1. Accelerator Pricing(link)
1.1. Overview(link)
The AWS Secure Environment Accelerator (ASEA) is available free of charge as an open source solution on GitHub. You are responsible for the cost of the AWS services enabled, configured, and deployed by the solution.
The ASEA solution enables, configures and deploys two types of AWS services: services leveraged by the ASEA itself to deliver its capabilities; and services orchestrated by the ASEA to help create a secure multi-account AWS foundation for your users and workloads.
The pricing for services leveraged by the ASEA are relatively consistent and small. The pricing for services orchestrated by the ASEA can vary dramatically based on the underlying architecture, services and features selected by a customer through the customizable configuration file.
Most of the provided example ASEA configuration files (except ultra-lite) build a highly available and scalable multi-datacenter environment with hyperscale routing and enterprise grade security worldwide, something that would cost tens of millions of dollars on-premises and still not achieve the same results.
As shown below, different configuration files can dramatically change the monthly cost of running the solution from $30/month, to $1500/month, to $2400/month, to over $3700/month. The price of the deployed solution is 100% dependent on what the customer deploys, and not on the Accelerator automation engine itself. While the example deployment(s) may appear expensive when used solely for testing in a personal account, they typically only represent a very small percentage of a production customers AWS spend. The examples were designed to minimize costs as a customer scales.
This document is designed to assist customers in understanding the pricing associated with operating the example ASEA configuration files. For full pricing details, please refer to each services pricing page.
1.2. Example Configuration File Pricing(link)
The pricing found in this document is provided as an example only. Pricing represents reasonably steady state, minimal activity or traffic flows, and only includes sample workload accounts when they exist in the example config files.
Pricing is based on the ca-central-1 region, a month with 31 days (744 hours), on-demand pricing and Bring Your Own Licensing (BYOL) for any 3rd party firewalls. This is estimated pricing, the solution is regularly updated and pricing is dependent on the actual version and configuration used to implement the solution.
Any changes to the example configuration file will impact the pricing. These estimates do not include any customer workloads, workloads must be independently priced.
1.2.1. Pricing by Configuration file(link)
The following table provides the estimated monthly pricing based on the example configuration. Additional information on each of the example config files can be found here.
| Example Configuration |
Description | Estimated Monthly Pricing |
|---|---|---|
| Ultra-Lite | This configuration file was created to represent an extremely minimalistic Accelerator deployment, to demonstrate the art of the possible for an extremely simple config. This example is NOT recommended as it violates many AWS best practices. | $30 |
| Test | Designed to reduce solution costs, while demonstrating full solution functionality (Use for testing Full/Lite configurations or Low Security Profiles). Based on Lite Config w/AWS Network Firewall. | $1,500 |
| Lite | Same as Full Config with the following changes: 1) Reduces the FortiGate instance sizes from c5n.2xl to c5n.xl (VM08 to VM04); 2) Only deploys the 9 required centralized Interface Endpoints (removes 50). All services remain accessible using the AWS public endpoints, but require traversing the perimeter firewalls; 3) Removes the perimeter VPC Interface Endpoints; 4) Removes the Unclass ou and VPC. Four variants of the lite configuration file are provided: - AWS Control Tower w/AWS Network Firewall instead of IPSEC VPN Firewalls (recommended starting point) - AWS Network Firewall instead of IPSEC VPN Firewalls - IPSEC VPN integrated 3rd party firewalls - AWS Gateway Load Balancer integrated 3rd party firewalls |
$2,575 $2,550 $2,450 +FW lic. $2475 +FW lic. |
| Full | Large IPSEC VPN Firewalls w/Endpoints - The full configuration file was based on feedback from customers moving into AWS at scale and at a rapid pace. Customers of this nature have indicated that they do not want to have to upsize their perimeter firewalls or add Interface endpoints as their developers start to use new AWS services. These are the two most expensive components of the deployed architecture solution. | $4,200 |
1.2.2. Pricing by AWS Account (All Configurations)(link)
The following table provides the estimated monthly pricing per AWS account for each of the example configuration files.
| AWS Account | Description | Ultra Lite |
Test | Lite | Full |
|---|---|---|---|---|---|
| Management | This is the organization management or root account. This account aggregates organization wide billing, and is used to manage the Accelerator, AWS SSO and SCPs. Access to this account must be highly restricted. This account should not contain any customer resources or workloads. | $10 | $75 | $140 | $140 |
| Operations | This Account is used for centralized IT operational resources (MAD, rsyslog, ITSM, etc.) which need to made available to all accounts in the organization and would generally be used and managed by the Cloud Operations team. | - | $275 | $680 | $680 |
| Security | The security account is generally used and managed by the customers security and compliance teams, and contains an organizations security tooling and consoles. This account functions as the organization administrative account for Security Hub, GuardDuty, Macie, Firewall Manager, and Access Analyzer. This account also has the ability to assume a view-only role in every account in the organization to conduct security investigations. | $5 | $10 | $25 | $25 |
| Log Archive | The log archive account provides a central aggregation and secure long-term storage location for all logs created within the AWS organization. Logs created in every account in the organization are centralized to an S3 bucket in this account. | $15 | $35 | $55 | $55 |
| Perimeter | This account is used as the centralized internet facing ingress/egress point and contains edge security services for the organizations IaaS based workloads. | - | $590 | $410-$700 | $1,200 |
| Shared Network | This account is used for centralized or shared networking resources and will typically contain a transit gateway to enable routing between different AWS based and on-premises networks. If a centralized or shared VPC architecture is deployed, this account will also contain VPCs (i.e. Dev, Test, Prod) which are shared via RAM sharing to accounts within designated OUs in the organization. If a spoke architecture is used, the Transit gateway is instead shared to the accounts within the organization. | - | $515 | $825-$995 | $1,950 |
| MyDev1 | This is an optional sample workload account which lives in the Dev organizational unit. Dev accounts have a full set of security guardrails similar to a production accounts and are designed to be used by developers. These accounts leverage either local or centralized networking and are connected to the organizations network via the centralized transit gateway, which is used to access the internet via the perimeter security account or on-premises networks. | - | - | $80 | $80 |
| TheFunAccount | This is an optional sample workload account that is created in Sandbox organizational unit. Sandbox accounts are designed for experimentation only, as they have the fewest guardrails, and provide the most cloud native experience. These accounts leverage localized networking and are fully isolated from all other organization networks, with no transit gateway connectivity and direct internet access via a local internet gateway. | - | - | $70 | $70 |
| TOTAL | Estimated Monthly Pricing | $30 | $1500 | $2,450 - $2,575 | $4,200 |
1.2.3. Detailed Pricing by AWS Service (Lite Config – IPSec VPN Active/Active Firewalls)(link)
We picked a single example configuration file to provide detailed pricing per service.
The following table provides the estimated monthly pricing per AWS services provisioned by the Accelerator, across all accounts, for the Lite – IPSec VPN configuration.
| AWS service | Quantity | Estimated Monthly Pricing |
|---|---|---|
| CloudTrail (All Regions) | $28 | |
| CloudWatch (All Regions) | $35 | |
| CloudWatch Events (All Regions) | $0 | |
| CodeBuild | $2 | |
| CodeCommit | $0 | |
| CodePipeline | $0 | |
| Config (All Regions) | $85 | |
| Data Transfer | $0 | |
| Directory Service | - Managed Active Directory (2 domain controllers) - Shared Directory (2 accounts) - Small AD Connector (1) |
$444 |
| DynamoDB | $0 | |
| EC2 Container Registry (ECR) | $0.2 | |
| Elastic Compute Cloud (EC2) | - NAT Gateway (1) - Remote Desktop Gateway (1 x Windows t3.large) - rsyslog Servers (2 x Linux t3.large) - Fortinet Firewalls (2 x Linux c5n.xlarge) - EBS Volumes (30 GB x 3 instances, 100 GB x 2 instances) |
$669 |
| Elastic Load Balancing | - Application Load Balancing (2) - Network Load Balancing (rsyslog) (1) |
$55 |
| GuardDuty (All Regions) | $41 | |
| Key Management Service (All Regions) | $44 | |
| Kinesis | $12 | |
| Kinesis Firehose | $2 | |
| Lambda (All Regions) | $0 | |
| Macie (All Regions) | $4 | |
| Route 53 | - HostedZones (11) - Resolver Network Interfaces (4) |
$378 |
| Secrets Manager | $5 | |
| Security Hub (All Regions) | $97 | |
| Simple Notification Service (All regions) | $0 | |
| Simple Queue Service (All Regions) | $0 | |
| Simple Storage Service (All regions) | $6 | |
| Step Functions | $1 | |
| Systems Manager | $0 | |
| Virtual Private Cloud | - VPC Endpoints (18) - VPN Connections (2) - Transit Gateway VPC Attachments (5) - Transit Gateway VPN Attachments (2) |
$542 |
| TOTAL | Estimated Monthly Pricing | $2,450 |