- AWS Security Hub
- AWS Security Hub Pricing
AWS Security Hub Pricing
Prioritizes your critical security issues and helps you respond at scale
Pricing Overview
AWS Security Hub prioritizes your critical security issues and unifies your security operations to help you respond at scale. It detects critical issues by correlating and enriching signals across multiple AWS security services, for example, from Amazon GuardDuty for threat detection and Amazon Inspector for vulnerability management. This enables you to surface and prioritize risks in your environment. Security Hub transforms signals into actionable insights that reduce security risks, improve your team's productivity, and protect your environment.
The Essentials plan is the default level of coverage included with Security Hub. It provides risk analytics, vulnerability management, security posture management, and security response management. Additional coverage is available through enhanced capabilities.
Pricing Details
-
Essentials plan
-
Add-on capabilities
-
Extended plan
-
Essentials plan
-
The Essentials plan provides risk analytics, vulnerability management, security posture management, and security response management. It is the default level of coverage included with Security Hub. Essentials plan charges are based on all monitored resources, regardless of which capabilities you use.
Essentials plan
CapabilityPowered byStandard pricingSecurity Hub Essentials planPricing approachAWS Security Hub
Pay for each security feature separately
Consolidated per- resource pricing (unlimited scans)
Risk and exposure analyticsAWS Security Hub
Not available
Included
Resource inventoryAWS Security Hub
Not available
Included
Workflow automationAWS Security Hub
Not available
Included
Automation rulesAWS Security Hub CSPM
Per one million rule evaluations
Included
Finding ingestion eventsAWS Security Hub CSPM
First 10,000 free; Over 10,000 per event
Included
Posture management (CSPM)AWS Security Hub CSPM
Per check
Included
EC2 vulnerability scanningAmazon Inspector
Per instance
Included
EC2 CIS Benchmark assessmentAmazon Inspector
Per assessment per instance
Included
ECR vulnerability scanningAmazon Inspector
Per image (on-push);
Per rescan (retained images)Included
Lambda vulnerability scanningAmazon Inspector
Per Lambda function
Included
Pricing is pro-rated based on the time resources are monitored per month. For detailed information on how pricing is calculated, see our FAQ.
Even though all supported resources are monitored for security risk, per-resource pricing only applies to four primary resource types: EC2 instances, ECR container images, Lambda functions, and IAM users and roles. All other monitored resources are included.
Pricing is anchored on Amazon EC2 instances as 1 resource unit, with AWS Lambda functions at 1/12 of a resource unit (12 functions = 1 resource unit), Amazon ECR container images at 1/18 of a resource (18 images = 1 resource unit), and AWS IAM users and roles at 1/125 of a resource (125 IAM resources = 1 resource unit).
-
Add-on capabilities
-
Add-on capabilities are optional enhancements to your essentials plan. Each add-on is priced separately based on usage and requires the essentials plan to be enabled.
- Threat analytics powered by Amazon GuardDuty detects potential security threats and unauthorized activities across your AWS environment. Charges are based on the volume of events and data processed per month.
Threat analytics
CapabilityPowered byStandard pricingSecurity Hub threat analytics (requires Security Hub essentials)CloudTrail threat analyticsAmazon GuardDuty
Per one million events
Per one million events
VPC & DNS logs threatAmazon GuardDuty
Per GB
Per GB
EC2/EBS malware protectionAmazon GuardDuty
Per GB
Included
S3 threat analyticsAmazon GuardDuty
Per one million events
Per GB
EKS threat analyticsAmazon GuardDuty
Per one million events
Per GB
Lambda threat analyticsAmazon GuardDuty
Per GB
Per GB
- Lambda code scanning powered by Amazon Inspector identifies security vulnerabilities in Lambda function code. Charges are based on the number of Lambda functions scanned per month.
AWS Lambda code scanning
CapabilityPowered byStandard pricingLambda code scanning (requires Security Hub Essentials plan)Lambda code scanningAmazon Inspector
Per Lambda function
Per Lambda function
Note: When you enable Security Hub, billing for included capabilities is consolidated through Security Hub streamlined pricing. All other AWS security service capabilities (including remaining Amazon GuardDuty and Amazon Inspector capabilities) not included in Security Hub plans retain their original service billing.
-
Extended plan
-
The Extended plan adds enterprise security with curated partner solutions across endpoint, identity, email, network, data, browser, cloud, artificial intelligence, and security operations. Charges are based on the specific curated partner solutions you enable, with pricing varying by security category and usage dimension. Pay-as-you-go pricing applies with no upfront commitment. Select a category below to view available solutions and pricing.
-
Endpoint
-
Identity
-
Email
-
Network
-
Data
-
Browser
-
Cloud
-
Artificial Intelligence
-
Security Operations
-
Endpoint
-
Endpoint
Protect endpoints with AI-powered detection & response that feeds directly into Security Hub.
CategoryCurated partner solutionPricing dimensionPriceEndpointCrowdStrike (Falcon for Endpoint)
Per endpoint per month
$9.75 (Fargate Container Protection);
$13 (Workstations); $16.25 (Servers);
$22.75 (Host protection); $52 (Container cluster and node)CrowdStrike — Falcon for Endpoint Unifies next-generation antivirus, endpoint detection and response, and cloud workload protection through a single lightweight sensor that deploys in minutes. AI-powered prevention stops threats before damage occurs across workstations, servers, VMs, containers, and serverless workloads on AWS, Azure, OCI, and GCP.
-
Identity
-
Identity
Centralize IAM across your enterprise with authentication, privileged access, and governance.
CategoryCurated partner solutionPricing dimensionPriceIdentity Access Management (IAM)Okta (Workforce Identity for AWS)
Per user per month
$20 (10 users minimum)
Privileged Access Management (PAM)Britive (Privilege Access Management)
Per identity per month
$26 (NHI 1/10 of an identity);
10 minimum)Identity Governance and Administration (IGA)SailPoint (Identity Security Accelerator)
Per identity per month
$5.65 (2,500 minimum)
Identity Governance and Administration (IGA)Opti (AI-Native Identity)
Per human identity per month
$4.65 (2,000 human identity min;
All NHI are no additional charge)Okta — Workforce Identity for AWS Unified identity solution securing employees, contractors, and partners through Single Sign-On, Phishing-Resistant MFA, and Universal Directory as a single source of truth across AD and HR systems. Includes Silver Support and five automated Workflows.
Britive — Privilege Access Management Cloud-native PAM for human, agentic AI, and non-human identities that enforces zero standing privileges through dynamic, ephemeral access that auto-revokes when tasks complete. No endpoint software or architecture changes required.
SailPoint — Identity Security Accelerator AI-powered solution combining governance engine with end-to-end application discovery, risk-based prioritization, and zero-touch onboarding. Bring hundreds of apps under governance in days, not months.
Opti — AI-Native Identity Continuously monitors, analyzes, and remediates excessive permissions across human, non-human, and agentic identities in real time. Delivers OCSF-compliant findings directly into Security Hub, eliminating manual access reviews.
-
Email
-
Email
Defend the email attack surface with advanced threat detection.
CategoryCurated partner solutionPricing dimensionPriceEmailProofpoint (Collaboration Protection)
Per user per month
$5.00 (750 users minimum)
Proofpoint — Collaboration Protection Deploys in under 48 hours with 99.999% efficacy powered by the Nexus AI threat detection stack combining threat intelligence, ML, relationship graphs, LLMs, and computer vision. Stops BEC, AI-driven exploits, ransomware, email bombing, callback phishing, and advanced social engineering.
-
Network
-
Network
Secure access to private applications with zero trust architecture to mitigate lateral movement.
CategoryCurated partner solutionPricing dimensionPriceNetworkZscaler SSE (Private Access Platform)
Per seat per month
$545 (0-50 Flat fee);
$10.50 (51-100 seats);
$9.50 (101-1000 seats);
$8.25 (1001+ seats)Zscaler SSE — Private Access AI-powered Zero Trust Network Architecture delivering direct connectivity to private applications while minimizing attack surface, eliminating lateral movement through AI-powered user-to-app segmentation, and protecting against sophisticated attacks with integrated traffic inspection.
-
Data
-
Data
Discover, classify, & protect data across the environment with automated posture management.
CategoryCurated partner solutionPricing dimensionPriceDataCyera (DSPM + Datawatcher)
Per TB per month
$73 (250-500 TB);
$65 (501-1000 TB);
$53 (1001+ TB);
Required minimum of 250 TB;
Datawatcher 12% of total spendCyera DSPM + Datawatcher — Autonomously discovers and classifies sensitive data across IaaS and DBaaS, correlates access and exposure risk, and drives prioritized remediation at scale. Optional Datawatcher add-on provides expert-led risk analysis and ongoing support.
-
Browser
-
Browser
Protect your workforce with enterprise browser security that deploys in minutes.
CategoryCurated partner solutionPricing dimensionPriceBrowserIsland (Safe browsing and AI protection)
Per user per month
$8.50
Island Safe Browsing and AI Protection — Transforms Chrome and Edge into secure work environments through a lightweight extension with inline URL categorization, real-time malware inspection, and advanced anti-phishing protection. AI Protection provides policy controls over AI apps, prompts, and behavior.
-
Cloud
-
Cloud
Strengthen your security posture with runtime-powered protection across your cloud infrastructure.
CategoryCurated partner solutionPricing dimensionPriceCloudUpwind (Cloud Security)
Per resource per month
$3.75
Upwind Cloud Security — Cloud-native application protection leveraging runtime context across posture management, detection and response, vulnerability management, data security, and AI security. Real-time protection across AWS, other clouds, and on-premises.
-
Artificial Intelligence
-
Artificial Intelligence
Secure AI models, pipelines, and runtime environments with purpose-built protection for AI & agents.
CategoryCurated partner solutionPricing dimensionPriceArtificial IntelligenceNoma (AI-SPM + Discovery) (Noma Red Teaming) (Noma Runtime Protection)
Per resource per month; per test/month million tokens/mo
$130 resource/month (125 minimum);
$650 test/month (167 minimum);
$8/million tokens/mo (hybrid)|(3,500 minimum);
$16/million tokens/mo (hosted)|(1,750 minimum)Artificial IntelligenceOligo (AI Runtime Security)
Per host per month
$46 (100 host min)
Noma AI-SPM + Discovery, Red Teaming, Runtime Protection — AI security purpose-built for AI and agents across homegrown applications, SaaS agents, and developer environments. Three core capabilities: posture management to discover assets, red teaming to test against adversarial attacks, and runtime protection to block threats like prompt injection.
Oligo AI Runtime Security — Unified sensor combining AI Security Posture Management and AI Detection & Response for continuous monitoring of model behavior, supply chain risks, and runtime anomalies. Monitors agent tool calls in real time to detect adversarial manipulation and hallucination.
-
Security Operations
-
Security Operations
Accelerate threat detection and response with enterprise-grade SIEM and agentic response.
CategoryCurated partner solutionPricing dimensionPriceSecurity OperationsSplunk (Enterprise Security for Security Hub)
Per Splunk Virtual Compute (SVC) per month. Monthly storage in 500GB blocks
10-49 SVCs: $1,600 per SVC per month;
50-99 SVCs: $1,025 per SVC per month;
100-199 SVCs: $845 per SVC per month;
200-499 SVCs: $730 per SVC per month;
500+ SVCs: $525 per SVC per month;Storage in increments of 500GB blocks: $110 per 500GB block per month
Pricing Additional Details:
- Note: Requires Min. Purchase of 10 SVCs.
- Splunk prices differ by region.
Find below region-specific uplifts:
AMER 1.0x | EMEA 1.15x | ANZ 1.25x | APAC 1.5xSecurity Operations7AI (Agentic Security Platform)
Per alert analyzed per month
$20
Splunk — Enterprise Security Essentials Fuses AWS Security Hub's high-fidelity insights with Splunk's security monitoring and analytics, elevating AWS findings as native Splunk findings in near real-time. Enriches findings with a proprietary correlation engine, AI, and threat intelligence to significantly reduce mean time to detect.
7AI — Agentic Security Operations Autonomous security operations through dynamic AI agents that run full investigations in minutes with expert-level reasoning. Optimizes detection rules to reduce false positives and proactively hunts for threats across cloud, identity, endpoint, network, and DLP sources.
-
Estimate your costs before you start
Before enabling Security Hub, use the Security Hub Cost Estimator to understand your total estimated spend across your entire organization. This tool analyzes your actual AWS resources and current security service usage to provide accurate cost projections across all your accounts and regions. This estimator does not include Extended plan pricing. See how Security Hub streamlined pricing compares to your current individual service costs, identify potential savings, and plan your security budget with confidence—all before starting your free trial.
AWS Security Hub Free Trial Summary
Try AWS Security Hub at no cost with a 30-day free trial that includes essentials plan capabilities. Every AWS account in each Region enabled with Security Hub receives a free trial, even if you previously used AWS Security Hub CSPM or Amazon Inspector free trials. Add-on capabilities (threat analytics powered by Amazon GuardDuty and AWS Lambda code scanning powered by Amazon Inspector) and the Extended plan are not included in the Security Hub free trial, though individual service free trials still apply if you have not used them previously. To help you plan ahead, use the Security Hub Cost Estimator to calculate your expected costs before enabling the service. During the free trial, you can monitor your usage through your AWS billing console to estimate your ongoing costs based on actual usage during the free trial.
Benefits
The Security Hub essentials plan is the default level of coverage you receive when you enable Security Hub and is required for all Security Hub functionality. It provides security capabilities including risk and exposure analytics, vulnerability management, security posture management, and security response management.
Gain streamlined vulnerability management with unified resource pricing for EC2 instance scans (both agent based and agentless), unlimited CIS Benchmark assessments, predictable ECR container image monitoring costs, and flat monthly Lambda function monitoring rates. This consolidation eliminates the complexity of managing multiple pricing models while providing more comprehensive vulnerability coverage.
Benefit from transitioning from usage-based to resource-based pricing while gaining more comprehensive vulnerability correlation capabilities, unlimited security checks and finding ingestions, and enhanced compliance monitoring against industry standards with automatic correlation to Amazon Inspector vulnerability data. This shift provides cost predictability while expanding security capabilities.
The threat analytics powered by Amazon GuardDuty is available as an add-on that enhances your essentials plan by identifying active threats. When you enable the threat analytics plan, you benefit from the Security Hub consolidated pricing model while gaining enhanced risk context through automatic correlation of threat detection findings with vulnerability and compliance data from the essentials plan.
The Extended plan adds curated partner solutions across nine security categories: endpoint, identity, email, network, data, browser, cloud, artificial intelligence, and security operations. Simplify procurement with one bill, consolidated support, and pay-as-you-go pricing with no upfront commitment. Enable solutions directly from the Security Hub console, start with what you need, and expand coverage as your security needs evolve, extending protection beyond AWS to your multicloud and on-premises environments.
Beyond cost consolidation, the Security Hub essentials plan transforms security operations through automatic correlation of vulnerability findings with compliance checks, reducing alert noise through exposure prioritization. Security teams can focus on contextualized risks that combine threats and vulnerability severity with network exposure and misconfiguration gaps, all while benefiting from centralized operations, automated remediation workflows, and the flexibility to expand into more comprehensive coverage as security needs evolve.
Pricing Examples
Example 1: Small to medium organization
You have one AWS Region, US East (N. Virginia), and one account in your AWS deployment. In one month, your Security Hub environment analyzes 2 million CloudTrail management events, 800 GB of data events, network activity, and other logs, and monitors 500 EC2 instances for security risks.
Monthly cost calculation:
Security Hub essentials plan
EC2 instances: 500 × 1 unit = 500 units
Security Hub essentials plan total: 500 resource units × $3.75 per resource = $1,875.00
Threat analytics
CloudTrail management events: 2 million events at $4.00 per million events = $8.00
Data events, network activity, and other logs: 800 GB at $0.55 per GB (first 1,000 GB tier) = $440.00
Threat analytics total: $8+$440 = $448.00
Total monthly cost = $2,323.00
Example 2: Large organization
You have a large enterprise AWS deployment with a mix of different resource types. In one month, your Security Hub environment processes 100 million CloudTrail management events, 500 TB of security data from logs and events, and monitors a diverse set of AWS resources: 1,000 EC2 instances, 1,800 container images, 1,200 Lambda functions, and 120 IAM users.
Monthly cost calculation:
Security Hub essentials plan
EC2 instances: 1,000 × 1 unit = 1,000 units
ECR container images: 1,800 × 1/18 unit = 100 units
Lambda functions: 1,200 × 1/12 unit = 100 units
IAM users and roles: 1,250 × 1/125 unit = 10 units
Total resource units: 1,000 + 100 + 100 + 10 = 1,210 units
Security Hub essentials plan total: = 1,210 resource units × $3.75 per resource = $4,537.50
Threat analytics
CloudTrail management events: 100 million events at $4.00 per million events = $400.00 Data events, network activity, and other logs:
For 500 TB (512,000 GB total), the calculation is:
first 1,000 GB at $0.55 per GB = $550.00
next 9,000 GB at $0.25 per GB = $2,250.00
and remaining 502,000 GB at $0.10 per GB = $50,200.00
Total= $53,000.00
Threat analytics total: $400 + $53,000= $53,400.00
Total monthly cost = $57,937.50
Pricing Resources
FAQs
Open allSecurity Hub offers a 30-day free trial that includes Security Hub essentials plan capabilities, which uses resource-based pricing. Every AWS account in each Region receives a free trial, and you remain eligible even if you previously used AWS Security Hub CSPM or Amazon Inspector free trials. Add-on capabilities including threat analytics by Amazon GuardDuty and AWS Lambda code scanning powered by Amazon Inspector and the Extended plan are not included in the Security Hub free trial. After the free trial, costs are based on the AWS resources you monitor (EC2 instances, container images, Lambda functions, IAM users/roles) and threat analytics usage (CloudTrail events and log data volume).
Security Hub offers the Essentials plan as the default, with the ability to add Threat Analytics or Lambda Code Scanning capabilities as needed. The Essentials plan includes risk analytics, vulnerability management, security posture management, and security response management. Threat Analytics adds Amazon GuardDuty-powered monitoring of AWS account activity, VPC flow logs, DNS logs, and other security data. The Extended plan adds enterprise security with curated partner solutions across endpoint, identity, email, network, data, browser, cloud, artificial intelligence, and security operations. See the plan details section for complete feature descriptions.
- Risk and exposure analytics - Automatically identifies and prioritizes your most critical security issues by correlating findings across your environment, helping you focus on what matters most and respond faster to threats.
- Vulnerability management - Continuously scans your EC2 instances, container images, and Lambda functions for software vulnerabilities and configuration weaknesses, enabling you to remediate security gaps before they can be exploited.
- Security posture management - Evaluates your AWS environment against industry security standards and best practices to identify misconfigurations, helping you maintain compliance and reduce your attack surface.
- Security response management - Provides a centralized view of your security findings with automated workflows, enabling your team to investigate and remediate issues more efficiently across your entire AWS environment.
The Security Hub essentials plan delivers security protection across four key areas:
Together, these capabilities help you reduce security risks, improve team productivity, and maintain a strong security posture across your cloud infrastructure.
Yes, Security Hub monitors all relevant AWS resources in your environment to provide more comprehensive security coverage. Essentials plan pricing is based on four resource types: EC2 instances, ECR container images, Lambda functions, and IAM users and roles. This simplified pricing model makes it easier to estimate and manage your Security Hub costs.
No, you don't need both plans. The Security Hub essentials plan is the default level of coverage you receive when you enable Security Hub and is required for all Security Hub functionality. It provides security capabilities including risk and exposure analytics, vulnerability management, security posture management, and security response management. The threat analytics plan is an add-on that enhances your essential plan with threat monitoring capabilities powered by Amazon GuardDuty.
The threat analytics plan cannot be used alone - it requires the Security Hub essentials plan as its foundation. You can start with just the essentials plan and add threat analytics capabilities later as your security monitoring needs evolve.
AWS provides a cost estimation tool to help you estimate Security Hub costs before enabling the service. This estimator covers the Essentials plan and add-on capabilities (Threat Analytics and Lambda code scanning) but does not include Extended plan pricing. See Security Hub Cost Estimator page for more details.
The Security Hub essentials plan combines Amazon Inspector and AWS Security Hub CSPM capabilities into a single, predictable resource-based pricing model that simplifies costs while enhancing security operations.
Existing Amazon Inspector customers gain streamlined vulnerability management with unified resource pricing for EC2 instance scans (both agent based and agentless), unlimited CIS Benchmark assessments, predictable ECR container image monitoring costs, and flat monthly Lambda function monitoring rates. This consolidation eliminates the complexity of managing multiple pricing models while providing comprehensive vulnerability coverage.
Security Hub CSPM customers benefit from transitioning from usage-based to resource-based pricing while gaining more comprehensive vulnerability correlation capabilities, unlimited security checks and finding ingestions, and enhanced compliance monitoring against industry standards with automatic correlation to Amazon Inspector vulnerability data. This shift provides cost predictability while expanding security capabilities.
Beyond cost consolidation, the Security Hub essentials plan transforms security operations for all customers through automatic correlation of vulnerability findings with compliance checks, reducing alert noise through exposure prioritization. Security teams can focus on contextualized risks that combine vulnerability severity with network exposure and compliance gaps, all while benefiting from centralized operations, automated remediation workflows, and the flexibility to expand into more comprehensive threat detection as security needs evolve.
Existing billing for security services seamlessly transitions to Security Hub streamlined pricing with no action required. You'll receive consolidated charges under Security Hub instead of separate service bills for the capabilities included in Security Hub plans.
Security Hub provides account-level flexibility within AWS Organizations. When you enable Security Hub in an account, that account receives streamlined pricing across security services. When you don't enable Security Hub in an account, that account uses individual service pricing for each security service. This means within a single AWS Organization, you can have some accounts using Security Hub streamlined pricing model while other accounts continue with individual service pricing, determined at the account level based on whether Security Hub is enabled in that specific account.
EC2 instances: Average number of EC2 instances = (total hours of active instances / number of hours in a month, i.e., 720 hours). For example, you have 3 instances that were active for different amounts of time during a month: The first for 360 hours, the second for 350 hours, and the third for 10 hours, adding up to a total of 720 hours of active instances. Therefore, 720 hours total of instances being scanned that month / 720 hours in the month = 1 average EC2 instance.
Container images: Number of container images scanned = Number of container images pushed to Amazon ECR each month plus number of container images that are in scope for re-scanning during the month, based on Amazon Inspector re-scan configuration. Amazon Inspector performs an initial scan of each container image pushed to Amazon ECR. Additionally, Amazon Inspector re-scans container images for new vulnerabilities based on the time frames you configure for image push date, image pull date, and image last in-use date. Example: You have 5,000 images in your Amazon ECR repository and push 500 additional images to Amazon ECR in a month. You have configured image monitoring for 14 days based on the last in-use date. During the month, 75 container images from the repository are deployed to Amazon ECS or Amazon EKS clusters. Amazon Inspector monitors and charges based on the actual duration each image is monitored within your configured window - this includes both the 75 active images while they remain in use and the 500 newly pushed images for their respective monitoring periods. Note that charges apply only for the time each image is actually monitored (up to 14 days by default), not necessarily for the entire month, and this monitoring period can be customized based on your needs.
Lambda functions: Eligible Lambda functions are based on functions marked $LATEST and were invoked or updated in the last 90 days. Average number of Lambda functions = (total hours of Security Hub coverage for a Lambda function)/ (number of hours in a month, i.e., 720 hours). Security Hub coverage hours represent the time from when the Lambda function is deployed to the time it is deleted.
Example: You have 3 deployed Lambda functions that were monitored by Security Hub for different amounts of time during a month: The first for 720 hours, the second for 350 hours, and the third for 10 hours, adding up to a total of 1,080 hours of deployed Lambda functions being scanned. Therefore, 1,080 hours total of Lambda functions being scanned that month / 720 hours in the month = 1.5 average Lambda functions.
IAM users and roles: Average number of IAM users and roles = Number of IAM users or roles that existed during the month, prorated daily.
Capabilities not explicitly listed in the Security Hub plans continue to be billed through their original services. For example, you will only receive GuardDuty billing for any remaining GuardDuty capabilities that are not included in the threat analytics plan.
Yes, individual services like Amazon Inspector, GuardDuty, and Security Hub CSPM remain available with their standard pricing when Security Hub is not enabled.
The Security Hub Extended plan adds enterprise security with curated partner solutions across endpoint, identity, email, network, data, browser, cloud, artificial intelligence, and security operations. Extended plan charges are based on the specific partner solutions you enable, with pricing varying by security category and usage dimension. Unlike the Essentials plan, which uses resource-based pricing anchored on AWS resources, Extended plan pricing is solution-specific and based on dimensions appropriate to each security category — such as per user, per endpoint, or per TB. You can add the Extended plan to enhance your Security Hub coverage beyond AWS environments to your entire organization.