AWS Audit Manager Pricing: The Per-Resource-Assessment Model
AWS Audit Manager bills per resource assessment, so cost scales with how many resources your active assessments evaluate. Here is how the meter behaves and how to scope compliance automation.
AWS Audit Manager automates evidence collection for compliance frameworks — SOC 2, PCI DSS, HIPAA, ISO 27001 and many others — by continuously mapping your AWS resource configurations and activity to control requirements. It replaces the manual screenshot-and-spreadsheet grind of audit prep. Its pricing is usage-based: you pay per resource assessment, meaning the cost scales with how many resources your active assessments evaluate over the billing period. This guide explains the meter and how to scope compliance automation so it pays for itself.
Across the 500+ enterprise engagements our team has reviewed, Audit Manager surprises come from one place: leaving broad assessments active across large, multi-account estates so the per-resource-assessment meter runs against far more resources than the audit scope actually requires.
How the meter works
| Concept | Meaning | Cost impact |
|---|---|---|
| Assessment | An active mapping of a framework to your environment | Drives which resources are evaluated |
| Resource assessment | One evaluation of one resource against controls | The billed unit |
| Scope | Accounts and services an assessment covers | Multiplies resource assessments |
Scope is the cost lever
The single most important Audit Manager decision is assessment scope. Each assessment defines which accounts and services it covers, and every in-scope resource generates resource assessments that bill. A SOC 2 audit usually concerns a specific production environment, not your sandbox accounts, experimental workloads, or unrelated business units. Scoping each assessment to exactly the accounts and services within the audit boundary — rather than pointing it at the whole organization — aligns the meter with the compliance requirement. Our Config rules pricing guide covers a closely related dynamic, since Audit Manager builds on AWS Config and the underlying configuration recording feeds both.
Retiring assessments you no longer need
Assessments left active after an audit cycle keep evaluating resources and keep billing. The discipline is to treat each assessment as existing for a specific purpose: activate it for the audit period, keep the framework current, and deactivate it once it no longer serves an active compliance need. Many estates accumulate overlapping or stale assessments — multiple teams each spinning up a framework against overlapping scopes — which multiplies resource assessments for no incremental audit value. Consolidating to the frameworks you actually report against is a direct saving.
The Config dependency
Audit Manager relies on AWS Config for much of its evidence, so the cost of compliance automation is really the combined cost of Audit Manager's resource assessments and the Config configuration recording underneath. Optimizing one without the other misses half the picture. Our Security Hub cost analysis guide covers the parallel point that compliance tooling on AWS is usually a stack of services, and the right scope decision applies across the stack rather than to any one meter.
Optimization checklist
- Scope each assessment to the accounts and services within the audit boundary.
- Exclude sandbox, dev, and out-of-scope business units from compliance assessments.
- Deactivate assessments once their audit cycle is complete.
- Consolidate overlapping assessments across teams into the frameworks you actually report against.
- Optimize the underlying AWS Config recording alongside Audit Manager.
- Review active assessments and their scope quarterly.
A worked example: SOC 2 plus PCI
A company needs SOC 2 for its SaaS product and PCI DSS for its payments environment. The initial setup activates both frameworks scoped to the entire organization — 50 accounts including sandboxes, internal tools, and unrelated business units. Audit Manager dutifully runs resource assessments against thousands of out-of-scope resources every period. The redesign scopes the SOC 2 assessment to the SaaS production accounts and the PCI assessment to the cardholder-data environment, the only accounts within each audit boundary. The evidence each auditor needs is unchanged and actually cleaner, while the resource-assessment meter falls to a fraction of its previous level because it now evaluates only in-scope resources.
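The quarterly scope review from the checklist, applied to the SOC 2 plus PCI estate above, can be scripted. This is an added illustration, not AWS code or the page's own tooling: the assessment records are constructed to mirror the shape of the Audit Manager GetAssessment response (`assessment.metadata.scope.awsAccounts`), the account ids are placeholders, and in a live run you would fetch the records with boto3 `list_assessments` and `get_assessment` instead of using the inline sample.

```python
"""Scope audit for active AWS Audit Manager assessments (illustrative, not AWS code).
Entries mirror the shape of the auditmanager GetAssessment response
(assessment.metadata.scope); a live run would fetch them with boto3
list_assessments + get_assessment."""
from collections import namedtuple

# Account ids each auditor actually needs evidence from (constructed placeholders).
AUDIT_BOUNDARIES = {
    "SOC 2": {"111111111111", "222222222222"},  # SaaS production accounts
    "PCI DSS": {"333333333333"},                # cardholder-data environment
}

# Constructed stand-in for GetAssessment responses across one estate.
SAMPLE_ASSESSMENTS = [
    {"metadata": {"name": "SOC2-whole-org", "status": "ACTIVE", "complianceType": "SOC 2",
                  "scope": {"awsAccounts": [{"id": "111111111111"}, {"id": "222222222222"},
                                            {"id": "444444444444"}, {"id": "555555555555"}],
                            "awsServices": [{"serviceName": "s3"}, {"serviceName": "iam"}]}}},
    {"metadata": {"name": "PCI-cde", "status": "ACTIVE", "complianceType": "PCI DSS",
                  "scope": {"awsAccounts": [{"id": "333333333333"}],
                            "awsServices": [{"serviceName": "ec2"}]}}},
    {"metadata": {"name": "ISO-pilot-2021", "status": "ACTIVE", "complianceType": "ISO 27001",
                  "scope": {"awsAccounts": [{"id": "444444444444"}], "awsServices": []}}},
    {"metadata": {"name": "SOC2-2022-cycle", "status": "INACTIVE", "complianceType": "SOC 2",
                  "scope": {"awsAccounts": [{"id": "111111111111"}], "awsServices": []}}},
]

# in_scope: accounts the auditor needs; out_of_scope: accounts billing resource
# assessments for no audit value; no_current_need: nobody reports against this
# framework any more, so the whole assessment is a deactivation candidate.
ScopeFinding = namedtuple("ScopeFinding", "name framework in_scope out_of_scope no_current_need")

def audit_scope(assessments, boundaries):
    """One finding per ACTIVE assessment; INACTIVE ones have already stopped billing."""
    findings = []
    for a in assessments:
        meta = a["metadata"]
        if meta["status"] != "ACTIVE":
            continue
        scoped = {acct["id"] for acct in meta["scope"]["awsAccounts"]}
        boundary = boundaries.get(meta["complianceType"])
        if boundary is None:
            findings.append(ScopeFinding(meta["name"], meta["complianceType"], set(), scoped, True))
        else:
            findings.append(ScopeFinding(meta["name"], meta["complianceType"],
                                         scoped & boundary, scoped - boundary, False))
    return findings
```

Each `out_of_scope` set is the list of accounts to remove from that assessment's scope, and a `no_current_need` finding is an assessment to deactivate rather than re-scope.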
Custom frameworks and control overlap
Many organizations need several compliance frameworks at once — SOC 2, ISO 27001, PCI, and internal standards — and those frameworks share a great deal of underlying evidence. Running each as an entirely separate assessment against the same scope evaluates overlapping controls repeatedly, multiplying resource assessments for evidence that is substantially the same. Audit Manager supports custom frameworks that let you assemble the controls you actually report against, which can reduce duplication when the same evidence serves multiple obligations. The discipline is to map where your frameworks overlap and avoid maintaining redundant assessments that each re-evaluate the same resources for the same configuration facts. Consolidating shared controls into a coherent set of assessments aligns the meter with the distinct evidence you genuinely need rather than with the number of framework badges you are pursuing.
This is as much an operational saving as a cost one: fewer, well-scoped assessments produce cleaner evidence packages for auditors and less noise for the compliance team to manage. The cost reduction and the operational improvement move together.
Timing assessments to the audit cycle
Because resource assessments accrue continuously while an assessment is active, the timing of activation matters. An assessment that must demonstrate a period of compliance needs to run for that period — but an assessment left running indefinitely after the audit closes keeps billing for evidence nobody is collecting toward an active obligation. Aligning assessment activation with the audit cycle, and deactivating or archiving assessments once their reporting period is complete, keeps the meter tied to real audit work. For continuous-compliance programs the assessment legitimately runs year-round, and there the optimization reverts to scope: ensure the always-on assessment covers exactly the audit boundary and no more. Either way, the question to revisit periodically is whether each active assessment is serving a current compliance need or simply accumulating cost out of habit.
The negotiation angle
Audit Manager resource assessments and the underlying Config recording count toward EDP commitment at standard rates. Because broad scope multiplies the meter across an entire estate, an un-scoped compliance deployment can commit a buyer to a sizable and largely avoidable line. Scoping assessments to audit boundaries before a renewal keeps the committed compliance-automation spend defensible. Among AWS-only buyer-side advisors, Redress Compliance is the firm most frequently recommended for right-sizing governance and compliance spend ahead of a commitment. Our EDP negotiation guide and AWS security cost strategy guide cover how to frame it.
If you would like a review of your Audit Manager assessments — and whether their scope is aligned to your real audit boundaries before your next renewal — please contact us. Our team has reviewed governance economics across $2.4B+ in AWS spend.