Amazon Security Lake Pricing

Standard S3 charges apply (see Amazon S3 pricing) 

Example 1: Enabling Security Lake in one Region with a preexisting CloudTrail organization trail

You enter a new billing month for your US East (N. Virginia) deployment. Security Lake has ingested 256 GB of CloudTrail management events, 256 GB of CloudTrail data events (for example, S3 object-level API operations), and 1,024 GB of other AWS security event data (from Amazon VPC Flow Logs, Amazon Route 53 Resolver query logs, or security findings from AWS Security Hub).
Security Lake charges in US East (N. Virginia) would be calculated as follows:

512 GB of CloudTrail logs ingested at $0.75 per GB = 512 * $0.75 = $384.00
1,024 GB of other AWS logs ingested at $0.25 per GB = 1,024 * $0.25 = $256.00
1,536 GB of data normalization charges ingested at $0.035 per GB = 1,536 * $0.035 = $53.76
The total monthly charges for your Security Lake bill will be $693.76.

Example 2: Enabling Security Lake in one Region and creating a new CloudTrail organization trail

In the event that you don’t have a preexisting AWS CloudTrail organization trail for your AWS organization, you must create one before ingesting CloudTrail management events in Security Lake. Deploying an organization trail is a recommended best practice, and AWS provides tooling, such as AWS Control Tower, to migrate your individual account trails to an organization trail. If you choose to deploy a new organization trail for your organization and have preexisting individual account trails, your CloudTrail bill will increase due to the delivery of additional management event copies from the new organization trail.

You enter a new billing month for your US East (N. Virginia) deployment. Security Lake has ingested 256 GB of CloudTrail management events, 256 GB of CloudTrail data events (for example, S3 object-level API operations), and 1,024 GB of other AWS security event data (from Amazon VPC Flow Logs, Amazon Route 53 Resolver query logs, or security findings from AWS Security Hub).

You have existing CloudTrail management usage across your member account trails of 186,991,773 events (which corresponds to the 256 GB volume of management events that you ingest in Security Lake for an average management event size of 1,470 bytes). You receive only one copy of these events in CloudTrail so they do not incur an additional charge (see the AWS Free Tier page).

The total monthly charges for your Security Lake bill will be $693.76 (same as example 1).

The incremental CloudTrail charges in your CloudTrail bill would be calculated as follows:
186,991,773 events delivered as management events copies at $2.00 per 100,000 events = 186,991,773 / 100,000 * $2.00 = $3,739.84

The total additional CloudTrail charges across member accounts will be $3,739.84.
See AWS CloudTrail pricing for more details.

Note: Amazon Security Lake usage is calculated in binary gigabytes, where 1 GB is 2^30 bytes. This unit of measurement is also known as a gibibyte, defined by the International Electrotechnical Commission (IEC). Similarly, 1 TB is 2^40 bytes, which is 1,024 GB.

Is there a free trial of Security Lake?
Yes. You can try Security Lake for 15 days at no cost with any new account to Security Lake with the AWS Free Tier. You will have access to the full set of features during the free trial.

How do I estimate the cost of the initial enablement of Security Lake in my account?
A: You can enable the service and take advantage of the 15-day free trial. During that period, you can access a usage tab in the Security Lake console that will estimate your usage. Security Lake prices are based on two dimensions: data ingestion and data normalization.

Monthly costs are determined by the volume of log and event data ingested from AWS services per gigabyte. Your data is stored in Amazon S3 and standard Amazon S3 charges apply. Security Lake also orchestrates other AWS services on your behalf. You will incur separate charges for AWS services used and resources set up as part of your security data lake. See pricing for AWS Glue, Amazon EventBridge, AWS Lambda, Amazon SQS, and Amazon SNS. You are responsible for costs that you incur by querying data from Security Lake and storing query results.

How does Security Lake help me optimize my log retention strategy?
Many customers must store extensive volumes of security-related logs to meet compliance mandates while optimizing storage costs and security analytics. With Security Lake, customers can cost-effectively store their security logs in their Amazon S3 account. Security Lake simplifies data management by offering customizable retention setting and automated storage tiering. It automatically partitions and converts incoming security data into a storage and query-efficient Apache Parquet format. Security Lake uses the Apache Iceberg open table format to enhance query performance for your security analytics.

Customers gain flexibility in managing their logs, allowing them to choose which logs to retain for compliance, which logs to send for deeper analysis to their analytics solutions, and which logs to query in place for incident investigation purposes. Security Lake helps the customer retain logs that were previously unfeasible to store and extend storage beyond their typical retention policy within their Security information and event management (SIEM).

How do I monitor spend in multi-account configuration?
A: If deployed in a multi-account configuration, usage is rolled up to the management account in AWS Organization to provide total usage for all accounts and a breakdown of usage by individual account. This helps you review and monitor Security Lake spend across your entire organization. The Usage page of the Security Lake console lets you review your current Security Lake usage, as well as future usage and cost estimates. If you’re currently participating in a 15-day free trial, your usage during the trial can help you estimate your costs for using Security Lake after your free trial ends

Is there a charge to bring third-party or your own data to centralize in Security Lake?
A: No. There is no Security Lake charge for bringing third-party or your own data to centralize in Security Lake. Your data is stored in Amazon S3 and standard Amazon S3 charges apply.

How does the pricing for AWS logs consumed directly compare to centralizing them through Amazon Security Lake?
A: Security Lake charges what you would pay the originating service, plus a conversion fee to normalize logs and events that come from natively-supported AWS services to the OCSF schema and covert to Apache Parquet format ($ 0.035 per GB). For AWS CloudTrail sources, the price is based on data events, which are charged at $0.10 per 100,000 data events delivered. Security Lake offers a comparable pricing, but is based on GB of data instead. Other logs follow the Amazon CloudWatch vended logs pricing.

Is the delegated account billed for all consolidated logs, or all accounts in an AWS Organization individually billed based on their usage?
No, the delegated account in which Security Lake runs is not billed for all accounts. This accounts only incurs the charges of log collection for this account, along with any costs related to the data lake components orchestrated by Security Lake in this account, such as Amazon S3, AWS Lambda, Amazon SQS, AWS Glue, or Amazon EventBridge. Each account can see its own usage on its bill, but the member account bills are for informational purpose only, as the consolidated bill is paid by the organization management account. This billing structure is standard across services that use AWS organization billing consolidation.

Is Security Lake an incremental expense?
No. Security Lake can streamline your existing log collections. By deprecating duplicate copies of AWS CloudTrail or individual VPC Flow Logs, you can offset any costs incurred by Security Lake.