Free Tier
Try Amazon Security Hub at no cost with a 30-day free trial that includes essentials plan capabilities. Every Amazon Web Services account in each Region enabled with Amazon Security Hub receives a free trial, even if you previously used Amazon Security Hub CSPM or Amazon Inspector free trials.
Add-on capabilities (threat analytics plan powered by Amazon GuardDuty and Amazon Lambda code scanning powered by Amazon Inspector) are not included in the Amazon Security Hub free trial, though individual service free trials still apply if you have not used them previously. During the free trial, you can monitor your usage through your Amazon Web Services billing console to estimate your ongoing costs based on actual usage during the free trial.
Overview
Amazon Security Hub prioritizes your critical security issues and unifies your security operations to help you respond at scale. It detects critical issues by correlating and enriching signals across multiple Amazon Web Services security services, for example, from Amazon GuardDuty for threat detection and Amazon Inspector for vulnerability management. This enables you to surface and prioritize risks in your cloud environment.
Amazon Security Hub transforms signals into actionable insights that reduce security risks, improve your team's productivity, and protect your cloud environment.
Pricing Model
Amazon Security Hub uses a streamlined pricing model with consolidated per-resource charges. When you enable Amazon Security Hub, you receive the default level of coverage through the essentials plan and benefit from consolidated pricing across multiple services including Amazon Inspector, Amazon GuardDuty, Amazon Security Hub CSPM, and other integrated security services.
Existing billing for these security services seamlessly transitions to Amazon Security Hub streamlined pricing with no action required. Individual services remain available with standard pricing when Amazon Security Hub is not enabled. Amazon Security Hub provides the essentials plan as the default level of coverage with add-on capabilities available to extend your security coverage.
Note that essentials plan charges are based on all monitored resources, regardless of which capabilities you use.
Essentials plan: Provides risk analytics, vulnerability management, security posture management, and security response management. Default coverage included with Amazon Security Hub.
Add-on capabilities to enhance your essentials plan:
- Threat analytics plan powered by Amazon GuardDuty: Detects potential security threats and unauthorized activities across your Amazon Web Services environment.
- Amazon Lambda code scanning powered by Amazon Inspector: Identifies security vulnerabilities in Amazon Lambda function code.
Plans and features
Amazon Security Hub essentials plan
|
Capability |
Powered by |
Standard pricing |
Amazon Security Hub essentials plan |
|
Pricing approach |
Amazon Security Hub |
Pay for each security feature separately |
Consolidated per-resource pricing (unlimited scans) |
|
Risk and exposure analytics |
Amazon Security Hub |
Not available |
Included |
|
Resource inventory |
Amazon Security Hub |
Not available |
Included |
|
Automation rules |
Amazon Security Hub CSPM |
Per one million rule evaluations |
Included |
|
Finding ingestion events |
Amazon Security Hub CSPM |
First 10,000 free; Over 10,000 per event |
Included |
|
Posture management (CSPM) |
Amazon Security Hub CSPM |
Per check |
Included |
|
EC2 vulnerability scanning |
Amazon Inspector |
Per instance |
Included |
|
EC2 CIS Benchmark assessment |
Amazon Inspector |
Per assessment per instance |
Included |
|
ECR vulnerability scanning |
Amazon Inspector |
Per image (on-push); Per rescan (retained images) |
Included |
|
Amazon Lambda vulnerability scanning |
Amazon Inspector |
Per Amazon Lambda function |
Included |
|
EC2/EBS malware protection |
Amazon GuardDuty |
Per GB |
Included |
Amazon Security Hub threat analytics plan
|
Capability |
Powered by |
Standard pricing |
Amazon Security Hub essentials plan |
|
CloudTrail threat analytics |
Amazon GuardDuty |
Per one million events |
Per one million events |
|
VPC & DNS logs threat analytics |
Amazon GuardDuty |
Per GB |
Per GB |
|
S3 threat analytics |
Amazon GuardDuty |
Per one million events |
Per GB |
|
EKS threat analytics |
Amazon GuardDuty |
Per one million events |
Per GB |
|
Lambda threat analytics |
Amazon GuardDuty |
Per GB |
Per GB |
Amazon Lambda code scanning
|
Capability |
Powered by |
Standard pricing |
Amazon Security Hub essentials plan |
|
Amazon Lambda code scanning |
Amazon Inspector |
Per Amazon Lambda function |
Per Amazon Lambda function |
Pricing Details
Amazon Security Hub essentials plan pricing
-
Pricing details - Beijing Region
Measurement
Pricing
Average number of resource units per month
¥ 28.70 per resource unit
Even though all supported resources are monitored for security risk, per-resource pricing only applies to four primary resource types: Amazon EC2 instances, Amazon ECR container images, Amazon Lambda functions, and Amazon IAM users and roles. All other monitored resources are included.
Pricing is anchored on Amazon EC2 instances as 1 resource unit, with Amazon Lambda functions at 1/12 of a resource unit (12 functions = 1 resource unit), Amazon ECR container images at 1/18 of a resource (18 images = 1 resource unit), and Amazon IAM users and roles at 1/125 of a resource (125 IAM resources = 1 resource unit).
-
Pricing details - Ningxia Region
Measurement
Pricing
Average number of resource units per month
¥ 28.70 per resource unit Even though all supported resources are monitored for security risk, per-resource pricing only applies to four primary resource types: Amazon EC2 instances, Amazon ECR container images, Amazon Lambda functions, and Amazon IAM users and roles. All other monitored resources are included.
Pricing is anchored on Amazon EC2 instances as 1 resource unit, with Amazon Lambda functions at 1/12 of a resource unit (12 functions = 1 resource unit), Amazon ECR container images at 1/18 of a resource (18 images = 1 resource unit), and Amazon IAM users and roles at 1/125 of a resource (125 IAM resources = 1 resource unit).
Threat analytics plan pricing
-
Pricing details - Beijing Region
Usage tier Pricing
Per one million events / month
¥ 35.30 per million events
Threat analytics on data events, network activity, and other logs
Analyzes Amazon VPC flow logs, Amazon Route 53 DNS query logs, Amazon S3 data events (1 million events = 2 GB), Amazon EKS audit logs (1 million events = 2.2 GB), and Amazon Lambda network logs.
Volume tier Pricing
First 1,000 GB / month
¥ 4.62 per GB
Next 9,000 GB / month
¥ 2.10 per GB
Over 10,000 GB / month
¥ 0.84 per GB
-
Pricing details - Ningxia Region
Usage tier Pricing
Per one million events / month
¥ 30.00 per million events Threat analytics on data events, network activity, and other logs
Analyzes Amazon VPC flow logs, Amazon Route 53 DNS query logs, Amazon S3 data events (1 million events = 2 GB), Amazon EKS audit logs (1 million events = 2.2 GB), and Amazon Lambda network logs.
Volume tier Pricing
First 1,000 GB / month
¥ 3.85 per GB
Next 9,000 GB / month
¥ 1.75 per GB
Over 10,000 GB / month
¥ 0.70 per GB
Amazon Lambda code scanning pricing
-
Pricing details - Beijing Region
Resource type Pricing
Average number of Amazon Lambda functions with code scanning enabled
¥ 3.15 per function
-
Pricing details - Ningxia Region
Resource type
Pricing
Average number of Amazon Lambda functions with code scanning enabled
¥ 3.15 per function
Pricing Examples
The following examples demonstrate how Amazon Security Hub pricing is calculated in the Amazon Web Services China (Beijing) Region, operated by Sinnet. All prices are in CNY (¥).
Example 1: Small to medium organization
You have one Region, Amazon Web Services China (Beijing) Region, operated by Sinnet (cn-north-1), and one account in your Amazon Web Services deployment. In one month, your Amazon Security Hub environment analyzes 2 million Amazon CloudTrail management events, 800 GB of data events, network activity, and other logs, and monitors 500 Amazon EC2 instances for security risks.
Amazon Security Hub essentials plan
Amazon EC2 instances
500 × 1 unit = 500 units
Amazon Security Hub essentials plan total
500 resource units × ¥28.70 per resource
¥14,350.00
Threat analytics plan
Amazon CloudTrail management events
2 million events at ¥35.30 per million events
¥70.60
Data events, network activity, and other logs
800 GB at ¥4.62 per GB (first 1,000 GB tier)
¥3,696.00
Threat analytics total
¥70.60 + ¥3,696.00
¥3,766.60
Total monthly cost¥18,116.60
Example 2: Large organization
You have a large enterprise Amazon Web Services deployment with a mix of different resource types. In one month, your Amazon Security Hub environment processes 100 million Amazon CloudTrail management events, 500 TB of security data from logs and events, and monitors a diverse set of resources: 1,000 Amazon EC2 instances, 1,800 container images, 1,200 Amazon Lambda functions, and 1,250 Amazon IAM users.
Amazon Security Hub essentials plan
Amazon EC2 instances
1,000 × 1 unit = 1,000 units
Amazon ECR container images
1,800 × 1/18 unit = 100 units
Amazon Lambda functions
1,200 × 1/12 unit = 100 units
Amazon IAM users and roles
1,250 × 1/125 unit = 10 units
Total resource units
1,000 + 100 + 100 + 10 = 1,210 units
Amazon Security Hub essentials plan total
1,210 resource units × ¥28.70 per resource
¥34,727.00
Threat analytics plan
Amazon CloudTrail management events
100 million events at ¥35.30 per million events
¥3,530.00
Data events, network activity, and other logs
For 500 TB (512,000 GB total):
First 1,000 GB at ¥4.62 per GB
¥4,620.00
Next 9,000 GB at ¥2.10 per GB
¥18,900.00
Remaining 502,000 GB at ¥0.84 per GB
¥421,680.00
Threat analytics total
¥3,530.00 + ¥4,620.00 + ¥18,900.00 + ¥421,680.00
¥448,730.00
Total monthly cost¥483,457.00