Cost
You are responsible for the cost of the AWS services used while running this solution. The following cost estimates are based on specific assumptions. You can reduce the cost to fit your needs by restricting the scope of your Firewall Manager policies with the Systems Manager parameters, or by customizing the default policies deployed by the solution.
As of this revision, the cost to run the solution in the US East (N. Virginia) Region, excluding automations for Shield Advanced, is approximately:
-
$1,733.00 per month for a small organization
-
$18,951.00 per month for a large organization
The cost to run the solution in the US East (N. Virginia) Region, including deployment of the automations for Shield Advanced, is approximately:
-
$938.82 per month for a small organization
-
$3,352.76 per month for a large organization
Note
These cost estimations
don’t include the monthly subscription cost of Shield Advanced.
For more information, refer to
AWS
Shield Advanced pricing
Costs are lower when including the automations for Shield Advanced because your Shield Advanced subscription includes many of the features of this solution, such as AWS WAF policies.
These costs are for the resources shown in the Sample cost tables. The total cost to run this solution depends on the following:
-
Number of policies installed
-
Number of accounts managed
-
Number of rule sets and web ACLs installed
-
Number and invocation duration of Lambda functions
-
Number of EventBridge events published
-
Number of Shield protections configured
We recommend creating a
budget
through
AWS
Cost Explorer
Sample cost tables
The following tables provide a sample cost breakdown for deploying this solution with the default parameters in the US East (N. Virginia) Region for one month.
Cost per month for a small organization - Primary stack
Assumptions:
-
Accounts: 12 accounts across 2 OUs
-
Number of AWS Regions: 3
-
Subscription to AWS Shield Advanced: No
-
Number of policies: 13
-
CloudFront global policy: AWS WAF global policy ($100 × 1 global policy)
-
Regional policies:
-
AWS WAF Regional policy ($100 × 3 Regions)
-
Security group content audit policy ($100 × 3 Regions)
-
Security group usage audit policy ($100 × 3 Regions)
-
DNS Firewall policy ($100 × 3 Regions)
-
-
Note
The following cost
estimate doesn't account for a subscription to AWS Shield Advanced. With the Shield Advanced subscription, the AWS WAF
protection policy cost and the AWS WAF web ACL and rules cost
are included. For additional information, refer to the
AWS Firewall Manager pricing
| Components | Quantity | Accounts | $/month [USD] | Monthly Total [USD] |
|---|---|---|---|---|
| AWS Firewall Manager | ||||
| Policies | 13 | N/A | $100.00 | $1,300.00 |
| AWS WAF web ACL | 4 | 12 | $5.00 | $240.00 |
| AWS WAF rules | 4 × 4 | 12 | $1.00 | $192.00 |
| Other AWS services* | ||||
| Other* | N/A | 12 | less than $1.00 | $1.00 |
| Total: | $1,733.00 | |||
| * Other AWS services include Lambda, Amazon SNS, EventBridge, CloudFormation StackSets, AWS Config, Route 53 Resolver DNS Firewall, Parameter Store, X-Ray, DynamoDB, and Amazon S3. | ||||
Cost per month for a small organization - Automations for Shield Advanced
Assumptions:
-
Includes all costs for a small organization deploying the automations for Shield Advanced templates
-
Costs for AWS WAF protection policies, web ACLs, and rules are included in an Shield Advanced subscription, so they are excluded from this calculation. For additional information, refer to AWS Firewall Manager pricing
. -
Accounts: 12 accounts
-
Number of AWS Regions: 1
-
Subscription to Shield Advanced: Yes
-
Number of regional Shield Advanced protections: 20
-
Number of global Shield Advanced protections: 2
Cost details:
-
AWS Config continuous recording: Enabled for Shield Advanced protections
-
Configuration items ($0.003 per configuration item × 22 Shield Advanced protections × 2 configuration changes)
-
AWS Config rule evaluations ($0.001 per rule evaluation × 22 Shield Advanced protections × 2 configuration changes)
-
-
Route 53 health checks ($0.50 per health check per month × 3 health checks × 22 Shield Advanced protections)
-
CloudWatch metric alarms ($0.10 per alarm metric × 22 Shield Advanced protections × 2 metric alarms)
-
Lambda:
-
Function requests ($0.20 per 1M requests × (44 configuration item evaluations + 22 remediations + 30 time-based evaluations))
-
Function duration ($0.0000000167 per 1ms × 150,000 ms × 96 invocations)
-
Note
The following cost estimate only accounts for AWS Config continuous recording costs
related to Shield Advanced resource types. These costs might vary depending on the type of
recording enabled and the resources being recorded by AWS Config in your accounts. For
additional information, refer to the AWS Config pricing page
| Components | Quantity | Pricing [USD] | Monthly Total [USD] |
|---|---|---|---|
| AWS Config | |||
| Configuration items | 22 | $0.003 per configuration item delivered | $0.132 |
| AWS Config rule evaluations | 44 | $0.001 per rule evaluation | $0.044 |
| Route 53 | |||
| Health checks | 66 | $0.50 per health check per month | $33.00 |
| CloudWatch | |||
| Metric alarms | 44 | $0.10 per alarm metric per month | $4.40 |
| Amazon SQS | |||
| FIFO queue | 1 | First 1 million requests/month are free $0.50 per million requests thereafter |
AWS Free Tier |
| Lambda | |||
| Function duration | 150,000 ms | $0.0000000167 per 1 ms | $0.24 |
| Function requests | 96 | $0.20 per 1M requests | AWS Free Tier |
| X-Ray | |||
| Tracing | ~100 traces recorded with default 5% sampling rate | $0.000005 per trace | < $ 0.01 |
| Total | $37.82 | ||
Cost per month for a large organization - Primary stack
Assumptions:
-
Accounts: 150 accounts across 20 OUs
-
Number of AWS Regions: 10
-
Subscription to AWS Shield Advanced: No
-
Number of policies: 41
-
Global policy: AWS WAF global policy ($100 × 1 global policy)
-
Regional policies:
-
AWS WAF Regional policy ($100 × 10 AWS Regions)
-
Security group content audit policy ($100 × 10 Regions)
-
Security group usage audit policy ($100 × 10 Regions)
-
DNS Firewall policy ($100 × 10 Regions)
-
-
Note
The following cost
estimate doesn't account for a subscription to AWS Shield Advanced. With the Shield Advanced subscription, the AWS WAF
protection policy cost and the AWS WAF web ACL and rules cost
are included. For additional information, refer to the
AWS Firewall Manager pricing
| Components | Quantity | Accounts | $/month [USD] | Monthly Total [USD] |
|---|---|---|---|---|
| AWS Firewall Manager | ||||
| Policies | 41 | N/A | $100.00 | $4,100.00 |
| AWS WAF web ACL | 11 | 150 | $5.00 | $8,250.00 |
| AWS WAF rules | 4 × 11 | 150 | $1.00 | $6,600.00 |
| Other AWS services | ||||
| Other* | N/A | 150 | less than $1.00 | $1.00 |
| Total: | $18,951.00 | |||
| *Other AWS services include Lambda, Amazon SNS EventBridge, CloudFormation StackSets, AWS Config, Route 53 Resolver DNS Firewall, Parameter Store, X-Ray, DynamoDB, and Amazon S3. | ||||
Cost per month for a large organization - Automations for Shield Advanced
Assumptions:
-
Includes all costs for a small organization deploying the automations for Shield Advanced templates.
-
Costs for AWS WAF protection policies, web ACLs, and rules are included in a Shield Advanced subscription, so they are excluded from this calculation. For additional information, refer to Firewall Manager pricing
. -
Accounts: 150 accounts
-
Number of AWS Regions: 1
-
Subscription to Shield Advanced: Yes
-
Number of regional Shield Advanced protections: 200
-
Number of global Shield Advanced protections: 5
Cost details:
-
AWS Config continuous recording: Enabled for Shield Advanced protections
-
Configuration items ($0.003 per configuration item × 205 Shield Advanced protections × 2 configuration changes)
-
AWS Config rule evaluations ($0.001 per rule evaluation × 205 Shield Advanced protections × 2 configuration changes)
-
-
Route 53 health checks ($0.50 per health check per month × 3 health checks × 205 Shield Advanced protections)
-
CloudWatch metric alarms ($0.10 per alarm metric × 205 Shield Advanced protections × 2 metric alarms)
-
Lambda:
-
Function requests ($0.20 per 1M requests × (410 configuration item evaluations + 205 remediations + 30 time-based evaluations))
-
Function duration ($0.0000000167 per 1 ms × 150,000 ms × 645 invocations)
-
Note
The following cost estimate only accounts for AWS Config continuous recording costs
related to Shield Advanced resource types. These costs might vary depending on the type of
recording enabled and the resources being recorded by AWS Config in your accounts. For
additional information, refer to the AWS Config pricing page
| Components | Quantity | Pricing [USD] | Monthly Total [USD] |
|---|---|---|---|
| AWS Config | |||
| Configuration items | 205 | $0.003 per configuration item delivered | $0.23 |
| AWS Config rule evaluations | 410 | $0.001 per rule evaluation | $0.41 |
| Route 53 | |||
| Health checks | 615 | $0.50 per health check per month | $307.50 |
| CloudWatch | |||
| Metric alarms | 410 | $0.10 per alarm metric per month | $41.00 |
| Amazon SQS | |||
| FIFO queue | 1 | First 1 million requests/month are free $0.50 per million requests thereafter |
AWS Free Tier |
| Lambda | |||
| Function duration | 150,000 ms | $0.0000000167 per 1 ms | $1.62 |
| Function requests | 645 | $0.20 per 1M requests | AWS Free Tier |
| X-Ray | |||
| Tracing | ~650 traces recorded with default 5% sampling rate | $0.000005 per trace | < $ 0.01 |
| Total | $351.76 | ||
