Cost
You are responsible for the cost of the AWS services used to run this solution. As of this revision, the cost for running this solution with the default settings in the US East (N. Virginia) AWS Region is approximately $21.14 for 300 remediations/month, $132.53 for 3,000 remediations/month, and $1270.60 for 30,000 remediations/month. Prices are subject to change. For full details, refer to the pricing page for each AWS service used in this solution.
Note
Many AWS Services include a Free Tier – a baseline amount of the service that customers can use at no charge. Actual costs may be more or less than the pricing examples provided.
We recommend creating a budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each AWS service used in this solution.
Sample cost table
The total cost to run this solution depends on the following factors:
- The number of AWS Security Hub member accounts
- The number of active automatically-invoked remediations
- The frequency of remediation
This solution uses the following AWS components, which incur a cost based on your configuration. Pricing examples are provided for small, medium, and large organizations.
Service | Free Tier | Pricing [USD] |
---|---|---|
AWS Systems Manager Automation - Step Count | 100,000 steps per account per month | Beyond the free tier, each basic step is charged at $0.002 per step. For multi-account automations, all steps including those run in any child accounts are counted only in the originating account. |
AWS Systems Manager Automation - Step Duration | 5,000 seconds per month | Beyond the free tier, each aws:executeScript action step is charged at $0.00003 for every second after a free tier of 5,000 seconds per month. |
AWS Systems Manager Automation - Storage | No free tier | $0.046 per GB per month |
AWS Systems Manager Automation - Data Transfer | No free tier | $0.900 per GB transferred (for cross-account or out-of-Region) |
AWS Security Hub - Security Checks | No free tier | First 100,000 checks/account/Region/month costs $0.0010 per check; Next 400,000 checks/account/Region/month costs $0.0008 per check; Over 500,000 checks/account/Region/month costs $0.0005 per check |
AWS Security Hub - Finding Ingestion Events | First 10,000 events/account/Region/month is free. Finding ingestion events associated with Security Hub's security checks. | Over 10,000 events/account/Region/month costs $0.00003 per event |
Amazon CloudWatch - Metrics | Basic Monitoring Metrics (at 5-minute frequency); 10 Detailed Monitoring Metrics (at 1-minute frequency); 1 Million API requests (not applicable to GetMetricData and GetMetricWidgetImage) | First 10,000 metrics costs $0.30 metric/month; Next 240,000 metrics costs $0.10 metric/month; Next 750,000 metrics costs $0.05 metric/month; Over 1,000,000 metrics costs $0.02 metric/month; API calls cost $0.01 per 1,000 requests |
Amazon CloudWatch - Dashboard | 3 Dashboards for up to 50 metrics per month | $3.00 per dashboard per month |
Amazon CloudWatch - Alarms | 10 Alarm metrics (not applicable to high-resolution alarms) | Standard Resolution (60 sec) costs $0.10 per alarm metric; High Resolution (10 sec) costs $0.30 per alarm metric; Standard Resolution Anomaly Detection costs $0.30 per alarm; High Resolution Anomaly Detection costs $0.90 per alarm; Composite costs $0.50 per alarm |
Amazon CloudWatch - Logs Collection | 5GB Data (ingestion, archive storage, and data scanned by Logs Insights queries) | $0.50 per GB |
Amazon CloudWatch - Logs Storage | 5GB Data (ingestion, archive storage, and data scanned by Logs Insights queries) | $0.005 per GB of data scanned |
Amazon CloudWatch - Events | All events except custom events are included | $1.00 per million events for custom events; $1.00 per million events for cross-account events |
AWS Lambda - Requests | 1M free requests per month | $0.20 per 1M requests |
AWS Lambda - Duration | 400,000 GB-seconds of compute time per month | $0.0000166667 for every GB-second. The price for Duration depends on the amount of memory you allocate to your function. You can allocate any amount of memory to your function between 128MB and 10,240MB, in 1MB increments. |
AWS Step Functions - State Transitions | 4,000 free state transitions per month | $0.025 per 1,000 state transitions thereafter |
Amazon EventBridge | All state change events published by AWS services are free | Custom events cost $1.00/million custom events published; Third-party (SaaS) events cost $1.00/million events published; Cross-account events cost $1.00/million cross-account events sent |
Amazon SNS | First 1 million Amazon SNS requests per month are free | $0.50 per 1 million requests thereafter |
Amazon SQS | First 1 million Amazon SQS requests per month are free | $0.40 per 1 million to 100 billion requests thereafter |
Amazon DynamoDB | First 25GB of storage is free | $2.00 per 1 million consistent reads and writes thereafter |
Pricing examples (monthly)
Example 1: 300 remediations per month
- 10 accounts, 1 Region
- 30 remediations per account/Region/month
- Total cost $21.14 per month
Service | Assumptions | Monthly charges [USD] |
---|---|---|
AWS Systems Manager Automation | Steps: ~4 steps * 300 remediations * $0.002 = $2.40; Duration: 10s * 300 remediations * $0.00003 = $0.09 | $2.49 |
AWS Security Hub | No billable services utilized | $0 |
Amazon CloudWatch Logs | 300 remediations * $0.000002 = $0.0006; $0.0006 * 0.03 = $0.000018 | < $0.01 |
AWS Lambda - Requests | 300 remediations * 6 requests = 1,800 requests; $0.20 * 1,000,000 requests = $0.20 | $0.20 |
AWS Lambda - Duration | 256M: 1.875 GB sec * 300 remediations * $0.0000167 = $0.009375 | < $0.01 |
AWS Step Functions | 15 state transitions * 300 remediations = 4,500; $0.025 * (4,500/1,000) state transitions = $0.1125 | < $0.12 |
Amazon EventBridge rules | No charge for rules | $0 |
AWS Key Management Service | 1 key * 10 accounts * 1 Region * $1 = $10 | $10.00 |
Amazon DynamoDB | $2.00 * 1,000,000 read and writes = $2.00 | $2.00 |
Amazon SQS | $0.40 * 1,000,000 requests = $0.40 | $0.40 |
Amazon SNS | $0.50 * 1,000,000 notifications = $0.50 | $0.50 |
Amazon CloudWatch - Metrics | $0.30 * 7 custom metrics = $2.10; $0.01 * (300 * 3 / 1,000) put metrics API calls = $0.01 | $2.11 |
Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
Amazon CloudWatch - Alarms | $0.10 * 3 alarms = $0.30 | $0.30 |
Total | | $21.14 |
Example 2: 3,000 remediations per month
- 100 accounts, 1 Region
- 30 remediations per account/Region/month
- Total cost $134.71 per month
Service | Assumptions | Monthly charges [USD] |
---|---|---|
AWS Systems Manager Automation | Steps: ~4 steps * 3,000 remediations * $0.002 = $24.00; Duration: 10s * 3,000 remediations * $0.00003 = $0.90 | $24.90 |
AWS Security Hub | No billable services utilized | $0 |
Amazon CloudWatch Logs | 3,000 remediations * $0.000002 = $0.006; $0.006 * 0.03 = $0.00018 | < $0.01 |
AWS Lambda - Requests | 3,000 remediations * 6 requests = 18,000 requests; $0.20 * 1,000,000 requests = $0.20 | $0.20 |
AWS Lambda - Duration | 256M: 1.875 GB sec * 3,000 remediations * $0.000167 = $0.09375 | $0.09 |
AWS Step Functions | 15 state transitions * 3,000 remediations = 45,000; $0.025 * (45,000/1,000) state transitions = $1.125 | $1.13 |
Amazon EventBridge rules | No charge for rules | $0 |
AWS Key Management Service | 1 key * 100 accounts * 1 Region * $1 = $100 | $100 |
Amazon DynamoDB | $2.00 * 1,000,000 read and writes = $2.00 | $2.00 |
Amazon SQS | $0.40 * 1,000,000 requests = $0.40 | $0.40 |
Amazon SNS | $0.50 * 1,000,000 notifications = $0.50 | $0.50 |
Amazon CloudWatch - Metrics | $0.30 * 7 custom metrics = $2.10; $0.01 * (3000 * 3 / 1,000) put metrics API calls = $0.09 | $2.19 |
Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
Amazon CloudWatch - Alarms | $0.10 * 3 alarms = $0.30 | $0.30 |
Total | | $134.71 |
Example 3: 30,000 remediations per month
- 1000 accounts, 1 Region
- 30 remediations per account/Region/month
- Total cost $1270.60 per month
Service | Assumptions | Monthly charges [USD] |
---|---|---|
AWS Systems Manager Automation | Steps: ~4 steps * 30,000 remediations * $0.002 = $240.00; Duration: 10s * 30,000 remediations * $0.00003 = $9.00 | $249.00 |
AWS Security Hub | No billable services utilized | $0 |
Amazon CloudWatch Logs | 30,000 remediations * $0.000002 = $0.06; $0.06 * 0.03 = $0.0018 | < $0.01 |
AWS Lambda - Requests | 30,000 remediations * 6 requests = 180,000 requests; $0.20 * 1,000,000 requests = $0.20 | $0.20 |
AWS Lambda - Duration | 256M: 1.875 GB sec * 30,000 remediations * $0.000167 = $0.9375 | $0.94 |
AWS Step Functions | 15 state transitions * 30,000 remediations = 450,000; $0.025 * (450,000/1,000) state transitions = $11.25 | $11.25 |
Amazon EventBridge rules | No charge for rules | $0 |
AWS Key Management Service | 1 key * 1000 accounts * 1 Region * $1 = $1000 | $1000 |
Amazon DynamoDB | $0.000002 * 1,000,000 read and writes = $2.00 | $2.00 |
Amazon SQS | $0.000004 * 1,000,000 requests = $0.40 | $0.40 |
Amazon SNS | $0.000005 * 1,000,000 notifications = $0.50 | $0.50 |
Amazon CloudWatch - Metrics | $0.30 * 7 custom metrics = $2.10; $0.01 * (30,000 * 3 / 1,000) put metrics API calls = $0.90 | $3.00 |
Amazon CloudWatch - Dashboards | $3.00 * 1 dashboard = $3.00 | $3.00 |
Amazon CloudWatch - Alarms | $0.10 * 3 alarms = $0.30 | $0.30 |
Total | | $1270.60 |