AWS Security Hub Pricing

Security Hub offers a 30-day free trial that includes Security Hub essentials plan capabilities, which uses resource-based pricing. Every AWS account in each Region receives a free trial, and you remain eligible even if you previously used AWS Security Hub CSPM or Amazon Inspector free trials. Add-on capabilities including threat analytics plan by Amazon GuardDuty and AWS Lambda code scanning powered by Amazon Inspector are not included in the Security Hub free trial. After the free trial, costs are based on the AWS resources you monitor (EC2 instances, container images, Lambda functions, IAM users/roles) and threat analytics plan usage (CloudTrail events and log data volume).

Security Hub offers the essentials plan as the default, with the ability to add threat analytics plan or Lambda code scanning capabilities as needed. The essentials plan includes risk analytics, vulnerability management, security posture management, and security response management. The threat analytics plan adds Amazon GuardDuty-powered monitoring of AWS account activity, VPC flow logs, DNS logs, and other security data. See the plan details section for complete feature descriptions.

The Security Hub essentials plan delivers security protection across four key areas:

• Risk and exposure analytics - Automatically identifies and prioritizes your most critical security issues by correlating findings across your environment, helping you focus on what matters most and respond faster to threats.
• Vulnerability management - Continuously scans your EC2 instances, container images, and Lambda functions for software vulnerabilities and configuration weaknesses, enabling you to remediate security gaps before they can be exploited.
• Security posture management - Evaluates your AWS environment against industry security standards and best practices to identify misconfigurations, helping you maintain compliance and reduce your attack surface.
• Security response management - Provides a centralized view of your security findings with automated workflows, enabling your team to investigate and remediate issues more efficiently across your entire AWS environment.

Together, these capabilities help you reduce security risks, improve team productivity, and maintain a strong security posture across your cloud infrastructure.

Yes, Security Hub monitors all relevant AWS resources in your environment to provide more comprehensive security coverage. Essentials plan pricing is based on four resource types: EC2 instances, ECR container images, Lambda functions, and IAM users and roles. This simplified pricing model makes it easier to estimate and manage your Security Hub costs.

No, you don't need both plans. The Security Hub essentials plan is the default level of coverage you receive when you enable Security Hub and is required for all Security Hub functionality. It provides security capabilities including risk and exposure analytics, vulnerability management, security posture management, and security response management. The threat analytics plan is an add-on that enhances your essential plan with threat monitoring capabilities powered by Amazon GuardDuty.

The threat analytics plan cannot be used alone - it requires the Security Hub essentials plan as its foundation. While most essentials plan features work independently, malware protection for Amazon EC2 is a special case: it's included in the essentials plan but only functions when you also have the threat analytics plan active, because it relies on GuardDuty threat detection to identify suspicious activity before scanning for malware.

You can start with just the essentials plan and add threat analytics capabilities later as your security monitoring needs evolve.

AWS provides a cost estimation tool to help you estimate Security Hub costs before enabling the service. See Security Hub Cost Estimator page for more details.

The Security Hub essentials plan combines Amazon Inspector and AWS Security Hub CSPM capabilities into a single, predictable resource-based pricing model that simplifies costs while enhancing security operations.

Existing Amazon Inspector customers gain streamlined vulnerability management with unified resource pricing for EC2 instance scans (both agent based and agentless), unlimited CIS Benchmark assessments, predictable ECR container image monitoring costs, and flat monthly Lambda function monitoring rates. This consolidation eliminates the complexity of managing multiple pricing models while providing comprehensive vulnerability coverage.

Security Hub CSPM customers benefit from transitioning from usage-based to resource-based pricing while gaining more comprehensive vulnerability correlation capabilities, unlimited security checks and finding ingestions, and enhanced compliance monitoring against industry standards with automatic correlation to Amazon Inspector vulnerability data. This shift provides cost predictability while expanding security capabilities.

Beyond cost consolidation, the Security Hub essentials plan transforms security operations for all customers through automatic correlation of vulnerability findings with compliance checks, reducing alert noise through exposure prioritization. Security teams can focus on contextualized risks that combine vulnerability severity with network exposure and compliance gaps, all while benefiting from centralized operations, automated remediation workflows, and the flexibility to expand into more comprehensive threat detection as security needs evolve.

Existing billing for security services seamlessly transitions to Security Hub streamlined pricing with no action required. You'll receive consolidated charges under Security Hub instead of separate service bills for the capabilities included in Security Hub plans.

Security Hub provides account-level flexibility within AWS Organizations. When you enable Security Hub in an account, that account receives streamlined pricing across security services. When you don't enable Security Hub in an account, that account uses individual service pricing for each security service. This means within a single AWS Organization, you can have some accounts using Security Hub streamlined pricing model while other accounts continue with individual service pricing, determined at the account level based on whether Security Hub is enabled in that specific account.

EC2 instances: Average number of EC2 instances = (total hours of active instances / number of hours in a month, i.e., 720 hours). For example, you have 3 instances that were active for different amounts of time during a month: The first for 360 hours, the second for 350 hours, and the third for 10 hours, adding up to a total of 720 hours of active instances. Therefore, 720 hours total of instances being scanned that month / 720 hours in the month = 1 average EC2 instance.

Container images: Number of container images scanned = Number of container images pushed to Amazon ECR each month plus number of container images that are in scope for re-scanning during the month, based on Amazon Inspector re-scan configuration. Amazon Inspector performs an initial scan of each container image pushed to Amazon ECR. Additionally, Amazon Inspector re-scans container images for new vulnerabilities based on the time frames you configure for image push date, image pull date, and image last in-use date. Example: You have 5,000 images in your Amazon ECR repository and push 500 additional images to Amazon ECR in a month. You have configured image monitoring for 14 days based on the last in-use date. During the month, 75 container images from the repository are deployed to Amazon ECS or Amazon EKS clusters. Amazon Inspector monitors and charges based on the actual duration each image is monitored within your configured window - this includes both the 75 active images while they remain in use and the 500 newly pushed images for their respective monitoring periods. Note that charges apply only for the time each image is actually monitored (up to 14 days by default), not necessarily for the entire month, and this monitoring period can be customized based on your needs.

Lambda functions: Eligible Lambda functions are based on functions marked $LATEST and were invoked or updated in the last 90 days. Average number of Lambda functions = (total hours of Security Hub coverage for a Lambda function)/ (number of hours in a month, i.e., 720 hours). Security Hub coverage hours represent the time from when the Lambda function is deployed to the time it is deleted.

Example: You have 3 deployed Lambda functions that were monitored by Security Hub for different amounts of time during a month: The first for 720 hours, the second for 350 hours, and the third for 10 hours, adding up to a total of 1,080 hours of deployed Lambda functions being scanned. Therefore, 1,080 hours total of Lambda functions being scanned that month / 720 hours in the month = 1.5 average Lambda functions.

IAM users and roles: Average number of IAM users and roles = Number of IAM users or roles that existed during the month, prorated daily.

Capabilities not explicitly listed in the Security Hub plans continue to be billed through their original services. For example, you will only receive GuardDuty billing for any remaining GuardDuty capabilities that are not included in the threat analytics plan.

Yes, individual services like Amazon Inspector, GuardDuty, and Security Hub CSPM remain available with their standard pricing when Security Hub is not enabled.