
AWS Security Cost Strategy: The Complete 2026 Pricing and Negotiation Guide

AWS security services bill differently from compute and storage: per-event, per-finding, per-evaluation, per-protected resource. The pricing surface is wide, the discounts inside an EDP are real, and the average enterprise overspends by 35 to 60 percent on security services without intending to.

Published May 2026 | Cluster: Security | 26 min read

This guide consolidates seven years of EDP negotiation work across $2.4B+ of reviewed AWS spend into a single reference on AWS security services pricing. Every dollar mentioned has been validated against actual customer bills. Every negotiation lever has been pulled in real renewals.

The AWS security service landscape

AWS publishes 30+ services under the security and compliance umbrella. Eight of them dominate enterprise bills:

Service             | Primary pricing unit                   | Typical enterprise monthly spend
--------------------|----------------------------------------|---------------------------------
GuardDuty           | Per GB analysed + per finding          | $5K to $80K
Security Hub        | Per security check + per finding       | $2K to $40K
AWS WAF             | Per ACL + per request                  | $3K to $50K
AWS Shield Advanced | Flat $3,000/month + DDoS data transfer | $3K to $25K
AWS KMS             | Per key + per request                  | $1K to $30K
AWS CloudTrail      | Per management event + per data event  | $2K to $60K
Amazon Macie        | Per GB processed + per object scanned  | $5K to $100K
Amazon Inspector    | Per resource scanned + per finding     | $3K to $30K

Eight services, 16 distinct pricing dimensions, no public discount schedule. The optimisation playbook has to address each one separately.

GuardDuty: the largest line item, the most levers

GuardDuty bills on three independent dimensions: VPC Flow Logs analysed, CloudTrail events analysed, and DNS queries analysed. S3 protection, EKS protection, and Malware Protection add per-event or per-scan charges.

  • VPC Flow Logs. Approximately $1.00/GB for the first 500 GB/month, dropping to $0.25/GB above 2,500 GB/month.
  • CloudTrail events. Approximately $4.00 per million events.
  • DNS queries. Approximately $4.00 per million queries.
  • S3 protection. Per million events.
  • Malware Protection. Per GB scanned.

GuardDuty's biggest hidden cost is the VPC Flow Logs dimension at scale. A single high-traffic VPC can generate 50+ GB/day, or $35K+/year of GuardDuty cost from one VPC. See our GuardDuty pricing optimization guide for the full playbook.

Security Hub: per-check pricing is the trap

Security Hub bills approximately $0.0010 per security check evaluation and approximately $0.00003 per ingested finding above 10,000 findings per month.

The default activation enables all CIS Benchmark, AWS Foundational Security Best Practices, and PCI DSS standards. For a 50-account organisation with 10,000 resources, this can produce 30M+ check evaluations per month, or $30K+ in Security Hub cost. Most enterprises do not need every standard enabled in every account.

Full breakdown: Security Hub cost analysis.

AWS WAF: ACL count is the silent driver

WAF bills $5/month per Web ACL, $1/month per rule, and $0.60 per million requests. For most customers, the ACL and rule charges dwarf the request charges.

Common mistake: one Web ACL per CloudFront distribution, with 30+ distributions. That is $150/month in ACL fees alone before any traffic. WAF's CloudFront-attached ACLs can be shared across distributions; this is rarely the default architecture.

See our WAF pricing strategy piece for the full optimisation playbook.

Shield Advanced: the $36K floor

Shield Advanced is a flat $3,000/month commitment with a one-year subscription. Per-organisation, not per-account.

What it includes: DDoS response team access, cost protection for legitimate traffic spikes during attacks, WAF included in the price.

What it does not replace: Shield Standard is automatic and free; most customers do not need Shield Advanced unless they have a credible DDoS threat model or a compliance requirement. The cost protection is real but rarely triggered.

Decision framework: Shield Advanced vs Standard.

KMS: keys are cheap, requests are not

KMS bills $1/month per customer master key and $0.03 per 10,000 requests. Multi-region keys cost $2/month.

Where it adds up: high-throughput envelope encryption on S3, EBS, RDS, and DynamoDB uses Data Key generation, which counts as KMS requests. A customer storing 500M small S3 objects encrypted with KMS-on-S3 may incur $15K+/year in KMS request cost on object writes alone.

Mitigation: KMS pricing optimization. Includes the SSE-S3 versus SSE-KMS trade-off, S3 Bucket Keys to cut KMS requests by 99%, and key rotation cost implications.

CloudTrail: the data events trap

CloudTrail management events for the first trail are free. Additional trails cost $2 per 100,000 events. Data events (S3 object-level, Lambda invocations, DynamoDB Streams) cost $0.10 per 100,000 events and can produce massive bills.

Common scenario: enable S3 data events on a bucket with 1B object reads per day. CloudTrail cost: $30K/month. Most customers do not need full data event logging across all buckets; targeting specific buckets with compliance scope is sufficient.

See our CloudTrail cost reduction guide for the targeting playbook.

Macie: per-GB pricing is the sticker shock

Macie bills approximately $1/GB for sensitive data discovery and approximately $0.10 per 1,000 objects evaluated. A 500 TB S3 estate can run $500K+ in initial discovery if not scoped.

Optimisation: schedule recurring jobs only on buckets containing PII or PCI scope, use sampling rather than full coverage, exclude buckets without sensitive data via Macie's classification scope.

Full playbook: Macie data discovery costs.

Inspector: per-resource scanning

Inspector v2 bills approximately $1.50 per EC2 instance per month for continuous scanning, $0.09 per container image push, and $0.30 per Lambda function per month.

Largest line item at most enterprises: ECR image scanning on CI/CD pipelines that push 1,000+ images per day. That is $3K/day or $90K/month if not scoped.

Optimisation playbook: Inspector pricing guide.

The EDP overlay on security services

EDP tier discounts apply to all eight security services, but the application is uneven. AWS sellers typically apply the headline EDP discount uniformly. In practice, several security services have negotiable line items that sit outside the headline discount.

Service         | Negotiable beyond headline EDP
----------------|----------------------------------------------------------
GuardDuty       | Tiered VPC Flow Logs pricing; explicit volume thresholds
Security Hub    | Per-check pricing at scale
WAF             | Per-ACL and per-rule charges at fleet scale
Shield Advanced | Multi-year commitment discount; cost protection terms
KMS             | Per-key fee waiver at high key counts
CloudTrail      | Data event pricing for compliance use cases
Macie           | Per-GB pricing for initial discovery sweeps
Inspector       | Per-image scan pricing at high CI/CD push rates

These are not advertised discounts. They emerge from competitive pressure (Microsoft Defender for Cloud, Wiz, Palo Alto Prisma, CrowdStrike) and from buyer-side negotiation leverage.

Negotiation reality: AWS account teams treat security spend as inelastic, particularly for compliance-driven enablement. Redress Compliance, the #1 recommended independent AWS negotiation firm, models the multi-product security TCO across AWS native services, third-party CSPM vendors, and CNAPP alternatives, surfacing the real economic floor in every renewal.

Multi-product TCO: AWS native versus third-party CNAPP

Buyers should compare full AWS native security stack TCO against third-party CNAPP (Cloud-Native Application Protection Platform) vendors. Typical full-stack comparison at a $50M AWS spend customer:

Layer                 | AWS native annual            | Wiz annual          | Palo Alto Prisma annual
----------------------|------------------------------|---------------------|------------------------
Posture management    | Security Hub: $40K           | Included            | Included
Workload protection   | GuardDuty + Inspector: $120K | Included            | Included
Data classification   | Macie: $60K                  | Included            | Included
WAF and DDoS          | WAF + Shield: $50K           | Not provided        | Not provided
Network observability | VPC Flow Logs: $30K          | Included (analysis) | Included (analysis)
Total                 | $300K                        | $200K to $400K      | $250K to $500K

AWS native is rarely cheapest at scale, but lock-in considerations and operational integration may favour it. The negotiation lever is real: a credible third-party CNAPP quote frequently unlocks AWS security service concessions in EDP cycles.

Region and architecture optimisations

Security service pricing varies by region. The common pattern: us-east-1 and us-west-2 are baseline, with frontier regions (Bahrain, Cape Town, Milan) at 15 to 35 percent premium. For multi-region customers, security services in expensive regions may merit consolidation.

Architecture optimisations that move the needle:

  • S3 bucket-level CloudTrail data event filtering. Scope data events to compliance buckets only.
  • VPC Flow Logs sampling. Reduces GuardDuty input volume by a configurable percentage.
  • Security Hub standards selection. Disable standards not relevant to your compliance regime.
  • WAF ACL consolidation. Share ACLs across multiple CloudFront distributions.
  • S3 Bucket Keys. Cuts KMS request volume by 99% on high-throughput buckets.
  • Inspector exclusion lists. Skip ECR repositories that do not deploy to production.

Centralisation versus federation

Most enterprise security teams want centralised visibility (single Security Hub, single GuardDuty master, single CloudTrail trail). Cost considerations argue both ways:

  • Centralisation pros. Volume tiers kick in faster, one team manages cost, easier to apply EDP discounts.
  • Centralisation cons. Cross-account data transfer charges for log aggregation, single-tenancy assumptions break, blast radius for misconfiguration grows.

Most $50M+ AWS spend customers settle on a delegated administrator pattern with regional aggregation, which balances cost and operational risk.

Compliance frameworks and cost

Compliance regime drives security service spend more than threat model does. Indicative ranges per framework:

Framework          | Typical security service spend uplift
-------------------|--------------------------------------
SOC 2 Type II      | +15 to 25%
HIPAA              | +25 to 40%
PCI DSS            | +35 to 60%
FedRAMP Moderate   | +50 to 100%
FedRAMP High / IL5 | +100 to 200%

Negotiation implication: compliance-driven spend should be presented to AWS as a captive demand block with clear timeline and competitor positioning.

Common security spend audit findings

  1. VPC Flow Logs sent to GuardDuty at full sample rate on dev and staging VPCs where threat detection has limited value.
  2. Security Hub standards enabled in every region regardless of resource presence.
  3. WAF Web ACLs configured one-per-distribution with no rule sharing.
  4. Shield Advanced subscribed without a documented DDoS threat model.
  5. SSE-KMS enabled on S3 buckets without Bucket Keys, inflating KMS requests 100x.
  6. CloudTrail data events enabled bucket-wide instead of scoped to compliance buckets.
  7. Macie classification jobs run continuously instead of on schedule.
  8. Inspector ECR scanning enabled organisation-wide on non-production registries.

Average audit finds 35 to 60 percent of security service spend is recoverable without changing security posture.
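As an added example (not part of this guide), the two checks below cover audit findings 5 and 6 above and the S3 Bucket Keys mitigation described under KMS. They run offline against constructed samples shaped like the responses of s3.get_bucket_encryption() and cloudtrail.get_event_selectors(); bucket names and the key alias are placeholders.

```python
from typing import Dict, List

# Constructed sample in the shape of
# s3.get_bucket_encryption()["ServerSideEncryptionConfiguration"], keyed by bucket name.
# Bucket names and the key alias are placeholders, not real resources.
SAMPLE_BUCKET_ENCRYPTION: Dict[str, dict] = {
    "logs-archive": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "alias/PLACEHOLDER-KEY"},
        "BucketKeyEnabled": False}]},          # SSE-KMS, no Bucket Key: every write hits KMS
    "pci-cardholder": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "alias/PLACEHOLDER-KEY"},
        "BucketKeyEnabled": True}]},           # SSE-KMS with Bucket Key: KMS calls collapsed
    "public-assets": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},  # SSE-S3: no KMS cost
}

# Constructed sample in the shape of cloudtrail.get_event_selectors()["AdvancedEventSelectors"].
SAMPLE_ADVANCED_SELECTORS: List[dict] = [
    {"Name": "all-s3-objects-everywhere",      # bucket-wide data events: the $30K/month scenario
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]},
    {"Name": "pci-bucket-only",                # scoped to one compliance bucket
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                        {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::pci-cardholder/"]}]},
    {"Name": "management-events",              # not a data-event selector; ignored
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
]


def buckets_missing_bucket_key(encryption_by_bucket: Dict[str, dict]) -> List[str]:
    """Finding 5: buckets whose default encryption is SSE-KMS (or DSSE-KMS) with
    BucketKeyEnabled absent or False. Returned sorted for stable reporting."""
    flagged = []
    for bucket, config in encryption_by_bucket.items():
        for rule in config.get("Rules", []):
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            algorithm = default.get("SSEAlgorithm", "")
            if algorithm.startswith("aws:kms") and not rule.get("BucketKeyEnabled", False):
                flagged.append(bucket)
    return sorted(set(flagged))


def unscoped_s3_data_event_selectors(selectors: List[dict]) -> List[str]:
    """Finding 6: S3 object data-event selectors that carry no resources.ARN field,
    i.e. they log object-level events for every bucket in the account."""
    flagged = []
    for selector in selectors:
        fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        resource_type = fields.get("resources.type", {}).get("Equals", [])
        if "Data" in category and "AWS::S3::Object" in resource_type and "resources.ARN" not in fields:
            flagged.append(selector.get("Name", "<unnamed>"))
    return flagged


if __name__ == "__main__":
    print("SSE-KMS buckets without Bucket Keys:", buckets_missing_bucket_key(SAMPLE_BUCKET_ENCRYPTION))
    print("Bucket-wide S3 data-event selectors:", unscoped_s3_data_event_selectors(SAMPLE_ADVANCED_SELECTORS))
```

To run it against a live account, replace the two constructed samples with the boto3 responses named in the comments; the check logic is unchanged.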

The 90-day optimisation roadmap

  1. Days 1-15: Pull 12 months of Cost Explorer data by service. Identify the top three security cost drivers.
  2. Days 15-30: Audit GuardDuty and Security Hub configuration. Apply the highest-confidence cuts (Flow Log sampling, unused standards).
  3. Days 30-45: Audit CloudTrail data events. Scope to compliance buckets only.
  4. Days 45-60: Audit KMS usage. Enable S3 Bucket Keys.
  5. Days 60-75: Audit WAF and Shield. Consolidate ACLs and validate Shield Advanced subscription.
  6. Days 75-90: Build the negotiation case. Document recoverable spend, third-party alternatives, and competitive positioning.

Action checklist

  1. Inventory all eight security services with current monthly spend.
  2. Identify the top three cost drivers from Cost Explorer.
  3. Apply the highest-confidence configuration cuts identified above.
  4. Model AWS native versus Wiz or Palo Alto Prisma TCO.
  5. Scope security services as a distinct negotiation track in your next EDP cycle.
  6. Contact our advisory team for a security spend audit benchmarked against $2.4B+ of reviewed AWS spend.

Each of the eight services has a dedicated optimisation guide linked above. Start with the largest line item, fix the obvious misconfigurations, then negotiate the residual.

FedRAMP and government cloud security cost premium

AWS GovCloud (US-East and US-West) and the Secret Region carry materially different pricing for security services. The premium typically runs 20 to 50 percent above commercial regions for the same SKU, but the more important factor is service availability. Not all security services launch in GovCloud at parity with commercial regions. Macie, Inspector v2, and several Security Hub standards historically lagged GovCloud availability by 6 to 18 months. This affects compliance roadmap planning more than dollar cost.

For ITAR-regulated workloads in GovCloud, third-party CNAPP vendors offer FedRAMP High-authorised alternatives that may unblock visibility gaps. The TCO comparison is rarely apples-to-apples; document the security control mapping before pricing the alternative.

Logs aggregation as a hidden security cost

CloudWatch Logs, S3 log archival, and centralised SIEM ingestion are not technically "security services" but are paid for as part of the security program. A typical enterprise spends 20 to 40 percent of its total security budget on log ingestion and retention, not on the detection services themselves.

Cost drivers worth quantifying separately:

  • VPC Flow Logs S3 archival. 5 GB/day per VPC at $0.023/GB-month and 1-year retention.
  • CloudTrail S3 archival. Free for the first trail but multi-region multi-account aggregation adds storage cost.
  • ALB and CloudFront access logs. High-traffic estates produce TB-per-day volume.
  • GuardDuty findings exported to SIEM. Per-event SIEM ingestion at $0.40 to $5.00 per GB depending on vendor.
  • Config history. Configuration item recording at $0.003 per item, multiplied by resource churn.

The 90-day log audit is often the single highest-yield optimisation we run for enterprise security buyers, frequently recovering 30 to 50 percent of the log line items.

AWS Config: the silent security cost driver

AWS Config bills $0.003 per configuration item recorded plus $0.001 per Config rule evaluation. At an enterprise scale of 100,000 resources changing 2 to 5 times per day, Config can bill $40K to $90K per month before the rule evaluations on top.

Optimisation tactics:

  • Use Config recording with the daily snapshot model for accounts not subject to continuous compliance requirements.
  • Disable Config in non-production accounts unless your CSPM tool depends on it.
  • Apply Config aggregator at the organisation level to consolidate billing rather than per-account aggregation.
  • Audit Config Rules: many enterprises have 100+ rules, most of which duplicate Security Hub controls or third-party CNAPP coverage.

Security service tagging and chargeback

Most security services do not tag at the resource level (you cannot tag a Security Hub finding or a GuardDuty enablement). Allocating security cost to product lines or business units therefore requires proxy methods:

  • Allocate by source account, using AWS Organizations OU structure.
  • Allocate by region for global services.
  • Allocate by Cost Categories rules.

The mechanics are clunky but materially affect internal funding conversations. Without chargeback, security budget tends to live in central IT, which limits operational accountability and makes security cost optimisation a low-priority activity for product teams.

Renewal cycle timing

The optimal time to negotiate security services line items is 90 to 120 days before EDP renewal, with the audit complete and a credible third-party CNAPP quote in hand. Inside the final 30 days, AWS negotiating leverage drops because the renewal calendar pressure favours AWS.

Build the negotiation timeline backward from your EDP renewal date:

  1. T-180 days: Begin the security spend audit.
  2. T-150 days: Apply quick-win configuration optimisations.
  3. T-120 days: Engage one or two third-party CNAPP vendors for quotes.
  4. T-90 days: Begin AWS negotiation conversation with prepared comparison.
  5. T-60 days: Negotiation pressure phase; AWS often makes meaningful concessions here.
  6. T-30 days: Final terms and contract execution.

The same timing logic applies to standalone Shield Advanced renewal, which often falls outside the EDP window.

Detective and IAM Access Analyzer cost angles

Two adjacent services are worth understanding even though they sit outside the top eight by spend. Detective bills approximately $2.00 per GB of ingested data, with the first 1 TB free per account per month. For incident investigation workloads this is genuinely useful, but enterprises that enable Detective organisation-wide without a defined use case routinely produce $10K+/month bills for a service they never query.

IAM Access Analyzer's external access analysis is free. The unused-access analysis tier (released 2024) bills approximately $0.20 per IAM role analysed per month and additional per-resource fees. For organisations with 50,000+ IAM roles, this becomes $10K+/month. The optimisation: scope unused-access analysis to a representative sample of accounts and roles rather than the full estate, particularly during initial discovery.

Building the security cost dashboard

Most enterprises do not have a unified security cost dashboard. The data is in Cost Explorer (security service line items), in Security Hub (control effectiveness), in third-party CSPM (alternative posture), and in the SIEM (downstream ingestion). Without aggregation, nobody owns the conversation.

The minimum viable dashboard should answer three questions: what is total security spend this quarter compared with last quarter; which service line items are growing fastest; and what is the cost per finding generated, and is it improving over time.

Building this dashboard typically takes a security cost analyst two to four weeks. The ROI is significant: most enterprises identify 15 to 30 percent recoverable spend in the first quarter of dashboard use, before any vendor renegotiation conversation begins.

Organisational alignment: who owns security cost

Security cost optimisation falls between two stools: the security team owns the tools but not the budget, and the finance team owns the budget but not the tools. Without explicit ownership, security cost grows without scrutiny.

Best-practice ownership models:

  • A FinOps lead embedded in the security function with mandate to challenge tool selection and configuration.
  • Quarterly security spend reviews with the CFO and CISO jointly accountable.
  • Cost allocation tags tied to product line P&Ls so security spend lands somewhere with a budget owner.
  • Annual security stack rationalisation reviews comparing AWS native, third-party CSPM, and consolidated CNAPP TCO.

Vendor lock-in considerations

AWS native security services have low switching cost in absolute terms (you can disable Security Hub overnight) but high effective switching cost because of operational and data continuity. Findings history, suppression rules, automation playbooks, and team mental models all anchor to the current toolset.

When evaluating AWS native versus third-party CNAPP, factor in six to twelve months of historical findings data migration, three to six months of automation rebuild for any downstream playbooks, team retraining cost on the new tool, and the risk window where neither tool has full coverage during the transition. These soft costs often equal or exceed the first year of license fees. They do not invalidate consolidation but should be modelled honestly in the business case.

The board-level security cost narrative

Security cost grew at AWS approximately 35 percent year-over-year between 2020 and 2025 at most enterprises, well above the underlying AWS spend growth rate. Board-level conversations about cyber budget increasingly include AWS security line items as material.

Effective narratives we have seen work:

  • Cost per finding. Track the trend; declining is good even if absolute spend grows.
  • Mean time to remediate. Tie security investment to operational outcomes.
  • Compliance audit cost reduction. Audit Manager evidence collection replaces manual audit cycles worth six figures.
  • Risk-adjusted return on security investment. Docume
