aws_securityhub_account cost estimation

Centralized security posture management, billed per security check and per finding ingested. 100K checks/month is ~$100, with tiers lowering the rate at scale.

An aws_securityhub_account enables AWS Security Hub, which runs automated security/compliance checks against your resources and aggregates findings from GuardDuty, Inspector, Macie, and partner tools. Cost is per security check (~$0.0010 per check, with volume tiers that drop the rate sharply at scale) plus per finding ingested (the first large allotment is free). 100K checks/month is ~$100.

The check volume is the cost driver, and it scales with the number of resources and the compliance standards you enable (CIS, AWS Foundational, PCI DSS, etc.). Each enabled standard runs its controls against every applicable resource, so turning on multiple standards across a large multi-account estate multiplies check volume.

The levers: enable the compliance standards you actually report against rather than all of them, disable individual controls that don't apply to your environment, and rely on the volume tiers (the per-check rate falls steeply past the first 100K), which make Security Hub relatively cheap at large scale once the tiers kick in.

C3X prices Security Hub as a usage-based resource, taking monthly check volume as the input, so projected cost can be modelled.

Terraform example

A minimal but realistic configuration that C3X can estimate.

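# The CIS v1.4.0 standard uses a regional ARN, so look up the current region.
data "aws_region" "current" {}

resource "aws_securityhub_account" "main" {
  # Also subscribes the account to Security Hub's default standards, which adds billed checks.
  enable_default_standards = true
}

resource "aws_securityhub_standards_subscription" "cis" {
  # Only CIS v1.2.0 uses the region-less "ruleset" ARN; v1.4.0 is a regional "standards" ARN.
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.main]
}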

Pricing dimensions

What you actually pay for when you provision aws_securityhub_account.

| Dimension | Unit | What's being charged |
|---|---|---|
| Security checks | per check | Automated control checks against resources, with volume tiers lowering the per-check rate sharply at scale. $0.0010/check (first tier) → 100K checks = $100/month |
| Finding ingestion | per finding | Findings ingested from integrated sources, with a large free allotment. Usage-based above it. |

Sample C3X output

100K security checks in a month (first tier):

aws_securityhub_account.main
└─ Security checks   100,000 checks   $100.00
                     Monthly          $100.00

Optimization tips

Common ways to reduce aws_securityhub_account cost without changing the workload.

Enable only the standards you report against

Proportional to standards not enabled

Each compliance standard (CIS, AWS Foundational, PCI DSS) runs its controls against every applicable resource, multiplying check volume. Enable the standards you actually need for compliance, not all of them across every account.

Disable inapplicable controls

Per control disabled

Within an enabled standard, disable individual controls that don't apply to your environment (e.g. controls for services you don't use). Fewer applicable controls means fewer billed checks.

Lean on the volume tiers at scale

Built-in at high volume

The per-check rate falls steeply past the first 100K checks/month, so Security Hub gets relatively cheap per-check at large scale. Budget with the tiered rate in mind rather than extrapolating the first-tier price.

Consolidate findings rather than duplicating tools

Avoids duplicate tooling

Security Hub aggregates findings from GuardDuty, Inspector, Macie, etc. Use it as the aggregation layer rather than paying separate tools to do the same correlation.
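The check-volume and tiering arithmetic behind the tips above, as an added example (not C3X's own code or output). It compares a tiered estimate with a first-tier extrapolation for an estate with every standard enabled versus only the needed ones. The first-tier rate is the page's figure; the two lower tier rates, the tier boundaries past 100K, and all control and resource counts are assumptions made for illustration.

```python
from decimal import Decimal

# (tier size in checks, USD per check). The first tier is the page's figure;
# the two lower tiers are ASSUMED placeholders, to be replaced with current AWS rates.
TIERS = [
    (100_000, Decimal("0.0010")),
    (400_000, Decimal("0.0008")),  # assumed
    (None, Decimal("0.0005")),     # assumed; None = no upper bound
]

def estimate_checks(standards):
    """standards maps name -> (controls, applicable resources per control)."""
    return sum(controls * resources for controls, resources in standards.values())

def tiered_cost(checks, tiers=TIERS):
    """Bill each slice of monthly volume at the rate of the tier it falls in."""
    cost, remaining = Decimal("0"), checks
    for size, rate in tiers:
        in_tier = remaining if size is None else min(remaining, size)
        cost += in_tier * rate
        remaining -= in_tier
        if remaining == 0:
            break
    return cost

def first_tier_extrapolation(checks, tiers=TIERS):
    """The naive estimate the page warns against: all volume at the first-tier rate."""
    return checks * tiers[0][1]

# Constructed estate: control and resource counts are illustrative, not AWS figures.
ALL_STANDARDS = {"aws-foundational": (200, 1500), "cis": (40, 1000), "pci-dss": (150, 1500)}
NEEDED_ONLY = {k: v for k, v in ALL_STANDARDS.items() if k != "pci-dss"}

if __name__ == "__main__":
    for label, standards in (("all standards", ALL_STANDARDS), ("needed only", NEEDED_ONLY)):
        checks = estimate_checks(standards)
        print(f"{label:14} {checks:>9,} checks  tiered ${tiered_cost(checks):.2f}"
              f"  first-tier extrapolation ${first_tier_extrapolation(checks):.2f}")
```

With these constructed numbers, dropping the unneeded standard removes 225,000 checks but saves $160.50 rather than the $225.00 a first-tier extrapolation would suggest, because the removed volume was billed at the lower tiers.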

FAQ

How is AWS Security Hub billed?

Per security check (~$0.0010, with volume tiers dropping the rate sharply past 100K) plus per finding ingested (large free allotment). 100K checks/month is ~$100. Check volume scales with resource count and the compliance standards you enable.

What drives Security Hub cost?

The number of checks, which is resources × enabled-standard controls. Turning on multiple compliance standards across a large multi-account estate multiplies check volume. Enable only needed standards and disable inapplicable controls.

How does C3X estimate the cost?

Security Hub is usage-driven, so C3X models it from the monthly check volume set in c3x-usage.yml. There's no instance to price; the estimate reflects projected check and finding volume.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_securityhub_account.