.01 * (3000 * 3 / 1,000) put metrics API calls = $0.09 |
$2.19 |
|
Amazon CloudWatch - Dashboards |
$3.00 * 1 dashboard = $3.00 |
$3.00 |
|
Amazon CloudWatch - Alarms |
$0.10 * 3 alarms = $0.30 |
$0.30 |
|
Total |
$134.86 |
Example 3: 30,000 remediations per months
-
1,000 accounts, 10 Regions
-
30 remediations per account/Region/month
-
Total cost $1,271.70 per month
| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
|
AWS Systems Manager Automation |
Steps: ~4 steps * 30,000 remediations * $0.002 = $240.00 Duration: 10s * 30,000 remediations * $0.00003 = $9.00 |
$249.00 |
|
AWS Security Hub |
No billable services utilized |
$0 |
|
Amazon CloudWatch Logs |
30,000 remediations * $0.000002 = $0.06 $0.06 * 0.03 = $0.0018 |
< $0.01 |
|
AWS Lambda - Requests |
30,000 remediations * 6 requests = 180,000 requests $0.20 * 1,000,000 requests = $0.20 |
$0.20 |
|
AWS Lambda - Duration |
256M: 1.875 GB sec * 30,000 remediations * $0.000167 = $0.9375 |
$0.94 |
|
AWS Step Functions |
17 state transitions * 30,000 remediations = 510,000 $0.025 * (510,000/1,000) state transitions = $12.75 |
$12.75 |
|
Amazon EventBridge rules |
No charge for rules |
$0 |
|
AWS Key Management Service |
(1 key) $1 * 1,000 accounts * 10 Region = $10,000 |
$10,000 |
|
Amazon DynamoDB |
$0.000002 * 1,000,000 read and writes = $2.00 |
$2.00 |
|
Amazon SQS |
$0.000004 * 1,000,000 requests = $0.40 |
$0.40 |
|
Amazon SNS |
$0.000005 * 1,000,000 notifications = $0.50 |
$0.50 |
|
Amazon CloudWatch - Metrics |
$0.30 * 6 custom metrics = $1.80 $0.01 * (30,000 * 3 / 1,000) put metrics API calls = $0.90 |
$2.70 |
|
Amazon CloudWatch - Dashboards |
$3.00 * 1 dashboard = $3.00 |
$3.00 |
|
Amazon CloudWatch - Alarms |
$0.10 * 2 alarms = $0.20 |
$0.20 |
|
Total |
$10,271.70 |
Important
KMS Key Rotation Costs AWS Key Management Service (KMS) automatically rotates customer managed keys once per year when rotation is enabled. Each rotation incurs a cost of $1.00 per key per year. For example, with 1000 accounts in a single region, this results in an additional $1000/year (1 rotation × 1000 keys × $1.00).
Additional cost for optional features
This section identifies additional costs associated with optional features for this solution.
Enhanced CloudWatch metrics
If you select yes for the EnableEnhancedCloudWatchMetrics parameter when deploying the admin stack, the solution creates two custom metrics and one alarm for each control ID. The cost depends on the number of control IDs that you are remediating. In the following table, we assume that you are remediating all 96 different control IDs per month, to determine the upper bound of costs.
| Service | Assumptions 96 control IDs * 2 = 192 custom metrics | Monthly charges [USD] |
|---|---|---|
|
Amazon CloudWatch - Metrics |
$0.30 * 192 custom metrics = $57.60 |
$57.60 |
|
Amazon CloudWatch - Alarms |
$0.10 * 96 alarms = $9.60 |
$9.60 |
|
Total |
$67.20 |
CloudTrail Action Log
In each member account that you enable the Action Log feature for, the solutions creates a CloudTrail trail to log all write management events. A Lambda function filters out events not related to the solution. This means that the cost is related to the total number of management events in your account, since events not related to the solution are still captured by the trail and processed by the Lambda function.
For the following table, we assume 150,000 management events per month in the account. The actual cost depends on the actual management event activity in your account.
| Service | Assumptions | Monthly charges [USD] |
|---|---|---|
|
AWS CloudTrail |
150,000 * $2.00/100,000 = $3.00 |
$3.00 |
|
Lambda |
150,000 * 0.2 * 0.125 = 3,750 GB-seconds 3,750 * $0.0000166667 = $0.0625 compute time cost 0.15 * $0.20 = $0.03 request cost $0.0625 + $0.03 = $0.0952 total Lambda cost |
$0.0925 |
|
Total |
$3.09 per member account |
