Amazon Inspector is an automated and continual vulnerability scanning service that assesses Amazon Elastic Compute Cloud (EC2) instances, AWS Lambda functions, and container images to improve the security and compliance of infrastructure workloads. Your monthly costs are determined based on the different workloads scanned:
Amazon EC2 instance scans: Each EC2 instance is continually scanned for software vulnerabilities and unintended network exposure. Total monthly cost is based on the average* number of EC2 instances assessed within a month. For instances that are run intermittently, the price is prorated based on total time run within a month.
Amazon ECR container image scans: Each container image pushed to Amazon ECR that is configured for Amazon Inspector scanning is assessed for software vulnerabilities. Total monthly cost is based on a combination of the number of images initially scanned when pushed into Amazon ECR and the number of times those images are rescanned per month.
AWS Lambda standard scans: Each deployed Lambda function is continually assessed for software package vulnerabilities. Total monthly cost is based on the average number of Lambda functions scanned per month. The price is prorated based on total Amazon Inspector coverage hours (the number of hours from when the function was discovered by Amazon Inspector, to when it was deleted or excluded from scanning) for Lambda functions within a month.
With Amazon Inspector, you pay only for what you use, with no minimum fees and no upfront commitments.
All accounts new to Amazon Inspector are eligible for a 15-day free trial to evaluate the service and estimate its cost. During the trial, all eligible Amazon Elastic Compute Cloud (EC2) instances, AWS Lambda functions, and container images pushed to Amazon Elastic Container Registry (ECR) are continually scanned at no cost.
Additionally, you can review estimated spend in the Amazon Inspector console, including aggregated organization-wide spend in the central Amazon Inspector administrator account. This way, you can understand and estimate the cost of using Amazon Inspector for automated and continual vulnerability scans across EC2, Amazon ECR, and Lambda functions for your entire organization before moving to paid usage.
*Average number of EC2 instances = (total hours of active, supported instances being scanned) / (number of hours in a month, i.e., 720 hours). For example, you have 3 supported instances that were active and being scanned for different amounts of time during a month: The first for 360 hours, the second for 350 hours, and the third for 10 hours, adding up to a total 720 hours of active, supported instances being scanned. Therefore, 720 hours total of instances being scanned that month / 720 hours in the month = 1 average EC2 instance.
**Average number of Lambda Functions = (total hours of Amazon Inspector coverage for a Lambda function) / (number of hours in a month, i.e., 720 hours). For example, you have 3 deployed Lambda functions that were scanned for different amounts of time during a month: The first for 720 hours, the second for 350 hours, and the third for 10 hours, adding up to a total 1080 hours of deployed Lambda functions instances being scanned. Therefore, 1080 hours total of Lambda functions being scanned that month / 720 hours in the month = 1.5 average Lambda functions.
Pricing examples
Example 1: Amazon EC2 instance scanning
You enter a new billing month for your US East (N. Virginia) deployment featuring 10 Amazon EC2 instances with the AWS Systems Manager agent installed and configured for Amazon Inspector scanning. These instances run all month. Additionally, 10 more instances are launched and continually scanned with Amazon Inspector during this monthly billing period. However, each of these new instances is active for only 15 days during the billing period. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:
10 EC2 instances scanned for all 30 days at $1.25 each = 10 * $1.25 = $12.50
10 EC2 instances scanned for only 15 days, resulting in an average of 5 instances, at $1.25 each = 5 * $1.25 = $6.25
For the month, your Amazon Inspector bill would be $18.75.
Example 2: Amazon ECR container image with continual scanning
You enter a new billing month for your US East (N. Virginia) deployment with 500 previously pushed, scanned, and retained container images from the last 30 days in an ECR repository configured for continual scanning. You also push 1,000 new container images to the same repository during the month. Your costs will include the 1,000 new container images initially scanned when they are pushed into ECR as well as a charge for rescanning the total of 1,500 retained container images. For this month, there were updates to the Amazon Inspector vulnerability database, which invoked 15 rescans. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:
1,000 newly pushed container images initially scanned at $0.09 each = 1,000 * $0.09 = $90.00
(1,000 newly pushed container images + 500 previously pushed and scanned container images already in the repository = 1,000 + 500 = 1,500 total images in the repository)
1,500 images, each rescanned an average of 15 times, at $0.01 per rescan = 1,500 * 15 * $0.01 = $225.00
For the month, your Amazon Inspector bill would be $315.00.
Example 3: Amazon ECR container image with on-push scanning
You enter a new billing month for your US East (N. Virginia) deployment with 500 previously pushed, scanned, and retained container images in an Amazon ECR repository configured for on-push scanning. You push 1,000 new container images to the same repository during the month. Your costs will include only the 1,000 new container images scanned when they are pushed into Amazon ECR. Since the repository is configured for on-push scanning, there will be no rescans and therefore no additional charges. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:
1,000 newly pushed container images initially scanned at $0.09 each = $90.00
(There is no charge for the 500 previously scanned images.)
For the month, your Amazon Inspector bill would be $90.00.
Example 4: AWS Lambda function basic scanning
You enter a new billing month for your US East (N. Virginia) with 20 Lambda functions deployed. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:
10 Lambda functions scanned for all 30 days at $0.30 per function = $3.00
10 Lambda functions scanned for only 15 days (i.e., deleted after 15 days) at $0.30 per function = $1.50
(There is no additional charge for rescanning)
For the month, your Amazon Inspector bill would be $4.50.
Additional pricing resources
Easily calculate your monthly costs with AWS
Contact AWS specialists to get a personalized quote
Find links to our developer's guide, helpful video, and console guides.
Get started building with Amazon Inspector in the AWS Management Console.