

# Plan your deployment
<a name="plan-your-deployment"></a>

This section describes the cost, network security, supported AWS Regions, quotas, and other considerations prior to deploying the solution.

# Cost
<a name="cost"></a>

You are responsible for the cost of the AWS services used to run this solution.

As of this revision, the estimated monthly costs are:
+ Small deployment (10 accounts, 1 region - US East/N. Virginia): Approximately \$14.70 for 300 remediations/month
+ Medium deployment (100 accounts, 1 region - US East/N. Virginia): Approximately \$106.40 for 3,000 remediations/month
+ Large deployment (1,000 accounts, 10 regions): Approximately \$7,360.00 for 30,000 remediations/month

**Important**  
Prices are subject to change. For full details, refer to the pricing page for each AWS service used in this solution.

**Note**  
Many AWS Services include a Free Tier - a baseline amount of the service that customers can use at no charge. Actual costs may be more or less than the pricing examples provided.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through AWS Cost Explorer to help manage costs.

## Sample cost table
<a name="sample-cost-table"></a>

The total cost to run this solution depends on the following factors:
+ The number of AWS Security Hub member accounts
+ The number of active automatically-invoked remediations
+ The frequency of remediation

This solution uses the following AWS components, which incur a cost based on your configuration. Pricing examples are provided for small, medium, and large organizations.


| Service | Free Tier | Pricing [USD] | 
| --- | --- | --- | 
|  [AWS Systems Manager Automation - Step Count](https://aws.amazon.com/systems-manager/pricing/)  |  No free tier  |  Each basic step is charged at \$0.002 per step. For multi-account automations, all steps, including those run in any child accounts, are counted only in the originating account.  | 
|  [AWS Systems Manager Automation - Step Duration](https://aws.amazon.com/systems-manager/pricing/)  |  No free tier  |  Each `aws:executeScript` action step is charged at \$0.00003 per second.  | 
|  [AWS Systems Manager Automation - Storage](https://aws.amazon.com/systems-manager/pricing/)  |  No free tier  |  \$0.046 per GB per month  | 
|  [AWS Systems Manager Automation - Data Transfer](https://aws.amazon.com/systems-manager/pricing/)  |  No free tier  |  \$0.900 per GB transferred (cross-account or out-of-Region)  | 
|  [AWS Security Hub CSPM - Security Checks](https://aws.amazon.com/security-hub/cspm/pricing/)  |  No free tier  |  First 100,000 checks/account/Region/month: \$0.0010 per check; next 400,000 checks/account/Region/month: \$0.0008 per check; over 500,000 checks/account/Region/month: \$0.0005 per check  | 
|  [AWS Security Hub CSPM - Finding Ingestion Events](https://aws.amazon.com/security-hub/cspm/pricing/)  |  First 10,000 events/account/Region/month are free (finding ingestion events associated with Security Hub's security checks).  |  Over 10,000 events/account/Region/month: \$0.00003 per event  | 
|  [Amazon CloudWatch - Metrics](https://aws.amazon.com/cloudwatch/pricing/)  |  Basic Monitoring metrics (5-minute frequency); 10 Detailed Monitoring metrics (1-minute frequency); 1 million API requests (not applicable to GetMetricData, GetInsightRuleReport and GetMetricWidgetImage)  |  First 10,000 metrics: \$0.30 per metric/month; next 240,000 metrics: \$0.10 per metric/month; next 750,000 metrics: \$0.05 per metric/month; over 1,000,000 metrics: \$0.02 per metric/month. API calls: \$0.01 per 1,000 requests  | 
|  [Amazon CloudWatch - Dashboard](https://aws.amazon.com/cloudwatch/pricing/)  |  3 dashboards for up to 50 metrics per month  |  \$3.00 per dashboard per month  | 
|  [Amazon CloudWatch - Alarms](https://aws.amazon.com/cloudwatch/pricing/)  |  10 alarm metrics (not applicable to high-resolution alarms)  |  Standard resolution (60 sec): \$0.10 per alarm metric; high resolution (10 sec): \$0.30 per alarm metric; standard resolution anomaly detection: \$0.30 per alarm; high resolution anomaly detection: \$0.90 per alarm; composite: \$0.50 per alarm  | 
|  [Amazon CloudWatch - Logs Collection](https://aws.amazon.com/cloudwatch/pricing/)  |  5 GB data (ingestion, archive storage, and data scanned by Logs Insights queries)  |  \$0.50 per GB  | 
|  [Amazon CloudWatch - Logs Storage](https://aws.amazon.com/cloudwatch/pricing/)  |  5 GB data (ingestion, archive storage, and data scanned by Logs Insights queries)  |  \$0.005 per GB of data scanned  | 
|  [AWS Lambda - Requests](https://aws.amazon.com/lambda/pricing/)  |  1M free requests per month  |  \$0.20 per 1M requests  | 
|  [AWS Lambda - Duration](https://aws.amazon.com/lambda/pricing/)  |  400,000 GB-seconds of compute time per month  |  \$0.0000166667 for every GB-second. The price for duration depends on the amount of memory you allocate to your function; you can allocate between 128 MB and 10,240 MB, in 1 MB increments.  | 
|  [AWS Step Functions - State Transitions](https://aws.amazon.com/step-functions/pricing/)  |  4,000 free state transitions per month  |  \$0.025 per 1,000 state transitions thereafter  | 
|  [Amazon EventBridge](https://aws.amazon.com/eventbridge/pricing/)  |  All state change events published by AWS services are free  |  Custom events: \$1.00 per million custom events published; third-party (SaaS) events: \$1.00 per million events published; cross-account events: \$1.00 per million cross-account events sent  | 
|  [Amazon SNS](https://aws.amazon.com/sns/pricing/)  |  First 1 million Amazon SNS requests per month are free  |  \$0.50 per 1 million requests thereafter  | 
|  [Amazon SQS](https://aws.amazon.com/sqs/pricing/)  |  First 1 million Amazon SQS requests per month are free  |  \$0.40 per 1 million requests thereafter (from 1 million to 100 billion requests)  | 
|  [Amazon DynamoDB](https://aws.amazon.com/dynamodb/pricing/)  |  First 25 GB of storage is free  |  \$2.00 per 1 million consistent reads and writes thereafter  | 
|  [AWS Key Management Service](https://aws.amazon.com/kms/pricing/)  |  20,000 requests/month  |  \$1.00 per KMS key. \$0.03 per 10,000 API requests. For KMS keys that you rotate automatically or on demand, the first and second rotation of the key each add \$1/month (prorated hourly). **Note:** This solution includes KMS caching optimizations (S3 Bucket Keys, 60-minute SQS data key reuse, 5-minute Secrets Manager caching) that reduce KMS API calls by approximately 70%.  | 
|  [Amazon Cognito](https://aws.amazon.com/cognito/pricing/)  |  In the Essentials tier, the first 10,000 Monthly Active Users are free. Note: this free tier is 50 Monthly Active Users when users authenticate via an external IdP (SAML/OIDC).  |  \$0.015 per Monthly Active User above 10,000 users.  | 
|  [Amazon CloudFront](https://aws.amazon.com/cloudfront/pricing/)  |  Free tier includes 1 TB of data transfer out and 10,000,000 HTTP or HTTPS requests per month.  |  (US/Canada/Mexico) First 9 TB is \$0.085 per month. Next 40 TB is \$0.080 per month. \$0.0075 per HTTP request. \$0.0100 per HTTPS request.  | 
|  [Amazon S3](https://aws.amazon.com/s3/pricing/)  |  No free tier  |  First 50 TB is \$0.023 per GB per month. \$0.005 per 1,000 PUT, COPY, POST, LIST requests. \$0.0004 per 1,000 GET, SELECT, and all other requests.  | 
|  [Amazon API Gateway](https://aws.amazon.com/api-gateway/pricing/)  |  1 million REST API calls in the first 12 months of usage.  |  \$3.50 per million for the first 333 million API calls.  | 

## KMS cost optimization
<a name="kms-optimization"></a>

Since **version 3.1.0**, this solution includes KMS caching optimizations that reduce cryptographic operation costs by approximately 70%:
+  **S3 Bucket Keys**: Reduces KMS GenerateDataKey calls for S3 encryption operations
+  **SQS Data Key Reuse**: 60-minute cache period for message encryption
+  **Secrets Manager Caching**: 5-minute TTL in Lambda functions

 **Performance Impact**: These optimizations improve latency by 10-15ms for S3 operations and full workflows while reducing costs, with no throughput degradation.

## Pricing examples (monthly)
<a name="pricing-examples"></a>

### Example 1: 300 remediations per month
<a name="example-1-300-remediations-per-month"></a>
+ 10 accounts, 1 Region
+ 30 remediations per account/Region/month
+ 500 Security Hub findings processed per account/Region/month
+  **Web UI disabled** 
+  **Action Log disabled** 
+ Total cost \$14.70 per month


| Service | Assumptions | Monthly charges [USD] | 
| --- | --- | --- | 
|  AWS Systems Manager Automation  |  Steps: 4 steps × 300 remediations × \$0.002 = \$2.40; Duration: 10 s × 300 remediations × \$0.00003 = \$0.09  |  \$2.49  | 
|  AWS Security Hub  |  No billable services utilized  |  \$0  | 
|  Amazon CloudWatch Logs  |  \$0.50 per GB  |  < \$0.01  | 
|  AWS Lambda - Requests  |  300 remediations × 7 requests = 2,100 requests; 5,000 findings × 1 request = 5,000 requests; \$0.20 / 1,000,000 requests = \$0.0000002 per request  |  \$0.00142  | 
|  AWS Lambda - Duration  |  (512 MB memory) 4,000 ms × 300 remediations × \$0.0000000083 = \$0.00996; 449 ms × 5,000 findings × \$0.0000000083 = \$0.0186  |  \$0.029  | 
|  AWS Step Functions  |  19 state transitions × 300 remediations = 5,700; \$0.025 × (5,700 / 1,000) state transitions = \$0.14  |  \$0.14  | 
|  Amazon EventBridge rules  |  No charge for rules  |  \$0  | 
|  AWS Key Management Service  |  1 key × 10 accounts × 1 Region × \$1 = \$10; Encrypt/Decrypt API requests: (300 remediations × 2 requests) + (5,000 findings × 4 requests) = 20,600 requests; with KMS caching: 20,600 × 0.30 = 6,180 requests; \$0.03 per 10,000 requests ⇒ \$0.03 × (6,180 / 10,000) = \$0.02  |  \$10.02  | 
|  Amazon DynamoDB  |  \$2.00 × (1,000,000 reads and writes / 1,000,000) = \$2.00; (Findings table) 15 MB × 10 accounts × 1 Region = 150 MB; (History table) 10 MB × 10 accounts × 1 Region = 100 MB; \$0.25 per GB-month × 0.25 GB = \$0.0625  |  \$2.0625  | 
|  Amazon SQS  |  \$0.40 × (1,000,000 requests / 1,000,000) = \$0.40  |  \$0.40  | 
|  Amazon SNS  |  \$0.50 × (600 / 1,000,000 notifications) = \$0.0003  |  \$0.0003  | 
|  Amazon CloudWatch - Metrics  |  (Enhanced metrics disabled) \$0.30 × 7 custom metrics = \$2.10; \$0.01 × (300 PutMetricData API calls / 1,000) = \$0.003  |  \$2.10  | 
|  Amazon CloudWatch - Dashboards  |  \$3.00 × 1 dashboard = \$3.00  |  \$3.00  | 
|  Amazon CloudWatch - Alarms  |  (Enhanced metrics disabled) \$0.10 × 4 alarms = \$0.40  |  \$0.40  | 
|  Amazon CloudWatch - X-Ray Traces  |  300 remediations × 7 requests = 2,100 Lambda invocations; 5,000 findings × 1 request = 5,000 Lambda invocations; \$0.000005 per trace × 7,100 traces = \$0.0355  |  \$0.0355  | 
|  **Total**  |  |  **\$14.70**  | 

### Example 2: 300 remediations per month (Web UI Enabled)
<a name="example-2-300-remediations-per-month"></a>
+ 10 accounts, 1 Region
+ 30 remediations per account/Region/month
+ 5,000 Security Hub findings processed per account/Region/month
+  **Web UI enabled** 
+  **Action Log disabled** 
+ Total cost \$36.35 per month


| Service | Assumptions | Monthly charges [USD] | 
| --- | --- | --- | 
|  AWS Systems Manager Automation  |  Steps: 4 steps × 300 remediations × \$0.002 = \$2.40; Duration: 10 s × 300 remediations × \$0.00003 = \$0.09  |  \$2.49  | 
|  AWS Security Hub  |  No billable services utilized  |  \$0  | 
|  Amazon CloudWatch Logs  |  \$0.50 per GB  |  < \$0.01  | 
|  AWS Lambda - Requests  |  300 remediations × 7 requests = 2,100 requests; 5,000 findings × 1 request = 5,000 requests; \$0.20 / 1,000,000 requests = \$0.0000002 per request  |  \$0.00142  | 
|  AWS Lambda - Duration  |  (512 MB memory) 4,000 ms × 300 remediations × \$0.0000000083 = \$0.00996; 449 ms × 5,000 findings × \$0.0000000083 = \$0.0186  |  \$0.029  | 
|  AWS Step Functions  |  19 state transitions × 300 remediations = 5,700; \$0.025 × (5,700 / 1,000) state transitions = \$0.14  |  \$0.14  | 
|  Amazon EventBridge rules  |  No charge for rules  |  \$0  | 
|  AWS Key Management Service  |  1 key × 10 accounts × 1 Region × \$1 = \$10; Encrypt/Decrypt API requests: (300 remediations × 2 requests) + (5,000 findings × 4 requests) = 20,600 requests; \$0.03 per 10,000 requests ⇒ \$0.03 × (20,600 / 10,000) = \$0.06  |  \$10.06  | 
|  Amazon DynamoDB  |  \$2.00 × (1,000,000 reads and writes / 1,000,000) = \$2.00; (Findings table) 15 MB × 10 accounts × 1 Region = 150 MB; (History table) 10 MB × 10 accounts × 1 Region = 100 MB; \$0.25 per GB-month × 0.25 GB = \$0.0625  |  \$2.0625  | 
|  Amazon SQS  |  \$0.40 × (1,000,000 requests / 1,000,000) = \$0.40  |  \$0.40  | 
|  Amazon SNS  |  \$0.50 × (600 / 1,000,000 notifications) = \$0.0003  |  \$0.0003  | 
|  Amazon CloudWatch - Metrics  |  (Enhanced metrics disabled) \$0.30 × 7 custom metrics = \$2.10; \$0.01 × (300 PutMetricData API calls / 1,000) = \$0.003  |  \$2.10  | 
|  Amazon CloudWatch - Dashboards  |  \$3.00 × 1 dashboard = \$3.00  |  \$3.00  | 
|  Amazon CloudWatch - Alarms  |  (Enhanced metrics disabled) \$0.10 × 4 alarms = \$0.40  |  \$0.40  | 
|  Amazon CloudWatch - X-Ray Traces  |  300 remediations × 7 requests = 2,100 Lambda invocations; 5,000 findings × 1 request = 5,000 Lambda invocations; \$0.000005 per trace × 7,100 traces = \$0.0355  |  \$0.0355  | 
|  Amazon Cognito  |  (Essentials tier) 500 Monthly Active Users  |  \$0  | 
|  Amazon CloudFront  |  Regional data transfer out to origin (per GB) = \$0.020; regional data transfer out to internet (per GB) = \$0.085; request pricing for all HTTP methods (per 10,000) = \$0.0075  |  \$0.1125  | 
|  Amazon S3  |  (UI hosting) \$0.023 per GB × 0.002 GB = \$0.000046; (History export) \$0.023 per GB × 0.50 GB = \$0.0125; \$0.0004 per 1,000 GET requests  |  \$0.0125  | 
|  AWS WAF  |  1 Web ACL = \$5.00 per month; 7 rules × \$1.00 per rule = \$7.00  |  \$12  | 
|  Amazon API Gateway  |  \$3.50 per million REST API calls  |  \$3.50  | 
|  **Total**  |  |  **\$36.35**  | 

### Example 3: 3,000 remediations per month
<a name="example-3-3000-remediations-per-month"></a>
+ 100 accounts, 1 Region
+ 30 remediations per account/Region/month
+ 500 Security Hub findings processed per account/Region/month
+  **Web UI disabled** 
+  **Action Log disabled** 
+ Total cost \$106.40 per month


| Service | Assumptions | Monthly charges [USD] | 
| --- | --- | --- | 
|  AWS Systems Manager Automation  |  Steps: 4 steps × 3,000 remediations × \$0.002 = \$24.00; Duration: 10 s × 3,000 remediations × \$0.00003 = \$0.90  |  \$24.90  | 
|  AWS Security Hub  |  No billable services utilized  |  \$0  | 
|  Amazon CloudWatch Logs  |  \$0.50 per GB  |  < \$0.01  | 
|  AWS Lambda - Requests  |  3,000 remediations × 7 requests = 2,100 requests; 50,000 findings × 1 request = 50,000 requests; \$0.20 / 1,000,000 requests = \$0.0000002 per request  |  \$0.01  | 
|  AWS Lambda - Duration  |  (512 MB memory) 4,000 ms × 3,000 remediations × \$0.0000000083 = \$0.0996; 449 ms × 50,000 findings × \$0.0000000083 = \$0.186  |  \$0.29  | 
|  AWS Step Functions  |  19 state transitions × 3,000 remediations = 57,000; \$0.025 × (57,000 / 1,000) state transitions = \$1.425  |  \$1.425  | 
|  Amazon EventBridge rules  |  No charge for rules  |  \$0  | 
|  AWS Key Management Service  |  1 key × 100 accounts × 1 Region × \$1 = \$100; Encrypt/Decrypt API requests: (3,000 remediations × 2 requests) + (50,000 findings × 4 requests) = 206,000 requests; with KMS caching: 206,000 × 0.30 = 61,800 requests; \$0.03 per 10,000 requests ⇒ \$0.03 × (61,800 / 10,000) = \$0.185  |  \$100.185  | 
|  Amazon DynamoDB  |  \$2.00 × (1,000,000 reads and writes / 1,000,000) = \$2.00; (Findings table) 15 MB × 100 accounts × 1 Region = 1,500 MB; (History table) 10 MB × 100 accounts × 1 Region = 1,000 MB; \$0.25 per GB-month × 2.5 GB = \$0.625  |  \$2.625  | 
|  Amazon SQS  |  \$0.40 × (1,000,000 requests / 1,000,000) = \$0.40  |  \$0.40  | 
|  Amazon SNS  |  \$0.50 × (1,000,000 notifications / 1,000,000) = \$0.50  |  \$0.50  | 
|  Amazon CloudWatch - Metrics  |  (Enhanced metrics disabled) \$0.30 × 7 custom metrics = \$2.10; \$0.01 × (3,000 / 1,000) PutMetricData API calls = \$0.03  |  \$2.13  | 
|  Amazon CloudWatch - Dashboards  |  \$3.00 × 1 dashboard = \$3.00  |  \$3.00  | 
|  Amazon CloudWatch - Alarms  |  \$0.10 × 4 alarms = \$0.40  |  \$0.40  | 
|  Amazon CloudWatch - X-Ray Traces  |  3,000 remediations × 7 requests = 2,100 Lambda invocations; 50,000 findings × 1 request = 50,000 Lambda invocations; \$0.000005 per trace × 52,100 traces = \$0.2605  |  \$0.2605  | 
|  **Total**  |  |  **\$106.40**  | 

### Example 4: 30,000 remediations per month
<a name="example-4-30000-remediations-per-months"></a>
+ 1,000 accounts, 10 Regions
+ 30 remediations per account/Region/month
+ 500 Security Hub findings processed per account/Region/month
+  **Web UI disabled** 
+  **Action Log disabled** 
+ Total cost \$7,360.00 per month


| Service | Assumptions | Monthly charges [USD] | 
| --- | --- | --- | 
|  AWS Systems Manager Automation  |  Steps: 4 steps × 30,000 remediations × \$0.002 = \$240.00; Duration: 10 s × 30,000 remediations × \$0.00003 = \$9.00  |  \$249.00  | 
|  AWS Security Hub  |  No billable services utilized  |  \$0  | 
|  Amazon CloudWatch Logs  |  \$0.50 per GB  |  < \$0.01  | 
|  AWS Lambda - Requests  |  30,000 remediations × 7 requests = 210,000 requests; 5,000,000 findings × 1 request = 5,000,000 requests; \$0.20 / 1,000,000 requests = \$0.0000002 per request  |  \$1.042  | 
|  AWS Lambda - Duration  |  (512 MB memory) 4,000 ms × 30,000 remediations × \$0.0000000083 = \$0.996; 449 ms × 5,000,000 findings × \$0.0000000083 = \$18.63  |  \$19.63  | 
|  AWS Step Functions  |  19 state transitions × 30,000 remediations = 570,000; \$0.025 × (570,000 / 1,000) state transitions = \$14.25  |  \$14.25  | 
|  Amazon EventBridge rules  |  No charge for rules  |  \$0  | 
|  AWS Key Management Service  |  (1 key) \$1 × 1,000 accounts × 10 Regions = \$10,000; Encrypt/Decrypt API requests: (30,000 remediations × 2 requests) + (5,000,000 findings × 4 requests) = 20,060,000 requests; with KMS caching: 20,060,000 × 0.30 = 6,018,000 requests; \$0.03 per 10,000 requests ⇒ \$0.03 × (6,018,000 / 10,000) = \$18.05  |  \$10,018.05  | 
|  Amazon DynamoDB  |  \$2.00 × (10,000,000 reads and writes / 1,000,000) = \$20.00; (Findings table) 15 MB × 1,000 accounts × 10 Regions = 150 GB; (History table) 10 MB × 1,000 accounts × 10 Regions = 100 GB; \$0.25 per GB-month × 250 GB = \$62.50  |  \$82.50  | 
|  Amazon SQS  |  \$0.40 × (5,060,000 requests / 1,000,000) = \$2.024  |  \$2.024  | 
|  Amazon SNS  |  \$0.000005 × 1,000,000 notifications = \$0.50  |  \$0.50  | 
|  Amazon CloudWatch - Metrics  |  (Enhanced metrics disabled) \$0.30 × 7 custom metrics = \$2.10; \$0.01 × (30,000 / 1,000) PutMetricData API calls = \$0.30  |  \$2.40  | 
|  Amazon CloudWatch - Dashboards  |  \$3.00 × 1 dashboard = \$3.00  |  \$3.00  | 
|  Amazon CloudWatch - Alarms  |  (Enhanced metrics disabled) \$0.10 × 4 alarms = \$0.40  |  \$0.40  | 
|  Amazon CloudWatch - X-Ray Traces  |  30,000 remediations × 7 requests = 210,000 Lambda invocations; 5,000,000 findings × 1 request = 5,000,000 Lambda invocations; \$0.000005 per trace × 5,210,000 traces = \$26.05  |  \$26.05  | 
|  **Total**  |  |  **\$7,360.00**  | 

### Example 5: 30,000 remediations per month (Web UI Enabled)
<a name="example-5-30000-remediations-per-months"></a>
+ 1,000 accounts, 10 Regions
+ 30 remediations per account/Region/month
+ 500 Security Hub findings processed per account/Region/month
+  **Web UI enabled** 
+  **Action Log disabled** 
+ Total cost \$7,380.10 per month


| Service | Assumptions | Monthly charges [USD] | 
| --- | --- | --- | 
|  AWS Systems Manager Automation  |  Steps: 4 steps × 30,000 remediations × \$0.002 = \$240.00; Duration: 10 s × 30,000 remediations × \$0.00003 = \$9.00  |  \$249.00  | 
|  AWS Security Hub  |  No billable services utilized  |  \$0  | 
|  Amazon CloudWatch Logs  |  \$0.50 per GB  |  < \$0.01  | 
|  AWS Lambda - Requests  |  30,000 remediations × 7 requests = 210,000 requests; 5,000,000 findings × 1 request = 5,000,000 requests; \$0.20 / 1,000,000 requests = \$0.0000002 per request  |  \$1.042  | 
|  AWS Lambda - Duration  |  (512 MB memory) 4,000 ms × 30,000 remediations × \$0.0000000083 = \$0.996; 449 ms × 5,000,000 findings × \$0.0000000083 = \$18.63  |  \$19.63  | 
|  AWS Step Functions  |  19 state transitions × 30,000 remediations = 570,000; \$0.025 × (570,000 / 1,000) state transitions = \$14.25  |  \$14.25  | 
|  Amazon EventBridge rules  |  No charge for rules  |  \$0  | 
|  AWS Key Management Service  |  (1 key) \$1 × 1,000 accounts × 10 Regions = \$10,000; Encrypt/Decrypt API requests: (30,000 remediations × 2 requests) + (5,000,000 findings × 4 requests) = 20,060,000 requests; with KMS caching: 20,060,000 × 0.30 = 6,018,000 requests; \$0.03 per 10,000 requests ⇒ \$0.03 × (6,018,000 / 10,000) = \$18.05  |  \$10,018.05  | 
|  Amazon DynamoDB  |  \$2.00 × (10,000,000 reads and writes / 1,000,000) = \$20.00; (Findings table) 15 MB × 1,000 accounts × 10 Regions = 150 GB; (History table) 10 MB × 1,000 accounts × 10 Regions = 100 GB; \$0.25 per GB-month × 250 GB = \$62.50  |  \$82.50  | 
|  Amazon SQS  |  \$0.40 × (5,060,000 requests / 1,000,000) = \$2.024  |  \$2.024  | 
|  Amazon SNS  |  \$0.000005 × 1,000,000 notifications = \$0.50  |  \$0.50  | 
|  Amazon CloudWatch - Metrics  |  (Enhanced metrics disabled) \$0.30 × 7 custom metrics = \$2.10; \$0.01 × (30,000 / 1,000) PutMetricData API calls = \$0.30  |  \$2.40  | 
|  Amazon CloudWatch - Dashboards  |  \$3.00 × 1 dashboard = \$3.00  |  \$3.00  | 
|  Amazon CloudWatch - Alarms  |  (Enhanced metrics disabled) \$0.10 × 4 alarms = \$0.40  |  \$0.40  | 
|  Amazon CloudWatch - X-Ray Traces  |  30,000 remediations × 7 requests = 210,000 Lambda invocations; 5,000,000 findings × 1 request = 5,000,000 Lambda invocations; \$0.000005 per trace × 5,210,000 traces = \$26.05  |  \$26.05  | 
|  Amazon Cognito  |  (Essentials tier) 5,000 Monthly Active Users  |  \$0  | 
|  Amazon CloudFront  |  Regional data transfer out to origin (per GB) = \$0.020; regional data transfer out to internet (per GB) = \$0.085; request pricing for all HTTP methods (per 10,000) = \$0.0075  |  \$0.1125  | 
|  Amazon S3  |  (UI hosting) \$0.023 per GB × 0.002 GB = \$0.000046; (History export) \$0.023 per GB × 100 GB = \$2.30; \$0.0004 per 1,000 GET requests × 5,000 requests = \$2.00  |  \$4.30  | 
|  AWS WAF  |  1 Web ACL = \$5.00 per month; 7 rules × \$1.00 per rule = \$7.00  |  \$12  | 
|  Amazon API Gateway  |  \$3.50 per million REST API calls  |  \$3.50  | 
|  **Total**  |  |  **\$7,380.10**  | 

**Important**  
**KMS key rotation costs**: AWS Key Management Service (KMS) automatically rotates customer managed keys once per year when rotation is enabled. Each rotation incurs a cost of \$1.00 per key per year. For example, with 1,000 accounts in a single Region, this results in an additional \$1,000/year (1 rotation × 1,000 keys × \$1.00).
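The arithmetic behind the five pricing examples, as an added example that is not part of the solution's code: it reproduces the usage-driven line items (SSM Automation, Lambda, Step Functions, KMS with and without the caching optimization, X-Ray, DynamoDB storage) from the unit prices and per-remediation assumptions the tables state, so a deployment of any size can be costed the same way. The fixed items (SQS, SNS, dashboards, alarms, metrics) are left out, and the remediation and finding totals are taken as each example states them.

```python
"""Cost model for the pricing examples in this guide (added example, not the
solution's own code).  Unit prices come from the sample cost table; the
per-remediation assumptions are those used by the example tables."""
from dataclasses import dataclass

# Unit prices (USD) from the sample cost table.
SSM_STEP = 0.002
SSM_SECOND = 0.00003                    # aws:executeScript duration
LAMBDA_REQUEST = 0.20 / 1_000_000
LAMBDA_MS_AT_512MB = 0.0000000083       # $0.0000166667 per GB-s * 0.5 GB / 1000 ms
SFN_TRANSITION = 0.025 / 1_000
KMS_KEY_MONTH = 1.00
KMS_PER_10K_REQUESTS = 0.03
XRAY_TRACE = 0.000005
DDB_GB_MONTH = 0.25

# Per-remediation / per-finding assumptions used by the example tables.
STEPS_PER_REMEDIATION = 4
SECONDS_PER_REMEDIATION = 10
LAMBDA_REQUESTS_PER_REMEDIATION = 7     # plus 1 Lambda request per finding
LAMBDA_MS_PER_REMEDIATION = 4_000
LAMBDA_MS_PER_FINDING = 449
TRANSITIONS_PER_REMEDIATION = 19
KMS_REQUESTS_PER_REMEDIATION = 2
KMS_REQUESTS_PER_FINDING = 4
KMS_CACHE_RETAINED = 0.30               # ~70% of KMS calls removed since v3.1.0
DDB_MB_PER_ACCOUNT_REGION = 15 + 10     # findings table + history table


@dataclass(frozen=True)
class Deployment:
    accounts: int
    regions: int
    remediations: int          # total remediations per month, as each example states
    findings: int              # total Security Hub findings processed per month
    kms_caching: bool = True   # Example 2 shows the KMS figure without caching


def lambda_invocations(d: Deployment) -> int:
    """Every invocation is also one X-Ray trace in the tables."""
    return d.remediations * LAMBDA_REQUESTS_PER_REMEDIATION + d.findings


def line_items(d: Deployment) -> dict:
    """Monthly charge per service, unrounded, keyed by service."""
    kms_requests = (d.remediations * KMS_REQUESTS_PER_REMEDIATION
                    + d.findings * KMS_REQUESTS_PER_FINDING)
    if d.kms_caching:
        kms_requests *= KMS_CACHE_RETAINED
    invocations = lambda_invocations(d)
    return {
        "ssm_automation": (d.remediations * STEPS_PER_REMEDIATION * SSM_STEP
                           + d.remediations * SECONDS_PER_REMEDIATION * SSM_SECOND),
        "lambda_requests": invocations * LAMBDA_REQUEST,
        "lambda_duration": (d.remediations * LAMBDA_MS_PER_REMEDIATION
                            + d.findings * LAMBDA_MS_PER_FINDING) * LAMBDA_MS_AT_512MB,
        "step_functions": d.remediations * TRANSITIONS_PER_REMEDIATION * SFN_TRANSITION,
        # One customer managed key per account per Region, plus API requests.
        "kms": (d.accounts * d.regions * KMS_KEY_MONTH
                + kms_requests / 10_000 * KMS_PER_10K_REQUESTS),
        "xray": invocations * XRAY_TRACE,
        "dynamodb_storage": (d.accounts * d.regions * DDB_MB_PER_ACCOUNT_REGION
                             / 1_000 * DDB_GB_MONTH),
    }


def usage_driven_total(d: Deployment) -> float:
    """Sum of the modelled line items, rounded to cents."""
    return round(sum(line_items(d).values()), 2)


# The deployments described by Example 1 and Example 4 above.
EXAMPLE_1 = Deployment(accounts=10, regions=1, remediations=300, findings=5_000)
EXAMPLE_4 = Deployment(accounts=1_000, regions=10, remediations=30_000,
                       findings=5_000_000)

if __name__ == "__main__":
    for name, dep in (("Example 1", EXAMPLE_1), ("Example 4", EXAMPLE_4)):
        print(name)
        for service, usd in line_items(dep).items():
            print(f"  {service:18s} ${usd:,.4f}")
        print(f"  {'usage-driven total':18s} ${usage_driven_total(dep):,.2f}")
```

The KMS line dominates the large deployment because the \$1 per key per Region is charged in every member account; the caching factor only trims the request component.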

## Additional cost for optional features
<a name="additional-cost-optional"></a>

This section identifies additional costs associated with optional features for this solution.

### Enhanced CloudWatch metrics
<a name="additional-cost-enhanced-metrics"></a>

If you select `yes` for the **EnableEnhancedCloudWatchMetrics** parameter when deploying the admin stack, the solution creates two custom metrics and one alarm for each control ID. The cost depends on the number of control IDs that you are remediating. To determine the upper bound of costs, the following table assumes that you remediate all 96 different control IDs each month.


| Service | Assumptions (96 control IDs × 2 = 192 custom metrics) | Monthly charges [USD] | 
| --- | --- | --- | 
|  Amazon CloudWatch - Metrics  |  \$0.30 × 192 custom metrics = \$57.60  |  \$57.60  | 
|  Amazon CloudWatch - Alarms  |  \$0.10 × 96 alarms = \$9.60  |  \$9.60  | 
|  **Total**  |  |  **\$67.20**  | 

### CloudTrail Action Log
<a name="additional-cost-action-log"></a>

In each member account for which you enable the Action Log feature, the solution creates a CloudTrail trail to log all write management events. A Lambda function filters out events not related to the solution. The cost therefore depends on the total number of management events in the account, because events unrelated to the solution are still captured by the trail and processed by the Lambda function.

For the following table, we assume 150,000 management events per month in the account. The actual cost depends on the actual management event activity in your account.


| Service | Assumptions | Monthly charges [USD] | 
| --- | --- | --- | 
|  AWS CloudTrail  |  150,000 × \$2.00 / 100,000 = \$3.00  |  \$3.00  | 
|  Lambda  |  150,000 × 0.2 × 0.125 = 3,750 GB-seconds; 3,750 × \$0.0000166667 = \$0.0625 compute time cost; 0.15 × \$0.20 = \$0.03 request cost; \$0.0625 + \$0.03 = \$0.0952 total Lambda cost  |  \$0.0925  | 
|  **Total**  |  |  **\$3.09 per member account**  | 

# Security
<a name="security"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](http://aws.amazon.com/security/).

## API Gateway Security Policy
<a name="api-gateway-security-policy"></a>

If you choose to enable the solution's Web User Interface, an API Gateway REST API is deployed alongside the Admin CloudFormation stack and serves as the backend for all operations in the Web UI. The REST API deployed by the solution uses the default TLS security policy for API Gateway, which is `TLS_1_0` for regional APIs.

However, after deploying the Admin CloudFormation stack, you may choose to customize the solution's REST API by applying a more restrictive TLS security policy. For example, you can choose the `TLS_1_2` security policy to restrict traffic to TLSv1.2 or TLSv1.3. You can find the solution's REST API in the API Gateway console under the name **AutomatedSecurityResponseApi**.

In order to choose a security policy for the solution’s REST API, you must first configure a custom domain name. For more information, see [Custom domain name for public REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html).

For more information on adding a security policy to your REST API, see [Choose a security policy for your REST API custom domain in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html) in the API Gateway guide.

# IAM roles
<a name="iam-roles"></a>

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users in the AWS Cloud. This solution creates IAM roles that grant the solution’s automated functions access to perform remediation actions within a narrow scope set of permissions specific to each remediation.

The admin account's Step Functions state machine is assigned the SO0111-ASR-Orchestrator-Admin role. Only this role is allowed to assume the SO0111-Orchestrator-Member role in each member account. The member role is permitted to pass each remediation role to the AWS Systems Manager service so that it can run that remediation's runbook. Remediation role names begin with SO0111, followed by a description matching the name of the remediation runbook. For example, SO0111-RemoveVPCDefaultSecurityGroupRules is the role for the ASR-RemoveVPCDefaultSecurityGroupRules remediation runbook.

## Supported AWS Regions
<a name="supported-aws-regions"></a>

**Important**  
Enabling optional features in the solution may reduce the list of regions supported for deployment. In other words, the list below only applies to the core components of the solution. For example, if you choose to enable the Web UI, you will not be able to deploy the solution in GovCloud regions since [CloudFront is not supported in GovCloud (US), as of November 2025](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-cloudfront.html).


| Region name | Region code | 
| --- | --- | 
|  US East (Ohio)  |  us-east-2  | 
|  US East (N. Virginia)  |  us-east-1  | 
|  US West (Northern California)  |  us-west-1  | 
|  US West (Oregon)  |  us-west-2  | 
|  Africa (Cape Town)  |  af-south-1  | 
|  Asia Pacific (Hong Kong)  |  ap-east-1  | 
|  Asia Pacific (Hyderabad)  |  ap-south-2  | 
|  Asia Pacific (Jakarta)  |  ap-southeast-3  | 
|  Asia Pacific (Melbourne)  |  ap-southeast-4  | 
|  Asia Pacific (Mumbai)  |  ap-south-1  | 
|  Asia Pacific (Osaka)  |  ap-northeast-3  | 
|  Asia Pacific (Seoul)  |  ap-northeast-2  | 
|  Asia Pacific (Singapore)  |  ap-southeast-1  | 
|  Asia Pacific (Sydney)  |  ap-southeast-2  | 
|  Asia Pacific (Tokyo)  |  ap-northeast-1  | 
|  Canada (Central)  |  ca-central-1  | 
|  Europe (Frankfurt)  |  eu-central-1  | 
|  Europe (Ireland)  |  eu-west-1  | 
|  Europe (London)  |  eu-west-2  | 
|  Europe (Milan)  |  eu-south-1  | 
|  Europe (Paris)  |  eu-west-3  | 
|  Europe (Spain)  |  eu-south-2  | 
|  Europe (Stockholm)  |  eu-north-1  | 
|  Europe (Zurich)  |  eu-central-2  | 
|  Middle East (Bahrain)  |  me-south-1  | 
|  Middle East (UAE)  |  me-central-1  | 
|  South America (Sao Paulo)  |  sa-east-1  | 
|  AWS GovCloud (US-East)  |  us-gov-east-1  | 
|  AWS GovCloud (US-West)  |  us-gov-west-1  | 
|  China (Beijing)  |  cn-north-1  | 
|  China (Ningxia)  |  cn-northwest-1  | 
|  Israel (Tel Aviv)  |  il-central-1  | 
|  Canada West (Calgary)  |  ca-west-1  | 
|  Mexico (Mexico City)  |  mx-central-1  | 
|  Asia Pacific (Thailand)  |  ap-southeast-7  | 
|  Asia Pacific (Malaysia)  |  ap-southeast-5  | 

**Note**  
Any new AWS regions not listed may be supported via local deployment but not one-click deployment.

# Quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution
<a name="quotas-for-aws-services-in-this-solution"></a>

Make sure you have sufficient quota for each of the [services implemented in this solution](architecture-details.md#aws-services-in-this-solution). For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Use the following links to go to the page for that service. To view the Service Quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.

## AWS CloudFormation quotas
<a name="aws-cloudformation-quotas"></a>

Your AWS account has AWS CloudFormation quotas that you should be aware of when [launching the stack](deployment.md#step-2) in this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, see [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.

## AWS CloudWatch quotas
<a name="aws-cloudwatch-quotas"></a>

Your AWS account has a CloudWatch Logs quota of 10 resource policies per Region per account, and this quota cannot be increased; see [AWS CloudWatch Logs Quotas](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html) in the *AWS CloudWatch User Guide*. Before you deploy, check your current usage to ensure that deploying the solution will not cross this threshold.

## AWS Organizations
<a name="aws-org-quotas"></a>

The solution’s Lambda functions make calls to the [AWS Organizations API](https://docs.aws.amazon.com/organizations/latest/APIReference/Welcome.html) in order to fetch the alias of the current account to include in messages published to the solution’s SNS topic. This enables human-readable account names to be visible in the solution’s notifications for debugging and tracking purposes.

AWS Organizations imposes limits on how often customers can invoke their API endpoints. If you find that the solution is exceeding the limits set for your account, you can disable the feature that fetches and displays the account alias.

To do this, **navigate to the Lambda function** named `SO0111-ASR-sendNotifications` in the Region and account where you deployed the Admin stack. Then, **locate the environment variable** named `DISABLE_ACCOUNT_ALIAS_LOOKUP` and change its value from `"False"` to **`"True"`**. The account alias field in the solution's notifications will then read *"Unknown"*; this does not affect the functionality of the solution.
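The same change made through the Lambda API, as an added example that is not part of the solution's code. It assumes a boto3 Lambda client (or any object exposing the same two methods); the detail worth knowing is that UpdateFunctionConfiguration replaces the whole environment map, so the current variables are read and merged first rather than overwritten.

```python
"""Disable the account-alias lookup on the solution's notification function
(added example; the function and variable names are those given in this guide)."""

FUNCTION_NAME = "SO0111-ASR-sendNotifications"
FLAG = "DISABLE_ACCOUNT_ALIAS_LOOKUP"


def merged_environment(current: dict, key: str, value: str) -> dict:
    """Return a new Variables map with `key` set and every other entry kept.

    Refuses to add a key that is not already present: a typo in the name would
    otherwise create an unused variable and leave the lookup enabled."""
    if key not in current:
        raise KeyError(f"{key} is not set on the function; check the variable name")
    updated = dict(current)
    updated[key] = value
    return updated


def set_alias_lookup(lambda_client, enabled: bool,
                     function_name: str = FUNCTION_NAME) -> dict:
    """Flip the lookup flag while preserving the function's other variables.

    `lambda_client` is a boto3 Lambda client for the admin account and Region.
    Returns the Variables map that was written."""
    config = lambda_client.get_function_configuration(FunctionName=function_name)
    current = config.get("Environment", {}).get("Variables", {})
    # The guide documents the string values "False" (default) and "True".
    variables = merged_environment(current, FLAG, "False" if enabled else "True")
    # Environment is replaced wholesale, hence the merge above.
    lambda_client.update_function_configuration(
        FunctionName=function_name,
        Environment={"Variables": variables},
    )
    return variables


if __name__ == "__main__":
    import boto3  # needed only for a real run against the admin account
    print(set_alias_lookup(boto3.client("lambda"), enabled=False))
```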

# AWS Security Hub deployment
<a name="aws-security-hub-deployment"></a>

AWS Security Hub deployment and configuration is a prerequisite for this solution. For more information about setting up AWS Security Hub CSPM, refer to [Setting up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the *AWS Security Hub User Guide*. This solution also supports [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub-v2.html) (non-CSPM version). For more information about setting up AWS Security Hub, refer to [Enabling Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html).

At minimum, you must have a working Security Hub configured in your primary account. You can deploy this solution in the same account (and AWS Region) as the Security Hub primary account. In each Security Hub primary and secondary account, you must also deploy the member template that allows AssumeRole permissions to the solution’s AWS Step Functions to run remediation runbooks in the account.

# Stack vs StackSets deployment
<a name="stack-vs-stacksets-deployment"></a>

A *stack set* lets you create stacks in AWS accounts across AWS Regions by using a single AWS CloudFormation template. Starting with version 1.4, this solution supports stack set deployment by splitting resources based on where and how they are deployed. Multi-account customers, particularly those using AWS Organizations, can benefit from using stack sets for deployment across many accounts. It reduces the effort needed to install and maintain the solution. For more information about StackSets, refer to [Using AWS CloudFormation StackSets](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/using-stacksets.html).