Security Hub Pricing overview
The new features of AWS Security Hub are available at no additional charge during the preview period. However, you will still incur costs for the integrated capabilities including Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub CSPM (Cloud Security Posture Management). AWS Security Hub CSPM identifies misconfigurations through automated, continuous security best practice checks against your AWS resources. As a core capability of AWS Security Hub, it provides essential security posture signals to surface and prioritize active risks in your cloud environment through automated analysis and contextual insights.
Security Hub CSPM is priced along three dimensions: the quantity of security checks, the quantity of finding ingestion events, and the quantity of rule evaluations processed per month. With AWS Organizations support, Security Hub CSPM allows you to connect multiple AWS accounts and consolidate findings across those accounts to enjoy tiered pricing for your entire organization’s security checks, finding ingestion events, and automation rule evaluations.
30-day Free Trial
You can try AWS Security Hub CSPM at no cost with a 30-day free trial. The trial includes the complete Security Hub CSPM feature set and security best practice checks. Every AWS account in each AWS Region that is enabled with Security Hub CSPM receives a free trial. During the free trial, you will get an estimate of your monthly bill if you were to continue to use Security Hub CSPM across the same accounts and Regions.

Pricing details
Security Checks
Prepackaged security standards are available for Security Hub CSPM, such as the CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5, and the Payment Card Industry Data Security Standard (PCI DSS). Conducting security checks against these standards can help evaluate the security posture of your AWS accounts and resources. These prepackaged standards are collections of controls that Security Hub CSPM continuously evaluates to identify if any accounts or resources deviate from the defined security best practices. The evaluation of a control against a single AWS resource is referred to as a security check, and it results in a finding that shows the result of the check. You are only charged once for a check when identical controls that are common across different standards are evaluated against the same resource.
Security Hub CSPM security checks leverage configuration items recorded by AWS Config. AWS Config is required for these security checks, and configuration items are priced separately from Security Hub CSPM. Please see Config pricing for details. Security Hub CSPM customers are not charged separately for any AWS Config rules enabled by Security Hub CSPM. The AWS Config rules enabled by Security Hub CSPM are referred to as service-linked rules.
Finding Ingestion Events
Security Hub CSPM ingests findings from various AWS services and partner products. Finding ingestions include both new findings and updates to existing findings.
You are not charged for finding ingestion events associated with Security Hub CSPM security checks.
Security Hub CSPM offers a perpetual free tier of 10,000 finding ingestion events per month.
Automation Rules
Security Hub CSPM automation rules allow you to automatically update or suppress findings in near-real time. You can automatically update various fields in findings, suppress findings, update finding severity and workflow status, add notes, and more. You can set criteria such as finding title or severity to make sure rules act only on relevant findings. This feature is priced by the quantity of automation rule evaluations per month.
Pricing examples
The following examples explore organizations of different sizes using Security Hub CSPM for security checks, finding ingestion, and automation rule evaluations.
Example 1: Small to medium-sized organization
You have one AWS Region, US East (Ohio), and one account in your AWS deployment. In one month, Security Hub CSPM performs 250 security checks per account and aggregates 5,000 finding ingestions per account. You also have automation rules enabled, and you have 10 automation rules set up with 5 criteria each.
Cost calculation

250 security checks
- 250 x 1 account = 250
- 250 x $0.0010 per check (first 100,000 checks tier) = $0.25
- x 1 Region
Cost: $0.25

5,000 finding ingestions
- 5,000 x 1 account = 5,000
- 5,000 x $0.00 per event (first 10,000 events free tier) = $0.00
- x 1 Region
Cost: $0.00

10 automation rules with 5 criteria each
- (250 + 5,000) x 10 x 5 = 262,500
- 262,500 x $0.00 per evaluation (first one million rule evaluations free tier) = $0.00
- x 1 Region
Cost: $0.00

Total monthly cost: $0.25

Example 2: Large organization
You have two Regions, US East (Ohio) and Europe (Ireland), and 20 accounts in your AWS deployment. Security Hub CSPM performs 500 security checks per account (for a total of 10,000 per Region) and aggregates 10,000 finding ingestions per account (for a total of 200,000 per Region). You also have automation rules enabled, and you have 30 automation rules set up with 5 criteria each.
Cost calculation

500 security checks
- 500 checks x 20 accounts = 10,000
- 10,000 x $0.0010 per check (first 100,000 checks tier) = $10.00
- x 2 Regions
Cost: $20.00

10,000 finding ingestions
- 10,000 x 20 accounts = 200,000
- (first 10,000 events free tier)
- 190,000 x $0.00003 per event = $5.70
- x 2 Regions
Cost: $11.40

30 automation rules with 5 criteria each
- (500 + 10,000) x 20 accounts x 30 x 5 = 31,500,000
- (first one million are on free tier)
- 30,500,000 x $0.10 per one million rule evaluations = $3.05
- x 2 Regions
Cost: $6.10

Total monthly cost: $37.50

Example 3: Very large organization
You have three Regions, US East (Ohio), Europe (Ireland), and Asia Pacific (Sydney), and 200 accounts in your AWS deployment. Security Hub CSPM performs 1,000 security checks per account (for a total of 200,000 checks per Region) and aggregates 50,000 finding ingestions per account (for a total of 10,000,000 events per Region). You also have automation rules enabled, with 50 automation rules set up with 5 criteria each.
Cost calculation

1,000 security checks
- 1,000 x 200 accounts = 200,000
- 100,000 x $0.0010 per check (first 100,000 checks tier) = $100.00
- 100,000 x $0.0008 per check (next 400,000 tier) = $80.00
- x 3 Regions
Cost: $540.00

50,000 finding ingestions
- 50,000 x 200 accounts = 10,000,000
- 10,000 x $0.00 per event (first 10,000 events free tier) = $0 +
- 9,990,000 x $0.00003 per event (over 10,000 events tier) = $299.70
- x 3 Regions
Cost: $899.10

50 automation rules with 5 criteria each
- (200,000 security checks + 10,000,000 events) = 10,200,000 x 50 x 5 = 2,550,000,000
- (first one million are on free tier)
- 99,000,000 x $0.1 per one million = $9.90 +
- 990,000,000 x $0.05 per one million = $49.50 +
- 1,460,000,000 x $0.015 per one million = $21.90
- x 3 Regions
Cost: $243.90

Total monthly cost: $1,683.00