Cost of continuous security compliance detection and automated remediation
Actual costs will vary somewhat; the pricing of the region you actually use applies. All estimates in this document are based on US East (Ohio) prices.
#1 Continuous detection cost
Core components

Security Hub security checks
- 30-day free trial
- First 100,000 checks/account/region/month: $0.0010 per check
- Next 400,000 checks/account/region/month: $0.0008 per check
- Over 500,000 checks/account/region/month: $0.0005 per check

Finding ingestion events associated with Security Hub's security checks
- Ingested findings associated with Security Hub security checks are free; the first 10,000 events/account/region/month are free
- Over 10,000 events/account/region/month: $0.00003 per event

Rule evaluations
- First one million rule evaluations/month: free
- Next 99 million rule evaluations/month: $0.10 per one million evaluations
- Next 900 million rule evaluations/month: $0.05 per one million evaluations
- Over 1,000 million rule evaluations/month: $0.015 per one million evaluations

Pay for only what you use, with no minimums or upfront commitments.

Note: Security Hub rules are not billed separately, and during the Security Hub free trial the AWS Config rules that Security Hub creates are also free.

AWS Config
- Continuous recording: $0.003 per configuration item per account/region
- Periodic recording: $0.012 per configuration item per account/region
- First 100,000 rule evaluations: $0.001 per rule evaluation per region
- Next 400,000 rule evaluations (100,001-500,000): $0.0008 per rule evaluation per region
- 500,001 and more rule evaluations: $0.0005 per rule evaluation per region
#2 Automated remediation cost
Roughly $3.33 per month for 300 remediations, $26.83 per month for 3,000 remediations, and $261.90 per month for 30,000 remediations.
The detailed calculation method is described in the documentation:
https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/cost.html
Case 1: Small and medium-sized business
Assume one region, US East (Ohio), with one account in your AWS deployment. AWS Security Hub performs 250 security checks per account/region/month, and ingests and aggregates 5,000 findings per account/region/month.
Amazon EventBridge is used to forward the AWS Security Hub security-check events; since these events are all published by AWS Security Hub, they are free.
The EventBridge event targets are AWS Lambda functions that send alert notifications, perform automated remediation, and so on; the free tier covers this usage.
Alternatively, AWS Systems Manager Automation performs the automated remediation; each account gets a free tier of 100,000 steps per month.
Cost breakdown

| Item | Calculation | Monthly cost |
| --- | --- | --- |
| 250 security checks | 250 x 1 region x $0.0010 per check (first 100,000 checks tier) | $0.25 |
| 5,000 findings ingested and aggregated | 5,000 x 1 region x $0.00 per event (first 10,000 events free tier) | $0 |
| AWS Lambda for automated remediation | usage covered by the free tier | $0 |
| Amazon EventBridge | | $0 |
| AWS Systems Manager | | $0 |
| Total cost per month | | $0.25 |
Case 2: Large enterprise
Assume two regions, US East (Ohio) and Europe (Ireland), with 20 accounts in your AWS deployment. AWS Security Hub performs 500 security checks per account/region/month, and ingests and aggregates 10,000 findings per account/region/month.
AWS Config is used for additional custom security checks: 1,000 configuration items are recorded across the various resource types; 5,000 AWS Config rule evaluations run in the account; and 5 conformance packs are added, each containing 10 AWS Config rules with 30 rule evaluations per rule (that is, 5 x 10 x 30 = 1,500 conformance evaluations).
Amazon EventBridge is used to forward the AWS Security Hub security-check events; since these events are all published by AWS Security Hub, they are free.
The EventBridge event targets are AWS Lambda functions that send alert notifications, perform automated remediation, and so on. Assume 30 such functions are added, each using 128 MB of memory on an x86 processor with an average execution time of 120 ms, and that all functions together run 3 million times per month.
Alternatively, AWS Systems Manager Automation performs the automated remediation: each account runs 101,000 steps per month, with a total run time of 100,000 seconds.
Cost breakdown

| Item | Calculation | Monthly cost |
| --- | --- | --- |
| 500 security checks | 500 x 2 regions x $0.0010 per check (first 100,000 checks tier) x 20 accounts | $20.00 |
| 10,000 findings ingested and aggregated | 10,000 x 2 regions x $0.00 per event (first 10,000 events free tier) x 20 accounts | $0 |
| AWS Config | 1,000 configuration items x $0.003 = $3; rules: first 100,000 evaluations at $0.001 each, 5,000 x $0.001 = $5; conformance packs: first 100,000 conformance pack evaluations at $0.001 each, 1,500 x $0.001 = $1.5 | $9.5 |
| AWS Lambda (30 functions) | Compute: 3 million x 120 ms = 360,000 seconds; 360,000 x 128 MB / 1024 MB = 45,000 GB-s, within the free tier, so monthly compute charges = $0. Requests: 3 million requests - 1 million free tier requests = 2 million billable requests; 2M x $0.20/M = $0.40 | $0.40 |
| Amazon EventBridge | | $0 |
| AWS Systems Manager Automation | Step count: total steps (101,000) - free tier (100,000) = 1,000 billable basic steps; 1,000 basic steps x $0.002 per basic step x 20 accounts = $40. Step duration: (100,000 seconds aws:executeScript duration - 5,000 seconds free tier) x $0.00003/second = $2.85. Total = $40 + $2.85 = $42.85 | $42.85 |
| Total cost per month | | $72.75 |
Case 3: Very large enterprise
Assume three regions, US East (Ohio), Europe (Ireland) and Asia Pacific (Sydney), with 200 accounts in your AWS deployment. AWS Security Hub performs 1,000 security checks per account/region/month, and ingests and aggregates 50,000 findings per account/region/month.
AWS Config is used for additional custom security checks: 10,000 configuration items are recorded across the various resource types; 50,000 AWS Config rule evaluations run in the account; and 5 conformance packs are added, each containing 10 AWS Config rules with 300 rule evaluations per rule (that is, 5 x 10 x 300 = 15,000 conformance evaluations).
The EventBridge event targets are AWS Lambda functions that send alert notifications, perform automated remediation, and so on. Assume 1,000 such functions are added, each using 512 MB of memory on an x86 processor with an average execution time of 200 ms, and that all functions together run 30 million times per month.
Alternatively, AWS Systems Manager Automation performs the automated remediation: each account runs 120,000 steps per month, with a total run time of 1,000,000 seconds.
Cost breakdown

| Item | Calculation | Monthly cost |
| --- | --- | --- |
| 1,000 security checks per region | 1,000 x 3 regions x $0.0010 per check (first 100,000 checks tier) x 200 accounts | $600.00 |
| 10,000 findings per region ingested and aggregated (free tier) | 10,000 x 3 regions x $0.00 per event (first 10,000 events free tier) x 200 accounts | $0 |
| 40,000 findings per region ingested and aggregated (above free tier) | 40,000 x 3 regions x $0.00003 per event (over 10,000 events free tier) x 200 accounts | $720 |
| AWS Config | 10,000 configuration items x $0.003 = $30; rules: first 100,000 evaluations at $0.001 each, 50,000 x $0.001 = $50; conformance packs: first 100,000 conformance pack evaluations at $0.001 each, 15,000 x $0.001 = $15 | $95 |
| AWS Lambda (1,000 functions) | Compute: 30 million x 200 ms = 6,000,000 seconds; 6,000,000 x 512 MB / 1024 MB = 3,000,000 GB-s; 3,000,000 GB-s - 400,000 free tier GB-s = 2,600,000 billable GB-s; 2,600,000 x $0.0000166667 = $433.316. Requests: 30 million requests - 1 million free tier requests = 29 million billable requests; 29M x $0.20/M = $5.8 | $439.116 |
| Amazon EventBridge | | $0 |
| AWS Systems Manager Automation | Step count: total steps (101,000) - free tier (100,000) = 1,000 billable basic steps; 1,000 basic steps x $0.002 per basic step x 200 accounts = $400. Step duration: (1,000,000 seconds aws:executeScript duration - 5,000 seconds free tier) x $0.00003/second = $29.85. Total = $400 + $29.85 = $429.85 | $429.85 |
| Total cost per month | | $2,283.966 |
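To make the three case estimates reproducible for your own account counts and volumes, the following Python estimator is added here as an illustration; it is not part of the original page and not an AWS tool. It only applies the unit prices and free tiers quoted on this page (the 400,000 GB-s Lambda free tier and the Systems Manager step and script-duration figures are taken from the case tables, since the pricing list above does not spell them out), and it generalizes the tables to check volumes that spill into the second and third price tiers. Run on the case 3 Lambda inputs it gives a compute charge of about $43.33 rather than the $433.316 in the table above (2,600,000 x $0.0000166667), so the case 3 Lambda line and total are worth rechecking against the current AWS pricing page before you rely on them.

```python
"""Monthly cost estimator for the Security Hub / Config / Lambda / Systems
Manager setup described on this page.

Illustrative example added to the page, not AWS's own calculator. Unit prices
and free tiers are the US East (Ohio) figures quoted above; the Lambda and
Systems Manager free-tier figures are the ones the case tables use.
"""


def tiered_cost(quantity, tiers):
    """Graduated pricing: each tier's units are charged at that tier's price.

    tiers: list of (tier_size, unit_price); a tier_size of None means
    'all remaining units'.
    """
    cost = 0.0
    remaining = quantity
    for size, price in tiers:
        if remaining <= 0:
            break
        units = remaining if size is None else min(remaining, size)
        cost += units * price
        remaining -= units
    return cost


# Security Hub, per account per region per month
SECURITY_HUB_CHECK_TIERS = [(100_000, 0.0010), (400_000, 0.0008), (None, 0.0005)]
SECURITY_HUB_FINDING_TIERS = [(10_000, 0.0), (None, 0.00003)]

# AWS Config (continuous recording); the page applies the same $0.001 first
# tier to conformance-pack evaluations as to rule evaluations
CONFIG_ITEM_PRICE = 0.003
CONFIG_RULE_EVAL_TIERS = [(100_000, 0.001), (400_000, 0.0008), (None, 0.0005)]

# AWS Lambda (x86), figures used in the case tables
LAMBDA_FREE_GB_S = 400_000
LAMBDA_GB_S_PRICE = 0.0000166667
LAMBDA_FREE_REQUESTS = 1_000_000
LAMBDA_PRICE_PER_MILLION_REQUESTS = 0.20

# AWS Systems Manager Automation, figures used in the case tables
SSM_FREE_STEPS = 100_000          # basic steps per account per month
SSM_STEP_PRICE = 0.002            # per billable basic step
SSM_FREE_SCRIPT_SECONDS = 5_000   # aws:executeScript free tier
SSM_SCRIPT_SECOND_PRICE = 0.00003


def security_hub_cost(checks, findings, regions, accounts):
    """Security checks and finding-ingestion events, tiered per account/region."""
    per_account_region = (tiered_cost(checks, SECURITY_HUB_CHECK_TIERS)
                          + tiered_cost(findings, SECURITY_HUB_FINDING_TIERS))
    return per_account_region * regions * accounts


def config_cost(config_items, rule_evaluations, conformance_evaluations):
    """Configuration items plus rule and conformance-pack evaluations."""
    return (config_items * CONFIG_ITEM_PRICE
            + tiered_cost(rule_evaluations, CONFIG_RULE_EVAL_TIERS)
            + tiered_cost(conformance_evaluations, CONFIG_RULE_EVAL_TIERS))


def lambda_cost(invocations, memory_mb, avg_duration_ms):
    """GB-seconds above the free tier plus requests above the free tier."""
    gb_seconds = invocations * (avg_duration_ms / 1000) * (memory_mb / 1024)
    compute = max(gb_seconds - LAMBDA_FREE_GB_S, 0) * LAMBDA_GB_S_PRICE
    billable_requests = max(invocations - LAMBDA_FREE_REQUESTS, 0)
    requests = billable_requests / 1_000_000 * LAMBDA_PRICE_PER_MILLION_REQUESTS
    return compute + requests


def ssm_cost(steps_per_account, accounts, script_seconds):
    """Basic steps above the per-account free tier plus aws:executeScript time.

    Mirrors the page's tables: the step count is multiplied by the number of
    accounts, while the script duration is a single deployment-wide total.
    """
    steps = max(steps_per_account - SSM_FREE_STEPS, 0) * SSM_STEP_PRICE * accounts
    duration = max(script_seconds - SSM_FREE_SCRIPT_SECONDS, 0) * SSM_SCRIPT_SECOND_PRICE
    return steps + duration


def scenario_total(*, regions, accounts, checks, findings, config_items=0,
                   rule_evaluations=0, conformance_evaluations=0,
                   invocations=0, memory_mb=128, avg_duration_ms=0,
                   steps_per_account=0, script_seconds=0):
    """Sum the components; EventBridge forwarding of Security Hub events is $0."""
    return (security_hub_cost(checks, findings, regions, accounts)
            + config_cost(config_items, rule_evaluations, conformance_evaluations)
            + lambda_cost(invocations, memory_mb, avg_duration_ms)
            + ssm_cost(steps_per_account, accounts, script_seconds))


if __name__ == "__main__":
    # Case 2 from the page: 2 regions, 20 accounts (expected $72.75)
    total = scenario_total(regions=2, accounts=20, checks=500, findings=10_000,
                           config_items=1_000, rule_evaluations=5_000,
                           conformance_evaluations=1_500, invocations=3_000_000,
                           memory_mb=128, avg_duration_ms=120,
                           steps_per_account=101_000, script_seconds=100_000)
    print(f"Case 2 estimated monthly cost: ${total:.2f}")
```

Feed it your real per-account volumes rather than the page's round numbers; the tiered functions handle accounts that exceed the first 100,000 checks or 10,000 findings, which the hand calculations above never reach.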