
Costs - Monthly

SOC 2-Driven Infra Cost Implications (Monthly)


| Area | Change Needed | AWS Services | Est. Additional Monthly Cost | Notes |
|---|---|---|---|---|
| Identity & Access Management (IAM) | MFA for all IAM users, SSO (via AWS IAM Identity Center w/ Google Workspace), IAM Access Analyzer | AWS IAM Identity Center | $0 (AWS service free, small SSO cost via Google Workspace if not already paid) | You already pay Google Workspace — SSO via AWS is free. |
| | Remove unused IAM keys, audit policies | N/A | $0 | - |
| Private DB Access | Move RDS to private subnet (with NAT for ECS nodes) | NAT Gateway + data processing | ~$36–$80 | Each NAT GW: $32.40 + data ($0.045/GB). If ECS tasks pull/push ~200–1,000 GB/mo, cost grows. |
| Encryption | Enable KMS encryption (S3, RDS, EBS) | AWS KMS | ~$1–$3 | Each KMS API request is billed; low cost at your scale. |
| Shield Advanced (optional) | Advanced DDoS protection | AWS Shield Advanced | $3,000 (monthly fee) | Only if RFP/gov customer insists — otherwise, Shield Standard (free) is fine. |
| CloudTrail | Org-wide logging, 1 year retention in S3 | CloudTrail + S3 storage | $10–$40 | Trail logging is $2.00/100k events; storage ~10–30 GB/mo compressed. |
| GuardDuty | Threat detection for AWS Account | AWS GuardDuty | $15–$30 | Pricing: $4.00/million events analyzed. With your small footprint, cheap. |
| WAF | Already enabled | AWS WAF | No Change | SOC 2 happy. |
| Backups | RDS Multi-AZ | RDS | +~$129 | Same as current DB cost (effectively doubles DB price). |
| | Cross-region RDS snapshot copy | RDS + S3 | $5–$15 | Cheap if done daily. |
| Disaster Recovery (Failover DB) | Cross-region replica | RDS + data transfer | +~$150–$180 | Doubles storage + replication transfer. |
| Vulnerability Scanning | AWS Inspector - vulnerability scans and misconfigs | Inspector | $0.15/instance/hr → ~$216 for 2 ECS nodes | Continuous scanning billed hourly. |
| Secrets Management | AWS Secrets Manager for all DB/API creds | Secrets Manager | $0.40/secret/mo → ~$4–$8 | Assuming 10–20 secrets. |
| Logging & Monitoring | Store security logs in S3 for 1+ years | S3 + Glacier Deep Archive | $5–$15 | Move older logs to Glacier to save $. |
| | SIEM (stay AWS-native) | CloudWatch | $10–$20 | You already use SigNoz — keep heavy logs there, store audit logs in S3. |
| Private ECS Nodes | Move ECS nodes to private subnet | NAT Gateway cost | ~$36–$80 | Same as DB private subnet — NAT fees. |



  • SOC 2 doesn’t mandate cross-region DB replication — it just wants a DR plan that meets your RTO/RPO. You could pass with daily backups + tested restore. But it's good practice to have data replicated somewhere.
  • Biggest jump is AWS Inspector — if budget is tight, you could replace it with free open-source tools + one-off pentests.
  • Moving ECS & RDS to private subnets will force NAT costs, which is the second sneaky cost driver after Inspector.
  • You can stay under $500/mo extra over current spend if you avoid Multi-AZ + Inspector + Shield Adv.


| Category | Approx. Additional Cost |
|---|---|
| IAM + SSO | $0 |
| Private Networking (DB+ECS NAT) | $36–$80 |
| Encryption | $1–$3 |
| CloudTrail + S3 logs | $10–$40 |
| GuardDuty | $15–$30 |
| RDS Multi-AZ Same Region Replica (Failover) | +$129 |
| Cross-region DR + Multi AZ (optional) | +$150–$180 |
| AWS Inspector | $216 |
| Secrets Manager | $10–$20 |
| Glacier Log Archive | $5–$15 |
| Total (No Cross Region DR, minimal) | ~$416–$521/mo |
| Total (With Cross Region DR) | ~$566–$701/mo |
| Total (With Shield Adv - optional) | +$3,000/mo extra |



EXTENDED


Instance Equivalents & Pricing:

| GCP Instance | AWS Equivalent | vCPU / RAM | AWS On-Demand Cost/mo |
|---|---|---|---|
| Jenkins: e2-standard-4 (4 vCPUs, 16 GB) | t3.xlarge (4 vCPU, 16 GB) | 4 / 16 GB | ~$121.47 (Economize Cloud) |
| SigNoz: e2-custom-4-10240 (4 vCPU, 10 GB) | t3.xlarge (closest match) | 4 / 16 GB | ~$121.47 (Economize Cloud) |


Summary: Monthly Cost Impact

| Component | AWS Equivalent | Estimated Monthly Cost |
|---|---|---|
| Jenkins Server | t3.xlarge + 100 GB EBS | ~$129.47 |
| SigNoz Server | t3.xlarge + 120 GB EBS | ~$131.07 |
| Combined Total | | ~$260.54/month |


Extra Note on Disk Growth

As you scale up retention for SOC 2 evidence (e.g., logs, policy artifacts, screenshots):

  • If disk usage grows from 120 GB to 240 GB, you’d add ~$9.60 more (double storage).




SUMMARY

Baseline (Current)

Already provided: ~$640/month including tax.

Breakdown today:

  • EC2 Instances: $283.28
  • RDS (single instance): $133.43
  • Tax: $96.35
  • EC2-Other: $47.99
  • Other services (VPC, ElastiCache, WAF, CloudWatch): remainder.

Hidden / Underestimated Costs to Watch
  1. CloudTrail & S3 log retention — With 1+ year retention, the S3 log bucket can grow fast; expect $10–$50/month depending on GB/day.
  2. GuardDuty — Usage-based; for small footprint maybe $15–$30/month now, but scales with log volume.
  3. KMS key usage fees — Keys are cheap ($1/mo each) but API call charges can sneak in if you encrypt heavily used objects.
  4. Data transfer out (DTO) — Cross-region & DR sync can add up if your DB or app pushes a lot of data.
  5. EBS growth — More snapshots for SOC 2 evidence = $5–$20/month unless aggressively lifecycle-managed.
  6. Support Plan — If you move to AWS Business Support for SOC 2 readiness, add ~$100 minimum or 10% of usage.
  7. Pen-testing vendor costs — Not infra but required annually; usually $3–$8K one-off.



| Scenario | New SOC 2 Cost (Extra) | New Total Monthly Cost | Delta from Current | Notes |
|---|---|---|---|---|
| 1. No Cross Region DR, minimal | ~$416 – $521 | ~$1,056 – $1,161 | +65% – +81% | Adds minimal SOC 2 passable config (IAM hardening, logging, minimal backups, security tooling), no DR. |
| 2. With Cross Region DR | ~$566 – $701 | ~$1,206 – $1,341 | +88% – +110% | Includes cross-region replication for RDS, still minimal EC2 changes, meets stronger SOC 2 availability expectations. |
| 3. No Cross Region DR, minimal + No Jenkins & SigNoz migrations | ~$416 – $521 | ~$1,056 – $1,161 | +65% – +81% | Same as Scenario 1, but Jenkins & SigNoz remain on GCP — no AWS migration cost. |
| 4. With Cross Region DR + Jenkins & SigNoz migrations | ~$906 – $1,081 | ~$1,546 – $1,721 | +142% – +169% | Adds DR (Scenario 2) plus migrating Jenkins & SigNoz to AWS with equivalent compute/storage, including extra storage for evidence retention. |