AWS Pricing · Security & IAM

AWS security and IAM pricing, negotiated.

GuardDuty, Security Hub, Macie, KMS, WAF, Shield Advanced, and Inspector commercial terms — benchmarked across 500+ AWS engagements and $2.4B+ in reviewed spend.

$2.4B+ AWS spend reviewed · 500+ engagements · 38% avg reduction · $340M+ documented savings
Overview

Security spend is the line nobody questions until it's eight figures.

AWS security and identity services are the easiest line items on an AWS bill to ignore — until they aren't. GuardDuty, Security Hub, Macie, Detective, Inspector, KMS, WAF, Shield Advanced, Network Firewall, and Verified Permissions each carry their own usage-based pricing models, their own scaling characteristics, and their own optimization levers. Most enterprise customers turn them on for compliance, then discover two years later that security tooling represents 8% to 14% of their total AWS spend and is growing faster than the rest of the bill.

This page documents how each of AWS's security and identity services is priced, where the most common cost overruns occur, and what commercial levers are available inside an Enterprise Discount Programme (EDP), Private Pricing Addendum (PPA), or annual Shield Advanced subscription. We have benchmarked AWS security pricing across financial services, healthcare, public sector, SaaS, and retail customers — a representative sample of every regulatory profile that drives security tooling adoption at scale.

For customers spending more than $300K per year on AWS security services, the commercial conversation is meaningfully different. Volume-based service discounts, multi-account aggregation, finding ingestion caps, and Shield Advanced PPA pricing all become negotiable. For customers under that threshold, the optimization conversation is almost entirely about architecture and configuration. This page covers both.

Service-by-service

How each AWS security service is priced.

01 GuardDuty — usage-based detection

GuardDuty bills on the volume of CloudTrail management events, VPC Flow Logs, DNS query logs, S3 protection data events, EKS audit logs, Malware Protection scans, and RDS Protection login events. The single biggest line item is almost always S3 data event analysis on large estates. We typically see 40%+ savings by sampling, scoping, or excluding non-sensitive buckets. EDP volume tiers kick in at material spend.

02 Security Hub — per-control-evaluation

Security Hub bills on security checks (control evaluations) and finding ingestion events per region per account. In a 200-account organization with all CIS, PCI, and AWS Foundational benchmarks enabled, evaluation cost compounds quickly. We recommend disabling overlapping standards, scoping to relevant accounts, and using Security Hub's cross-region aggregation rather than multi-region duplication.

03 Macie — sensitive data discovery

Macie charges per GB scanned for sensitive data discovery jobs and per S3 bucket for ongoing inventory. The default configuration on a multi-petabyte S3 estate is financially catastrophic. Sampling-based scans, managed data identifiers tuned to your actual data types, and bucket exclusions for non-PII archive tiers typically cut Macie spend by 60% to 80%.

04 KMS — per-request and per-CMK

KMS charges per customer master key per month plus per 10,000 API requests. Symmetric customer-managed keys are inexpensive individually, but chatty applications doing per-record encrypt/decrypt without caching can drive KMS request bills into six figures. Data key caching, envelope encryption, and key consolidation are the standard optimization levers. Asymmetric and HSM-backed keys are materially more expensive — verify they are required.

05 WAF and Shield Advanced

WAF charges per web ACL, per rule, per million requests inspected, and per Bot Control / Captcha / Fraud Control add-on. Shield Advanced is a $3,000/month flat subscription per organization with usage-based data transfer fees during attacks. Shield Advanced is one of the most commonly negotiated AWS subscriptions — multi-year commits, organization-wide pricing, and attack-traffic credits are all PPA-eligible at higher spend tiers.

06 Inspector, Detective, and Network Firewall

Inspector charges per EC2 instance scanned, per Lambda function, per container image, and per assessment. Detective bills per GB of log volume ingested. Network Firewall bills per endpoint hour and per GB processed. All three are EDP-eligible. Detective frequently overlaps with GuardDuty workflows — we recommend a clear ownership decision before enabling both at scale.

07 IAM, IAM Identity Center, and Access Analyzer

Core IAM is free. IAM Identity Center (SSO) is free as an identity store. IAM Access Analyzer external access analyzers are free; unused-access analyzers and custom policy checks are billed per IAM role per month and per policy check. AWS Private CA is one of the most expensive line items in the identity portfolio at $400/month per CA — consolidate or use the short-lived certificate mode for substantial savings.
Negotiation levers

What is actually negotiable.

1. Volume tier pricing

GuardDuty CloudTrail and S3 data event volumes, Macie GB scanned, and Detective ingest all carry published volume tiers. At enterprise scale we routinely negotiate tier breakpoints lower than the public defaults inside the EDP.

2. Shield Advanced PPA

Shield Advanced is a flat subscription at list, but Private Pricing Addendums for multi-year commits and organization-wide coverage are common at $1M+ AWS spend tiers, with attack-traffic credit pools negotiable on top.

3. Multi-account aggregation

Security Hub, GuardDuty, and Macie all support delegated administrator accounts. Aggregating evaluation and ingest into a single account before billing materially changes the EDP-eligible spend profile and can simplify the negotiation.

Optimization checklist

Where the quick wins are.

Architecture-level

  • Sample, scope, or exclude non-sensitive S3 buckets from GuardDuty S3 protection and Macie scans.
  • Disable overlapping Security Hub standards (CIS vs. AWS Foundational) where controls duplicate.
  • Enable data key caching for chatty KMS workloads — typical 70%+ request reduction.
  • Consolidate AWS Private CA instances and use short-lived certificate mode where possible.
  • Aggregate findings to a single delegated administrator account to reduce per-region replication.
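The KMS lever described in section 04 and in the checklist item above (data key caching under envelope encryption) is easiest to see as a KMS call count. The following is an added example, not code from this page or from AWS: a stub KMS client that counts GenerateDataKey requests, a cache bounded by age, message count and plaintext bytes (the same three limits the AWS Encryption SDK's caching materials manager exposes), and a driver that envelope-protects 10,000 records with and without the cache. The key id `alias/placeholder`, the context values and the record data are constructed; the AES-GCM step that would use the plaintext data key is omitted so the block runs offline.

```python
import os
import time
from dataclasses import dataclass, field


@dataclass
class StubKms:
    """Constructed stand-in for a KMS client: every GenerateDataKey call is billable."""
    calls: int = 0

    def generate_data_key(self, key_id: str, context: dict):
        self.calls += 1
        plaintext_key = os.urandom(32)
        # Real KMS returns the key wrapped under key_id; this token is an opaque placeholder.
        wrapped_key = f"wrapped-under-{key_id}-#{self.calls}".encode()
        return plaintext_key, wrapped_key


@dataclass
class DataKeyCache:
    """Reuse one data key across records that share an encryption context,
    rotating it when any of the three usage limits is hit."""
    kms: StubKms
    key_id: str
    max_age_s: float = 60.0        # rotate after this many seconds
    max_messages: int = 1000       # ... or this many records protected
    max_bytes: int = 64 * 2 ** 20  # ... or this many plaintext bytes
    _entries: dict = field(default_factory=dict)

    def get_data_key(self, context: dict, nbytes: int):
        key = tuple(sorted(context.items()))  # context is part of the cache key
        e = self._entries.get(key)
        if (e is None or time.monotonic() - e["created"] > self.max_age_s
                or e["messages"] + 1 > self.max_messages or e["bytes"] + nbytes > self.max_bytes):
            plaintext_key, wrapped_key = self.kms.generate_data_key(self.key_id, context)
            e = {"plaintext": plaintext_key, "wrapped": wrapped_key,
                 "created": time.monotonic(), "messages": 0, "bytes": 0}
            self._entries[key] = e
        e["messages"] += 1
        e["bytes"] += nbytes
        return e["plaintext"], e["wrapped"]


def protect(records, context, kms, key_id, cache=None):
    """Envelope-protect each record: obtain a data key (cached or fresh) and store the
    wrapped key beside the record so it can be unwrapped and decrypted later."""
    envelopes = []
    for rec in records:
        if cache is not None:
            plaintext_key, wrapped_key = cache.get_data_key(context, len(rec))
        else:
            plaintext_key, wrapped_key = kms.generate_data_key(key_id, context)
        envelopes.append((wrapped_key, rec))  # AES-GCM of rec under plaintext_key omitted
    return envelopes
```

With `max_messages=1000`, the cached run makes one GenerateDataKey call per thousand records instead of one per record, which is where the 70%+ request reduction quoted above comes from; tighten the limits for higher-sensitivity data.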

Commercial

  • Roll all security services into EDP-eligible commitment to deepen the effective discount.
  • Negotiate Shield Advanced subscription terms and attack-traffic credit pool at renewal.
  • Push GuardDuty and Macie volume tier breakpoints into the PPA at $300K+ annual category spend.
  • Bundle Inspector and Detective into a single commercial conversation rather than negotiating each separately.
AWS security spend is negotiable.

500+ engagements. $2.4B+ AWS spend reviewed. We benchmark your security tooling commercials in 5 business days.