# 安全合规持续检测和自动修复费用 {% hint style="info" %} 实际使用会有一些偏差,以实际使用的区域费用为准,文档中都是以美国东部(俄亥俄州)的价格进行估算。 {% endhint %} ## #1 持续检测成本 核心组件
组件名称Free Tier单价(以美东1为例)
AWS Security Hub - Security Checks30-day Free Trial

First 100,000 checks/account/region/month costs $0.0010 per check

Next 400,000 checks/account/region/month costs $0.0008 per check

Over 500,000 checks/account/region/month costs $0.0005 per check

AWS Security Hub - Finding Ingestion EventsIngested findings associated with Security Hub security checks are free;

First 10,000 events/account/region/month is free. Finding ingestion events associated with Security Hub’s security checks.		Over 10,000 events/account/region/month costs $0.00003 per event
AWS Security Hub automation rulesFirst one million rule evaluations / month is free;Next 99 million rule evaluations / month $0.10 per one million evaluations;
Next 900 million rule evaluations / month $0.05 per one million evaluations;
Over 1,000 million rule evaluations / month $0.015 per one million evaluations
Amazon Config

Pay for only what you use, with no minimums or upfront commitments.

备注:Security Hub的规则不会额外计费,如果在security hub的免费试用期内,security hub创建出来的config规则也是免费的。


Continuous Recording:
account/region costs $0.003 per configuration item
Periodic Recording:
account/region costs $0.012 per configuration item

First 100,000 rule evaluations $0.001 per rule evaluation per region
Next 400,000 rule evaluations (100,001-500,000) $0.0008 per rule evaluation per region
500,001 and more rule evaluations $0.0005 per rule evaluation per region
## #2 自动修复成本 300 次修复/月约为 3.33 美元,3,000 次修复/月约为 26.83 美元,30,000 次修复/月约为 261.90 美元。 详细的计算方式可以参见文档: ## 案例1: 中小企业 假设你有一个地区,美国东部(俄亥俄州),在你的AWS部署中有一个账户。AWS Security Hub对每个账户/地区/月进行250次安全检查。Security Hub还对每个账户/地区/月的5,000个发现摄入量进行汇总。 使用Amazon EventBridge转发AWS Security Hub的安全检查,都是由AWS Security Hub发布的,则都是免费的。 Amazon EventBridge事件触发对象使用AWS Lamdba实现告警通知,自动修复等,免费套餐可以覆盖住使用量。 或者使用Amazon Systems Manager的Automation执行自动修复,每个账户每月可以享受 100,000 个步骤的免费套餐。 | 成本核算 | 总成本(每月) | | ------------------------------------------------------------------ | ------- | | 250 安全检查 | | | 250 x 1 region x $0.0010 per check (first 100,000 checks tier) | $0.25 | | 5,000 findings汇总分析 | | | 5,000 x 1 region x $0.00 per event (first 10,000 events free tier) | $0 | | 使用AWS Lamdba做自动修复,免费套餐可以覆盖住使用量 | $0 | | Amazon EventBridge | $0 | | Amazon Systems Manager | $0 | | Total Cost per month | $0.25 | ## 案例2: 大型企业 假设你有两个地区,美东(俄亥俄)和欧洲(爱尔兰),你的AWS部署中有20个账户。AWS Security Hub对每个账户/地区/月进行500次安全检查。Security Hub还对每个账户/地区/月的10,000个发现摄入量进行汇总。 使用AWS Config 进行额外自定义的安全检查,在各种资源类型中总共记录了1000个配置项;在账户中进行了5000次AWS配置规则评估,添加5个规则集,每个规则集含10个AWS配置规则,每个AWS配置规则有30个规则评估(也就是说,5\*10\*30=1500个一致性评估)。 使用Amazon EventBridge转发AWS Security Hub的安全检查,都是由AWS Security Hub发布的,则都是免费的。 Amazon EventBridge事件触发对象使用AWS Lamdba实现告警通知,自动修复等,假设告警通知,自动修复等等function添加了30个,每个function使用128MB 内存,x86处理器,平均function执行时间120 ms,一个月所有function累计执行了300万次。 或者使用Amazon Systems Manager的Automation执行自动修复,每个账户每月执行了101,000个步骤,运行的总时间为100,000秒。 | 成本核算 | 总成本(每月) | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | 500 安全检查 500 x 2 region x $0.0010 per check (first 100,000 checks tier) x 20 accounts | $20.00 | | 10,000 finding汇总分析 5,000 x 2 region x $0.00 per event (first 10,000 events free tier) x 20 accounts | $0 | |

10,000个配置项 1000 \* $0.003 = $3

AWS Config规则 First 100,000 evaluations at $0.001 each = 5000 \* $0.001 = $5

Cost of conformance packs规则集 First 100,000 conformance pack evaluations at $0.001 each = 1500 \* 0.001 =$1.5

| $9.5 | |

Monthly compute charges Total compute (seconds) = 3 million \* 120ms = 360,000 seconds

Total compute (GB-s) = 360,000 \* 128MB/1024 MB = 45,000 GB-s 使用量在免费范围内,Monthly compute charges = $0

Monthly request charges 3 million requests – 1 million free tier requests = 2 million monthly billable requests

Monthly request charges = 2M \* $0.2/M = $0.40

| $0.40 | | Amazon EventBridge | $0 | |

AWS Systems Manager Automation Step count:

Total steps (101,000)– Free tier (100,000) = billable basic steps (1,000) 1,000 basic steps \* $0.002/basic step*20 accounts = $40

Step duration: (100,000 seconds aws:execute Script duration – 5,000 seconds Free tier)* 0.00003/second = $2.85 Total monthly charges = $40 + $2.85= $42.85

| $42.85 | | Total Cost per month | $72.75 | ## 案例3: 超大型企业 假设你有三个region,美东(俄亥俄州)、欧洲(爱尔兰)和亚太地区(悉尼),你的AWS部署中有200个账户。AWS Security Hub对每个账户/地区/月执行1,000次安全检查。Security Hub还对每个账户/地区/月的50,000个发现摄入量进行汇总。 使用AWS Config 进行额外自定义的安全检查,在各种资源类型中总共记录了10,000个配置项;在账户中进行了50,000次AWS配置规则评估,添加5个规则集,每个规则集含10个AWS配置规则,每个AWS配置规则有300个规则评估(也就是说,5*10*300=15000个一致性评估)。 Amazon EventBridge事件触发对象使用AWS Lamdba实现告警通知,自动修复等,假设告警通知,自动修复等等function添加了1000个,每个function使用512MB 内存,x86处理器,平均function执行时间200 ms,一个月所有function累计执行了3000万次。 或者使用Amazon Systems Manager的Automation执行自动修复,每个账户每月执行了120,000个步骤,运行的总时间为1,000,000秒。 | 成本核算 | 总成本(每月) | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | 每个region 1,000 安全检查 1,000 x 3 region x $0.0010 per check (first 100,000 checks tier) x 200 accounts | $600.00 | | 每个region 10,000 finding汇总分析 10,000 x 3 region x $0.00 per event (first 10,000 events free tier) x 200 accounts | $0 | | 每个region 40,000 finding汇总分析 40,000 x 3 region x $0.00003 per event (over 10,000 events free tier) x 200 accounts | $720 | |

10,000个配置项 10,000 \* $0.003 = $30 AWS Config规则

First 100,000 evaluations at $0.001 each = 50,000 \* $0.001 = $50

Cost of conformance packs规则集 First 100,000 conformance pack evaluations at $0.001 each = 15,000 \* 0.001 =$15

| $95 | |

Monthly compute charges Total compute (seconds) = 30 million \* 200ms = 6,000,000 seconds

Total compute (GB-s) = 6,000,000 \* 512MB/1024 MB = 3,000,000 GB-s

Total compute – Free tier compute = monthly billable compute GB- s 3,000,000 GB-s – 400,000 free tier GB-s = 2,600,000 GB-s

Monthly compute charges = 2,600,000 \* $0.0000166667 = $433.316

Monthly request charges 30 million requests – 1 million free tier requests = 29 million monthly billable requests Monthly request charges = 29M \* $0.2/M = $5.8

| $439.116 | | Amazon EventBridge | $0 | | AWS Systems Manager Automation Step count: Total steps (101,000)– Free tier (100,000) = billable basic steps (1,000) 1,000 basic steps \* $0.002/basic step\*200 accounts = $400 Step duration: (1,000,000 seconds aws:executeScript duration – 5,000 seconds Free tier)\* 0.00003/second = $29.85 Total monthly charges = $400 + $29.85= $429.85 | $429.85 | | Total Cost per month | $2,283.966 |