Compliance Cost Estimates
Every SOC 2 guide tells you to enable GuardDuty, Security Hub, Config, Macie, and Audit Manager. Almost none of them tell you what that costs.
This page gives real cost estimates at three scales and shows which controls are expensive enough to plan around.
AWS pricing changes. These figures are representative estimates — verify current prices at aws.amazon.com/pricing and use the AWS Pricing Calculator for your specific workload.
Cost by Service
AWS CloudTrail
| Trail type | Cost |
|---|---|
| First management events trail per region | Free |
| Additional management event trails | $2.00 per 100,000 events |
| S3 data events | $0.10 per 100,000 events |
| Lambda data events | $0.10 per 100,000 events |
Watch out for S3 data events. If you enable data events on a high-traffic S3 bucket (an image CDN, log archive, etc.), costs scale fast. A bucket with 1 billion GET requests/month = $1,000/month in CloudTrail data events alone.
Mitigation: Use Advanced Event Selectors to include only PutObject and DeleteObject on buckets containing customer data, not GetObject on read-heavy public buckets.
Typical cost (1 account, management events only): ~$0–$10/month
Typical cost (with targeted data events): ~$20–$150/month
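To make the mitigation concrete, here is an added Python example (not code from the original page) that builds the advanced event selector document and compares the monthly data-event bill for a naive "log everything" trail against the scoped one. The bucket names and request counts are constructed sample data, and the rate is the representative $0.10 per 100,000 events quoted above; the JSON it prints is what you hand to aws cloudtrail put-event-selectors --advanced-event-selectors file://selectors.json.

```python
import json

# Representative CloudTrail data-event rate from this page (verify current pricing).
DATA_EVENT_PRICE_PER_100K = 0.10

# Constructed sample traffic: monthly S3 requests per bucket (not real data).
SAMPLE_TRAFFIC = {
    "cdn-images":       {"reads": 1_000_000_000, "writes": 5_000_000},
    "customer-uploads": {"reads": 20_000_000,    "writes": 2_000_000},
}


def advanced_event_selectors(customer_data_buckets):
    """CloudTrail advanced event selectors that keep all management events
    and log S3 data events only for write operations on the given buckets.

    The first selector is required: once a trail uses advanced event
    selectors, management events are logged only if listed explicitly.
    """
    prefixes = [f"arn:aws:s3:::{b}/" for b in customer_data_buckets]
    return [
        {
            "Name": "All management events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
            ],
        },
        {
            "Name": "Write data events on customer-data buckets only",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                # readOnly=false covers PutObject, DeleteObject, CopyObject,
                # CompleteMultipartUpload etc.; GetObject/HeadObject are never logged.
                {"Field": "readOnly", "Equals": ["false"]},
                {"Field": "resources.ARN", "StartsWith": prefixes},
            ],
        },
    ]


def logged_events(traffic, customer_data_buckets=None):
    """Monthly S3 data events the trail would record.

    customer_data_buckets=None models the naive config (all data events on
    every bucket); otherwise only writes on the listed buckets are counted.
    """
    if customer_data_buckets is None:
        return sum(t["reads"] + t["writes"] for t in traffic.values())
    return sum(traffic[b]["writes"] for b in customer_data_buckets)


def monthly_data_event_cost(events):
    """USD per month for a given number of logged data events."""
    return round(events / 100_000 * DATA_EVENT_PRICE_PER_100K, 2)


if __name__ == "__main__":
    naive = monthly_data_event_cost(logged_events(SAMPLE_TRAFFIC))
    scoped = monthly_data_event_cost(
        logged_events(SAMPLE_TRAFFIC, ["customer-uploads"]))
    print(f"all data events: ${naive:,.2f}/month; scoped: ${scoped:,.2f}/month")
    print(json.dumps(advanced_event_selectors(["customer-uploads"]), indent=2))
```

On the constructed profile the naive trail costs about $1,027/month and the scoped one $2/month. Keep the first selector: a trail that uses advanced event selectors logs management events only if they are listed explicitly, so dropping it silently turns off the management-event logging every SOC 2 control depends on. Matching readOnly=false instead of naming PutObject and DeleteObject also catches CopyObject, multipart uploads and ACL changes.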
Amazon GuardDuty
GuardDuty pricing is based on volume of log data analyzed:
| Data source | Price |
|---|---|
| CloudTrail management events | $4.00/million events (first 500M) |
| CloudTrail S3 data events | $0.80/million events |
| VPC Flow Logs | $1.00/GB (first 500 GB), $0.50/GB thereafter |
| DNS logs | $1.00/GB |
| EKS audit logs | $0.60/million events |
| Runtime monitoring (ECS/EKS/EC2) | $0.025 per vCPU-hour |
| Lambda network activity | $1.00/million invocations |
| RDS login activity | $0.30 per instance per month |
The 30-day free trial is per account per region. In a multi-account org, each account gets its own trial.
| Scale | Monthly estimate |
|---|---|
| 1 account, light traffic, no runtime monitoring | $20–$80 |
| 1 account, moderate traffic, EKS runtime monitoring (20 vCPU) | $150–$400 |
| 5 accounts, moderate traffic | $500–$1,500 |
| 10+ accounts with full data sources enabled | $1,500–$5,000+ |
Cost optimization: Disable data sources you don't need for your threat model. If you don't use Lambda, disable Lambda network monitoring. If you have no EKS clusters, disable EKS protection.
Reference: GuardDuty pricing →
AWS Security Hub
| Item | Price |
|---|---|
| Security standards checks | $0.0010 per check (first 100,000 per account per region per month; cheaper tiers above that) |
| Findings ingested from Security Hub's own standards checks | Free |
| Other findings ingested (GuardDuty, Inspector, third-party tools), first 10,000 per account per region per month | Free |
| Other findings ingested beyond 10,000 | $0.00003 per finding |
Small orgs rarely pay much for ingestion: findings from Security Hub's own checks are free to ingest, and 10,000 other findings per account per region per month is a lot for a small environment. The line that does grow is the per-check charge, which scales with the number of resources times the number of enabled standards. AWS Config must be enabled for the checks to run, so Config's recording charges (next section) come with it.
| Scale | Monthly estimate |
|---|---|
| 1 account, AWS sources only | $0–$30 |
| 5 accounts, AWS sources only | $10–$80 |
| 10+ accounts with third-party integrations | $80–$300 |
Reference: Security Hub pricing →
AWS Config
Config charges for configuration items recorded and rule evaluations:
| Item | Price |
|---|---|
| Configuration items recorded (per item) | $0.003 |
| Config rule evaluations | $0.001 per evaluation |
Config is often the biggest surprise. In an active account:
- Each resource change = 1 configuration item recorded
- A deployment that updates 50 resources = 50 configuration items = $0.15
- In a busy account doing 10 deployments/day: 500 items/day × 30 days = 15,000 items = $45/month just for recording
- With 50 periodic rules, each evaluating ~30 in-scope resources once a day: 1,500 evaluations/day × 30 = 45,000 evaluations = $45/month for rules (change-triggered rules also fire on every recorded change, on top of this)
| Scale | Monthly estimate |
|---|---|
| 1 account, low deployment frequency | $10–$40 |
| 1 account, active CI/CD with many resources | $60–$200 |
| 5 accounts, active development | $200–$700 |
| 10+ accounts, full org coverage | $500–$2,000 |
Cost optimization: Exclude high-churn resource types that don't affect SOC 2 controls (e.g., AWS::EC2::NetworkInterface, which Fargate, Lambda and autoscaling create and delete constantly). Use recording groups to record only the resource types that matter for compliance, and consider daily (periodic) recording for types where a once-a-day snapshot is enough evidence.
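As an added example (Python, not code from the original page), the following builds the configuration recorder document for aws configservice put-configuration-recorder with an exclusion-based recording group and daily recording frequency, and estimates the monthly Config bill for the deployment pattern worked through above. The excluded and continuously recorded resource types, the recorder name and the role ARN are assumptions; the rates are this page's representative figures plus the published tiers for rule evaluations.

```python
import json

# Representative AWS Config rates from this page (verify current pricing).
CONFIG_ITEM_PRICE = 0.003
# Rule evaluations are tiered: (evaluations in tier, price per evaluation).
RULE_EVAL_TIERS = [(100_000, 0.0010), (400_000, 0.0008), (float("inf"), 0.0005)]

# Assumed high-churn type to drop: ENIs are created and deleted constantly by
# Fargate tasks, Lambda and autoscaling and carry no SOC 2 control evidence.
HIGH_CHURN_TYPES = ["AWS::EC2::NetworkInterface"]

# Assumed set of types whose every change must be recorded as evidence.
CONTINUOUS_TYPES = [
    "AWS::IAM::User", "AWS::IAM::Role", "AWS::IAM::Policy",
    "AWS::EC2::SecurityGroup", "AWS::S3::Bucket", "AWS::KMS::Key",
]


def configuration_recorder(role_arn, exclude=HIGH_CHURN_TYPES,
                           keep_continuous=CONTINUOUS_TYPES):
    """Input document for `aws configservice put-configuration-recorder`.

    Records every supported type except `exclude`, once a day (only when a
    resource changed), but keeps change-level recording for `keep_continuous`.
    """
    return {
        "name": "default",  # assumed recorder name
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "exclusionByResourceTypes": {"resourceTypes": list(exclude)},
            "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        },
        "recordingMode": {
            "recordingFrequency": "DAILY",
            "recordingModeOverrides": [{
                "description": "Change-level evidence for access-control resources",
                "resourceTypes": list(keep_continuous),
                "recordingFrequency": "CONTINUOUS",
            }],
        },
    }


def monthly_items(resources_changed_per_day, changes_per_resource_per_day,
                  daily=False, days=30):
    """Configuration items recorded per month.

    Continuous recording writes one item per change; daily recording writes
    at most one item per changed resource per day.
    """
    per_day = resources_changed_per_day * (1 if daily else changes_per_resource_per_day)
    return per_day * days


def monthly_evaluations(periodic_rules, resources_per_rule, days=30,
                        change_triggered_rules=0, changes_per_month=0):
    """Periodic rules evaluate each in-scope resource daily; change-triggered
    rules fire once per recorded change they apply to."""
    return (periodic_rules * resources_per_rule * days
            + change_triggered_rules * changes_per_month)


def tiered_cost(quantity, tiers):
    """Charge `quantity` units across price tiers, cheapest tier last."""
    cost, remaining = 0.0, quantity
    for size, price in tiers:
        take = min(remaining, size)
        cost += take * price
        remaining -= take
        if remaining <= 0:
            break
    return cost


def config_monthly_cost(items, evaluations):
    """USD per month for recorded items plus tiered rule evaluations."""
    return round(items * CONFIG_ITEM_PRICE + tiered_cost(evaluations, RULE_EVAL_TIERS), 2)


if __name__ == "__main__":
    # The page's example: 10 deployments/day touching the same 50 resources,
    # 50 periodic rules evaluating ~30 resources each.
    evals = monthly_evaluations(50, 30)
    print("continuous:", config_monthly_cost(monthly_items(50, 10), evals))
    print("daily:     ", config_monthly_cost(monthly_items(50, 10, daily=True), evals))
    print(json.dumps(configuration_recorder(
        "arn:aws:iam::123456789012:role/config-role"), indent=2))
```

For the page's example this gives $90/month with continuous recording and $49.50/month with daily recording, because daily recording collapses the 15,000 items from ten deployments a day to 1,500 (one per changed resource per day). The override keeps IAM, security group, S3 bucket and KMS key changes at change-level granularity: a once-a-day snapshot would miss a permission that was opened and closed within the same day, which is exactly the kind of event a change-management control exists to catch. Evaluate the trade-off per resource type against the controls you are evidencing, not just the bill.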
Reference: Config pricing →
Amazon Macie
| Item | Price |
|---|---|
| S3 bucket inventory and monitoring | $1.00 per bucket per month (first 1,000 buckets) |
| Sensitive data discovery (per GB scanned) | $1.00 per GB (first 1 GB free per job) |
Macie is optional for SOC 2: it's most relevant if you store PII or PHI and need evidence of sensitive-data controls. It's commonly used as HIPAA evidence for PHI discovery, but neither HIPAA nor SOC 2 auditors mandate a specific tool.
The sensitive data discovery cost scales with data volume. If you have a 10 TB S3 archive and run a classification job: $10,240 for that one job.
Mitigation: Run discovery jobs only on buckets that contain or might contain customer data. Tag in-scope buckets and use Macie's bucket criteria to scope jobs to those tags, and use scoping rules to skip object types that can't hold customer data (images, build artifacts, compressed logs you've already classified).
| Scale | Monthly estimate |
|---|---|
| 10 buckets, no discovery jobs | $10 |
| 50 buckets, quarterly discovery on 500 GB | $50/month + ~$500 per quarterly job |
| 200 buckets, monthly discovery on 5 TB | ~$5,300/month |
Reference: Macie pricing →
AWS Audit Manager
Audit Manager automates evidence collection and maps it to SOC 2 TSC criteria. It's the most expensive optional service on this list and is often skipped at smaller companies in favour of manual evidence collection.
| Item | Price |
|---|---|
| Active assessment | $1.25 per assessment per day |
| Resources in scope | $0.50 per resource per day |
A typical SOC 2 assessment with 100 AWS resources in scope running for 180 days:
- Assessment: 1 × $1.25 × 180 = $225
- Resources: 100 × $0.50 × 180 = $9,000
- Total: ~$9,225 for the assessment period
This is often more expensive than the manual effort to collect evidence, which is why Audit Manager makes economic sense only at larger scale (many accounts, many audits per year, or Audit Manager replacing a compliance platform like Vanta/Drata).
Reference: Audit Manager pricing →
Total Cost Estimates by Company Size
These are all-in estimates including CloudTrail, GuardDuty, Security Hub, Config, and VPC Flow Logs (Macie and Audit Manager excluded unless noted).
| Profile | AWS accounts | Monthly estimate | Notes |
|---|---|---|---|
| Seed/Series A startup | 1–2 accounts, light traffic | $100–$300/month | GuardDuty dominates; Config low due to few resources |
| Series B | 3–5 accounts, active development | $400–$900/month | Config costs rise with deployment frequency |
| Series C / growth | 6–15 accounts, multi-region | $1,000–$2,500/month | GuardDuty multi-account aggregation; consider runtime monitoring |
| Enterprise | 20+ accounts, full data sources | $3,000–$10,000+/month | Runtime monitoring and Macie add significantly |
Add ~$15,000–$60,000 for the audit firm fee (separate from AWS costs).
Cost Optimization Checklist
[ ] Use Advanced Event Selectors in CloudTrail — exclude GetObject on read-heavy public buckets
[ ] Scope GuardDuty data sources — disable runtime monitoring on non-sensitive workloads
[ ] Use Config recording groups — exclude high-churn transient resource types
[ ] Scope Macie jobs — only run on buckets tagged as containing customer data
[ ] Use the GuardDuty 30-day trial to size spend, not to defer coverage. A Type II observation window needs GuardDuty running continuously, and the trial saves at most one month per account per region
[ ] Enable Audit Manager only if audit costs justify it (typically 10+ accounts or 3+ audits/year)
[ ] Consolidate to fewer accounts where isolation permits. Each account multiplies fixed per-account costs, but keep the boundaries that separate production from development and one tenant from another: they are a blast-radius control, not overhead
[ ] Don't plan on Savings Plans / Reserved pricing. Neither applies to these services (all on-demand)
[ ] Set CloudWatch billing alarms at 80% and 100% of expected monthly compliance spend
Set a billing alarm. The EstimatedCharges metric is published only in us-east-1, and only after "Receive Billing Alerts" is enabled under Billing preferences, so the alarm and the SNS topic it notifies must both live in that region:

```bash
aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name ComplianceSpendAlert \
  --metric-name EstimatedCharges \
  --namespace AWS/Billing \
  --statistic Maximum \
  --period 86400 \
  --threshold 500 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:us-east-1:<account>:billing-alerts \
  --dimensions Name=Currency,Value=USD
```

With only the Currency dimension this fires on the whole account's month-to-date bill. To watch one service, add a ServiceName dimension (e.g., Name=ServiceName,Value=AmazonGuardDuty or Value=AWSConfig) and create one alarm per service; there is no dimension that groups the compliance services together, so the 80% and 100% thresholds have to be set per service or on the account total.
What the Audit Firm Costs
For completeness — AWS tooling is only part of the spend.
| Firm type | Type I | Type II |
|---|---|---|
| Big 4 / Top 10 CPA firm | $40,000–$100,000 | $75,000–$200,000+ |
| Mid-market CPA firm | $20,000–$45,000 | $35,000–$80,000 |
| Specialist SOC 2 firm | $12,000–$25,000 | $22,000–$50,000 |
Compliance automation platforms (Vanta, Drata, Secureframe, Tugboat Logic) run $12,000–$40,000/year and include evidence collection, policy templates, and auditor collaboration portals. They can reduce audit firm fees by 20–40% by delivering cleaner evidence packages.
Reference: AWS Pricing Calculator → · GuardDuty pricing → · Config pricing →