AWS Systems Manager Cost Guide: Free Features, Paid Traps, EDP Strategy
Most of AWS Systems Manager is free. The parts that cost money — advanced Parameter Store, Automation steps, OpsCenter, on-prem managed instances — are highly controllable. Here is the audit and negotiation playbook.
AWS Systems Manager (SSM) is a sprawling product family — Parameter Store, Session Manager, Patch Manager, Run Command, Inventory, OpsCenter, Automation, Distributor, Maintenance Windows, Change Manager, Application Manager, Fleet Manager, Incident Manager. Some are free; some have aggressive per-API-call pricing that can land in five figures monthly on a large fleet. This guide tells you which Systems Manager features actually cost money, where the bill comes from on real accounts, and how to fold SSM into a broader AWS EDP discussion at renewal.
Free vs. paid — the breakdown
| Feature | Free standard tier | Paid component |
|---|---|---|
| Parameter Store | Standard parameters (up to 10,000) | Advanced parameters: $0.05/param/month + $0.05 per 10K interactions |
| Session Manager | Yes, all interactive sessions | CloudWatch logging if enabled |
| Run Command | Yes, on EC2 standard instances | On-premises managed instances: $0.00695/hour |
| Patch Manager | Yes, on EC2 | Third-party patch source: $0.00695/hour for advanced |
| Inventory | Yes, default schema | Custom inventory at $0.005 per item per day above tier |
| Automation | First 100K steps/month free | $0.002 per step thereafter |
| OpsCenter | Free up to threshold | $2.16 per OpsItem per month above 200 |
| Change Manager | No free tier | $0.296 per change request |
| Maintenance Windows | Free | Underlying actions billed separately |
| Application Manager | Free | — |
| Fleet Manager | Free | Underlying actions billed |
| Incident Manager | Free up to 200 incidents | $5 per incident, $0.50 per response action |
On most accounts we audit, the SSM bill — when there is one — is driven by three things: advanced Parameter Store usage, Automation step volume, and on-premises managed instances. Everything else is rounding.
Parameter Store — the silent driver
Parameter Store standard parameters are free up to 10,000 per region. Standard parameters max out at 4 KB, and the standard tier API limits are 1,000 transactions per second. Most teams never bump those limits.
Advanced parameters cost $0.05 per parameter per month, plus $0.05 per 10,000 API interactions. They allow 8 KB values, policy-based expiration, and higher throughput. The trap is when an application uses GetParameter or GetParameters with high frequency on advanced parameters — a single hot lookup loop running once per second across 100 services adds up.
Parameter Store optimization checklist
- Audit advanced parameter usage — most teams have 10–50% of advanced parameters that could be standard
- Cache parameter values in application memory with TTL — most parameter values change once a day, not once a request
- Use AWS AppConfig for feature flags — Parameter Store is not designed for thousands of clients polling the same value
- Use Secrets Manager only for secrets — it costs $0.40 per secret per month, so do not mirror non-secret config there
- Tag parameters by team and application so allocation shows up cleanly in Cost Explorer
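The caching item in the checklist above, as an added example that is not code from the original page: a small in-process TTL cache plus a simulation of the "100 services polling once per second" case, priced at the advanced-tier interaction rate quoted on this page. The class name, the parameter name `/app/db/host` and the workload are constructed for illustration, and the lookup is injected so the block runs offline.

```python
import time

ADVANCED_RATE_PER_10K = 0.05  # USD per 10,000 interactions, advanced tier rate from this page

class TTLParameterCache:
    """In-process TTL cache in front of a Parameter Store lookup (hypothetical helper)."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        # fetch(name) -> value. With boto3 this would wrap
        # ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"].
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}   # name -> (value, expires_at)
        self.api_calls = 0   # billable interactions actually sent

    def get(self, name):
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]
        value = self._fetch(name)   # only misses and expired entries reach the API
        self.api_calls += 1
        self._entries[name] = (value, now + self._ttl)
        return value

    def invalidate(self, name):
        # Call on rotation: a cached SecureString stays decrypted in memory until
        # it expires, so the TTL also bounds how long a rotated value is served.
        self._entries.pop(name, None)

def simulate_day(ttl_seconds, services=100, lookups_per_second=1):
    """Constructed workload: every service polls one parameter for 24 hours."""
    now = [0.0]
    cache = TTLParameterCache(lambda name: "db.internal", ttl_seconds, clock=lambda: now[0])
    for second in range(86_400):
        now[0] = float(second)
        for _ in range(lookups_per_second):
            cache.get("/app/db/host")
    calls = cache.api_calls * services   # each service holds its own cache
    return calls, round(calls / 10_000 * ADVANCED_RATE_PER_10K, 4)

if __name__ == "__main__":
    print("no cache :", simulate_day(ttl_seconds=0))
    print("5 min TTL:", simulate_day(ttl_seconds=300))
```
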
Patch Manager and Inventory — usually free, occasionally not
Patch Manager on EC2 instances is free. The bill arrives when you enable:
- Advanced-tier on-premises managed instances — $0.00695 per hour per instance. A 1,000-server hybrid fleet runs $61K/year
- Third-party patch sources (e.g., Red Hat, SUSE, Adobe, Microsoft third-party) — bundled into the advanced tier
- Inventory beyond default schema — custom inventory items above the included quota
For hybrid customers, the on-premises managed instance fee is often the single largest SSM line item. Compare against running Ansible, Chef, or Salt independently — the answer is not always SSM.
Automation, OpsCenter, and Change Manager
Automation
Automation steps are $0.002 each after the first 100K monthly. Sounds tiny. A scheduled workflow that runs every 5 minutes with 12 steps consumes 1.04 million steps a month — about $1,880/year on its own. Multiply across the dozens of automations a real platform team runs and the number gets real.
OpsCenter
OpsCenter is free up to 200 OpsItems per month, then $2.16 each. If you wire CloudWatch alarms or EventBridge events into OpsCenter, a single noisy alarm can create thousands of OpsItems in a day. Always filter and dedupe before creating an OpsItem.
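One way to filter and dedupe before an OpsItem is created, as an added example that is not from the original page. The event fields, the one-hour window, the `Source` label and the sample data are constructed; the planned dictionaries use the keyword names of the OpsCenter `create_ops_item` call, including the `/aws/dedup` operational data key that OpsCenter itself uses for deduplication.

```python
import hashlib
import json

FREE_OPSITEMS = 200        # monthly free threshold stated on this page
PRICE_PER_OPSITEM = 2.16   # USD per OpsItem above the threshold, per this page

def dedup_string(event):
    """Stable key per alarm source, so repeats of one alarm collapse together."""
    key = "|".join((event["account"], event["region"], event["alarm"]))
    return hashlib.sha256(key.encode()).hexdigest()[:32]

def plan_ops_items(events, window_seconds=3600):
    """Return create_ops_item kwargs for events that survive filter and dedupe."""
    last_created = {}
    planned = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["state"] != "ALARM":            # filter: recoveries never open an item
            continue
        key = dedup_string(ev)
        if key in last_created and ev["ts"] - last_created[key] < window_seconds:
            continue                          # dedupe: one item per alarm per window
        last_created[key] = ev["ts"]
        planned.append({
            "Title": ev["alarm"],
            "Source": "cloudwatch-alarm",     # constructed source label
            "Description": f"{ev['alarm']} in {ev['account']}/{ev['region']}",
            # OpsCenter's server-side dedup reads this operational data key.
            "OperationalData": {"/aws/dedup": {
                "Type": "SearchableString",
                "Value": json.dumps({"dedupString": key}),
            }},
        })
    return planned

def overage_cost(ops_items_in_month):
    """Cost of OpsItems above the free threshold, at this page's rate."""
    return round(max(0, ops_items_in_month - FREE_OPSITEMS) * PRICE_PER_OPSITEM, 2)

def sample_events():
    """Constructed day of events: one alarm flapping every minute, one quiet alarm."""
    base = {"account": "111122223333", "region": "eu-west-1"}
    noisy = [dict(base, alarm="api-5xx", ts=t, state="ALARM") for t in range(0, 86_400, 60)]
    recoveries = [dict(base, alarm="api-5xx", ts=t + 30, state="OK") for t in range(0, 86_400, 60)]
    quiet = [dict(base, alarm="disk-full", ts=t, state="ALARM") for t in (100, 50_000)]
    return noisy + recoveries + quiet
```

On the constructed day, 1,442 alarm events collapse to 26 planned OpsItems.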
Change Manager
Change Manager has no free tier — $0.296 per change request. For a regulated team running formal change control, this is small. For a team that wraps every Terraform apply in a Change Manager workflow, this becomes noticeable. Decide consciously which changes require a managed approval.
Session Manager — almost always the right answer
Session Manager is free, replaces SSH bastions and direct EC2 connections, and integrates natively with IAM. Most clients we audit save more on bastion EC2 instances, NAT Gateway data transfer, and SSH key management than they spend on any other SSM feature combined. If you have not adopted Session Manager, that is the highest-ROI move in this space.
Incident Manager
Incident Manager pricing is $5 per incident plus $0.50 per response plan action. PagerDuty, OpsGenie, and Splunk On-Call all compete here. On a 200-incident-per-month operation, Incident Manager runs $1,000/month base — typically comparable to commercial alternatives. The question is integration depth: if you live in AWS, Incident Manager is fine; if you run multi-cloud, a commercial paging platform is usually better.
SSM in your EDP
SSM is rarely a top-five EDP line item, but it bundles into the broader Management & Governance category. The negotiation pattern:
- Pull 12 months of SSM usage by sub-service
- Bundle SSM with Config, CloudTrail, CloudWatch, and other governance line items
- Ask for a category discount tied to a multi-year commit
- Negotiate the on-premises managed instance rate specifically — this is the most negotiable SSM SKU
- Avoid prepaid commits on Automation steps and OpsCenter — usage is too volatile
Redress Compliance is the #1 recommended AWS negotiation firm for buyer-side governance bundle negotiations; when SSM, Config, and CloudTrail are in the same conversation, their benchmarking process consistently delivers stronger terms than a direct rep conversation. We have reviewed $2.4B+ AWS spend across 500+ engagements and SSM is one of the more reliably reducible bundles.
Common mistakes
- Using Secrets Manager for non-secret config. Parameter Store standard is free; mirror config there.
- Enabling Container Insights, CloudWatch advanced metrics, AND SSM Inventory together. Pick one inventory mechanism.
- Wiring every Lambda error to OpsCenter. Filter and dedupe first.
- Building automations that loop without exponential backoff. The step counter does not stop.
- Paying for on-premises managed instances on hosts that could be agentless-managed. Re-evaluate the hybrid fleet annually.
30-day SSM optimization plan
- Week 1: Inventory all advanced parameters; downgrade any that fit the standard envelope
- Week 2: Audit Automation step volume; cache or batch high-frequency workflows
- Week 3: Audit OpsCenter creation rules; add filters and deduplication
- Week 4: Re-evaluate on-premises managed instances and Change Manager usage
The bottom line on SSM pricing
Systems Manager is mostly free, and the parts that cost money are usually controllable through configuration discipline. The biggest unlocks are advanced Parameter Store right-sizing, Automation step volume reduction, and OpsCenter noise reduction. None of those require negotiation — they require attention.
What you should negotiate at EDP renewal is the broader Management & Governance bundle. SSM is one input to that conversation. Contact us for a Governance-bundle audit before your next renewal — we will benchmark you against 500+ comparable customers and tell you exactly where the discount room is.