Amazon Inspector is an automated and continual vulnerability scanning service that assesses Amazon Elastic Compute Cloud (EC2) instances, AWS Lambda functions, and container images in Amazon ECR and within continuous integration and continuous delivery (CI/CD) tools to improve the security and compliance of infrastructure workloads. Your monthly costs are determined based on the different workloads scanned:

Amazon EC2 instance scans: Each EC2 instance is continually scanned for software vulnerabilities and unintended network exposure. This applies to both agent-based and agentless scanning. The total monthly cost is based on the average* number of EC2 instances assessed within a month. For instances that are run intermittently, the price is prorated based on total time run within a month.

Amazon EC2 CIS Benchmark assessment: Amazon Inspector supports the Center for Internet Security's CIS Benchmarks. It supports on-demand and targeted assessments against OS-level CIS configuration benchmarks for Amazon EC2 instances. The cost for CIS Benchmark assessment for operating systems in Amazon EC2 instances is charged per assessment per instance.

Amazon ECR container image scans: Each container image pushed to Amazon ECR that is configured for Amazon Inspector scanning is assessed for software vulnerabilities. Total monthly cost is based on a combination of the number of images initially scanned when pushed into Amazon ECR and the number of times those images are rescanned per month.

On-demand container image scanning (includes scans initiated within CI/CD tools and by Amazon Inspector): Each container image is assessed within developer tools like Jenkins and TeamCity for software vulnerabilities. The cost is based on the number of images scanned in CI/CD tools per month, as well as the cost for on-demand scanning outside of CI/CD tools.

AWS Lambda standard scans: Each deployed Lambda function is continually assessed for software package vulnerabilities. Total monthly cost is based on the average number of Lambda functions scanned per month. The price is prorated based on total Amazon Inspector coverage hours (the number of hours from when the function was discovered by Amazon Inspector, to when it was deleted or excluded from scanning) for Lambda functions within a month.

AWS Lambda code scans: Each deployed Lambda function is continually assessed for code vulnerabilities, such as injection flaws and embedded secrets in the application code you write. The total monthly cost is based on the average number of Lambda functions scanned per month. The price is prorated based on total Amazon Inspector coverage hours for the scanned functions within a month. The number of hours reflects the duration from when the function was discovered by Amazon Inspector until the function was deleted or excluded from scanning.

With Amazon Inspector, you pay only for what you use, with no minimum fees and no upfront commitments.

Free Trial

All accounts new to Amazon Inspector are eligible for a 15-day free trial to evaluate the service and estimate its cost. During the trial, all eligible Amazon Elastic Compute Cloud (EC2) instances, AWS Lambda functions, and container images pushed to Amazon Elastic Container Registry (ECR) are continually scanned at no cost. For on-demand container image scanning within CI/CD tools, you receive one-time free usage for 25 image assessments per account. Note: CIS Benchmark assessments are not included in the 15-day free trial.

Additionally, you can review estimated spend in the Amazon Inspector console, including aggregated organization-wide spend in the central Amazon Inspector administrator account. This way, you can understand and estimate the cost of using Amazon Inspector for automated and continual vulnerability scans across EC2, Amazon ECR, and Lambda functions for your entire organization before moving to paid usage.

*Average number of EC2 instances = (total hours of active, supported instances being scanned) / (number of hours in a month, i.e., 720 hours). For example, you have 3 supported instances that were active and being scanned for different amounts of time during a month: The first for 360 hours, the second for 350 hours, and the third for 10 hours, adding up to a total 720 hours of active, supported instances being scanned. Therefore, 720 hours total of instances being scanned that month / 720 hours in the month = 1 average EC2 instance.

**Average number of Lambda functions = (total hours of Amazon Inspector coverage for a Lambda function) / (number of hours in a month, i.e., 720 hours). Amazon Inspector coverage hours mean the time from when a Lambda function is deployed to the time it is deleted or excluded from Amazon Inspector scanning. For example, you have 3 deployed Lambda functions that were monitored by Amazon Inspector for different amounts of time during a month: the first for 720 hours, the second for 350 hours, and the third for 10 hours, adding up to a total of 1080 hours of deployed Lambda functions being scanned. Therefore, 1080 hours total of Lambda functions being scanned that month / 720 hours in the month = 1.5 average Lambda functions.

Pricing examples

Example 1: Amazon EC2 instance scanning
You enter a new billing month for your US East (N. Virginia) deployment featuring 10 Amazon EC2 instances with the AWS Systems Manager agent installed and configured for Amazon Inspector scanning. These instances run all month. Additionally, 10 more instances are launched and continually scanned with Amazon Inspector during this monthly billing period. However, each of these new instances is active for only 15 days during the billing period. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

10 EC2 instances scanned for all 30 days at $1.258 each = 10 * $1.258 = $12.58
10 EC2 instances scanned for only 15 days, resulting in an average of 5 instances, at $1.258 each = 5 * $1.258 = $6.29
For the month, your Amazon Inspector bill would be $18.87.

Example 2: Amazon ECR container image with continual scanning
You enter a new billing month for your US East (N. Virginia) deployment with 500 previously pushed, scanned, and retained container images from the last 30 days in an ECR repository configured for continual scanning. You also push 1,000 new container images to the same repository during the month. Your costs will include the 1,000 new container images initially scanned when they are pushed into ECR as well as a charge for rescanning the total of 1,500 retained container images. For this month, there were updates to the Amazon Inspector vulnerability database, which invoked 15 rescans. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

1,000 newly pushed container images initially scanned at $0.09 each = 1,000 * $0.09 = $90.00
(1,000 newly pushed container images + 500 previously pushed and scanned container images already in the repository = 1,000 + 500 = 1,500 total images in the repository)
1,500 images, each rescanned an average of 15 times, at $0.01 per rescan = 1,500 * 15 * $0.01 = $225.00
For the month, your Amazon Inspector bill would be $315.00.

Example 3: Amazon ECR container image with on-push scanning
You enter a new billing month for your US East (N. Virginia) deployment with 500 previously pushed, scanned, and retained container images in an Amazon ECR repository configured for on-push scanning. You push 1,000 new container images to the same repository during the month. Your costs will include only the 1,000 new container images scanned when they are pushed into Amazon ECR. Since the repository is configured for on-push scanning, there will be no rescans and therefore no additional charges. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

1,000 newly pushed container images initially scanned at $0.09 each = $90.00
(There is no charge for the 500 previously scanned images.)
For the month, your Amazon Inspector bill would be $90.00.

Example 4: AWS Lambda function standard scanning
You enter a new billing month for your US East (N. Virginia) deployment with 20 Lambda functions deployed. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

10 Lambda functions scanned for all 30 days at $0.30 per function = $3.00
10 Lambda functions scanned for only 15 days (i.e., deleted after 15 days) at $0.30 per function = $1.50
(There is no additional charge for rescanning.)
For the month, your Amazon Inspector bill would be $4.50.

Example 5: AWS Lambda function standard plus code scanning
You enter a new billing month for your US East (N. Virginia) deployment with 20 Lambda functions deployed. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

10 Lambda functions scanned for all 30 days at $0.90 ($0.30+$0.60) per function = $9.00
10 Lambda functions scanned for only 15 days (i.e., deleted after 15 days) at $0.90 ($0.30+$0.60) per function = $4.50
(There is no additional charge for rescanning.)
For the month, your Amazon Inspector bill would be $13.50.

Example 6: Amazon EC2 agentless scanning
You enter a new billing month for your US East (N. Virginia) deployment with 10 Amazon EC2 instances with the AWS Systems Manager (SSM) agent installed and configured for Amazon Inspector EC2 scanning, and these instances are running all month. In addition, during this monthly billing period, 10 additional instances are launched and scanned with agentless scanning. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

10 EC2 instances scanned using SSM agent-based scanning, at $1.258 each = $12.58
10 EC2 instances scanned using agentless scanning, at $1.75 each = $17.50
For the month, your Amazon Inspector bill will be $30.08.

Example 7: On-demand container image assessment (including within CI/CD tools)
You enter a new billing month for your US East (N. Virginia) deployment with 1,000 container images within CI/CD tools. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

1,000 container images within CI/CD tools, at $0.03 each = $30.00
For the month, your Amazon Inspector bill will be $30.00.

Example 8: Center for Internet Security (CIS) Benchmark assessments for operating systems in Amazon EC2 instances
You enter a new billing month for your US East (N. Virginia) deployment with 10 EC2 instances with the AWS Systems Manager agent installed. You schedule two monthly CIS Benchmark assessments for the 10 instances. Amazon Inspector charges in US East (N. Virginia) would be calculated as follows:

10 EC2 instances assessed twice at $0.03 each = 10 * 2 * $0.03 = $0.60
For the month, your Amazon Inspector bill will be $0.60.
