AWS IAM access analyser pricing

Pricing overview

The AWS Identity and Access Management (IAM) access analyser guides you towards least privilege by providing tools to set, verify and refine permissions. IAM access analyser provides access analysis findings, policy checks and policy generation.

When you enable IAM access analyser, you create an analyser, which regularly checks your accounts or AWS organisation for external access and unused access. The analyser generates access findings for your IAM roles, IAM users and AWS resources. You can enable two types of analysers, an external access analyser and an unused access analyser:

  • An external access analyser creates public and cross-account access findings for AWS resources. This is provided at no additional charge.
  • An unused access analyser inspects unused access to guide you towards least privilege. This is a paid feature. For every unused access analyser you enable, you pay per IAM role or IAM user per month. Because IAM roles and users are global, you need to enable only one analyser across all regions in a partition.

Unused access analyser charges occur once during set-up, and then monthly on the first day of the month.

IAM access analyser also offers two types of policy checks:

  • IAM access analyser policy validation guides you to author and validate secure and functional policies based on IAM best practices. This is provided at no additional charge.
  • IAM access analyser customised policy checks validate, before deployment, that developer-authored policies adhere to your specified security standards. This is a paid feature. Customised policy checks use automated reasoning – provable security assurance backed by mathematical proof – so that security teams can proactively detect non-conformant updates to policies. For customised policy checks, you are charged based on the number of checks you run by calling the IAM access analyser APIs.

IAM access analyser policy generation creates fine-grained policies based on the access activity captured in your logs. This is provided at no additional charge.

Pricing

  • Unused access
  • Pricing examples

    Example 1:

    You have one account with 10 IAM users and 60 IAM roles. You have enabled the IAM access analyser unused access analyser for this account in the AWS European Sovereign Cloud (Germany) region.

    Total number of IAM roles or users analysed in a month
    10 users + 60 roles = 70 IAM roles and users

    Cost of analysis
    £0.19737151 * 70 IAM roles and users = £13.8160057 per month

    Example 2:

    You have five accounts in your AWS organisation. You have enabled the unused access analyser for this organisation in the AWS European Sovereign Cloud (Germany) region. The following is a breakdown of the number of IAM roles and users in each account and the total monthly cost.

    Account no.   Number of IAM roles   Number of IAM users   Total per account
    1             150                   10                    160
    2             200                   15                    215
    3             100                   20                    120
    4             250                   10                    260
    5             80                    15                    95
    Total IAM roles and users in the organisation             850

    Cost of analysis
    £0.19737151 * 850 IAM roles and users = £167.7657835 per month

  • Customised policy checks
  • Pricing examples

    Example 1: 

    You have a single AWS account and make 1,000 calls per month to the IAM access analyser APIs to run customised policy checks as part of your automated policy review process.

    Cost of analysis
    £0.0019737151 * 1,000 API calls = £1.9737151 per month

    Example 2: 

    You make 10,000 calls each month to the IAM access analyser APIs to run custom policy checks across five accounts signed up for consolidated billing with AWS Organizations.

    Cost of analysis
    £0.0019737151 * 10,000 API calls = £19.737151 per month
