Costs - Monthly

SOC 2-Driven Cost Implications (Monthly)

Area	Change Needed	AWS Service(s)	Est. Additional Monthly Cost	Notes
Identity & Access Management (IAM)	MFA for all IAM users, SSO (via AWS IAM Identity Center w/ Google Workspace), IAM Access Analyzer	AWS IAM Identity Center	$0 (AWS service free, small SSO cost via Google Workspace if not already paid)	You already pay Google Workspace — SSO via AWS is free.
	Remove unused IAM keys, audit policies	N/A	$0	Just labor time.
Private DB Access	Move RDS to private subnet (with NAT for ECS nodes)	NAT Gateway + data processing	~$36–$80	Each NAT GW: $32.40 + data ($0.045/GB). If ECS tasks pull/push ~200–1,000 GB/mo, cost grows.
Encryption	Enable KMS encryption (S3, RDS, EBS)	AWS KMS	~$1–$3	Each KMS API request is billed; low cost at your scale.
Shield Advanced (optional)	Advanced DDoS protection	AWS Shield Advanced	$3,000 (monthly fee)	Only if RFP/gov customer insists — otherwise, Shield Standard (free) is fine.
CloudTrail	Org-wide logging, 1 year retention in S3	CloudTrail + S3 storage	$10–$40	Trail logging is $2.00/100k events; storage ~10–30 GB/mo compressed.
GuardDuty	Threat detection	AWS GuardDuty	$15–$30	Pricing: $4.00/million events analyzed. With your small footprint, cheap.
WAF	Already enabled	AWS WAF	No Change	SOC 2 happy.
Backups	RDS Multi-AZ	RDS	+~$129	Same as current DB cost (effectively doubles DB price).
	Cross-region RDS snapshot copy	RDS + S3	$5–$15	Cheap if done daily.
Disaster Recovery (Failover DB)	Cross-region replica	RDS + data transfer	+~$150–$180	Doubles storage + replication transfer.
Vulnerability Scanning	AWS Inspector	Inspector	$0.15/instance/hr → ~$216 for 2 ECS nodes	Continuous scanning billed hourly.
Secrets Management	AWS Secrets Manager for all DB/API creds	Secrets Manager	$0.40/secret/mo → ~$4–$8	Assuming 10–20 secrets.
Logging & Monitoring	Store security logs in S3 for 1+ years	S3 + Glacier Deep Archive	$5–$15	Move older logs to Glacier to save $.
	SIEM (stay AWS-native)	CloudWatch + Athena for queries	$10–$20	You already use SigNoz — keep heavy logs there, store audit logs in S3.
Private ECS Nodes	Move ECS nodes to private subnet	NAT Gateway cost	~$36–$80	Same as DB private subnet — NAT fees.

SOC 2 doesn’t mandate cross-region DB replication — it just wants a DR plan that meets your RTO/RPO. You could pass with daily backups + tested restore.
Biggest jump is AWS Inspector — if budget tight, you could replace with free open-source + one-off pentests.
Moving ECS & RDS to private subnets will force NAT costs, which is the second sneaky cost driver after Inspector.
You can keep under $500/mo extra to current if you avoid Multi-AZ + Inspector + Shield Adv.

Category	Approx. Additional Cost
IAM + SSO	$0
Private Networking (DB+ECS NAT)	$36–$80
Encryption	$1–$3
CloudTrail + S3 logs	$10–$40
GuardDuty	$15–$30
RDS Multi-AZ Same Region Replica (Failover)	+$129
Cross-region DR + Multi AZ (optional)	+$150–$180
AWS Inspector	$216
Secrets Manager	$10–$20
Glacier Log Archive	$5–$15
Total (No Cross Region DR, minimal)	~$416–$521/mo
Total (With ~~DR)~~Cross Region DR )	~$566–$701/mo
Total (With Shield Adv - optional)	+$3,000/mo extra

EXTENDED

Instance Equivalents & Pricing:

GCP Instance	AWS Equivalent	vCPU / RAM	AWS On-Demand Cost/mo
Jenkins : e2-standard-4 (4 vCPUs, 16 GB)	t3.xlarge (4 vCPU, 16 GB)	4 / 16 GB	~$121.47 Economize Cloud
SigNoz : e2-custom-4-10240 (4 vCPU, 10 GB)	t3.xlarge (closest match)	4 / 16 GB	~$121.47 Economize Cloud

GCP Instance

AWS Equivalent

vCPU / RAM

AWS On-Demand Cost/mo

Jenkins

: e2-standard-4 (4 vCPUs, 16 GB)

t3.xlarge

(4 vCPU, 16 GB)

4 / 16 GB

~$121.47

Economize Cloud

SigNoz

: e2-custom-4-10240 (4 vCPU, 10 GB)

t3.xlarge

(closest match)

4 / 16 GB

~$121.47

Economize Cloud

Summary: Monthly Cost Impact

Component	AWS Equivalent	Estimated Monthly Cost
Jenkins Server	t3.xlarge + 100 GB EBS	~$129.47
SigNoz Server	t3.xlarge + 120 GB EBS	~$131.07
Combined Total		~$260.54/month

Extra Note on Disk Growth

As you scale up retention for SOC 2 evidence (e.g., logs, policy artifacts, screenshots):

If disk usage grows from 120 GB to 240 GB, you’d add ~$9.60 more (double storage).

SUMMARY

Baseline (Current)

Already provided: ~$640/month including tax.

Breakdown today:

EC2 Instances: $283.28
RDS (single instance): $133.43
Tax: $96.35
EC2-Other: $47.99
Other services (VPC, ElastiCache, WAF, CloudWatch): remainder.

New Cost Estimates by Scenario

Scenario A — Cross-Region Replication (no DR)

~~RDS Cross-Region Read Replica~~ ~~(same size as current RDS): ≈ $133.43 (base) + $150–$160 for replica + ~$20 for cross-region data transfer.~~
~~Jenkins + SigNoz migration: ~$260/month (from earlier mapping).~~
~~Minor NAT Gateway increase for ECS private subnets: ~$30–$50/month.~~
~~New AWS services for SOC 2 (CloudTrail, GuardDuty, KMS keys, log storage, backups): ~$50–$70/month.~~
~~Tax (~15% based on your bill): add ~15% to subtotal.~~

~~Estimate~~:
~~Current infra $640 →~~

~~RDS replica $170~~
~~Jenkins/SigNoz $260~~
~~NAT $40~~
~~SOC 2 tooling $60~~
= ~~$1,170 subtotal~~ ~~→ with tax (~$175) =~~ ~~~$1,345/month~~.

Scenario B — Cross-Region Replication + DR

~~All of Scenario A, plus:~~
~~Multi-AZ RDS primary~~~~: +~$130/month.~~
~~Warm standby EC2/ECS infra in another region~~ ~~for DR: ~$150–$200/month (depends on minimal capacity until failover).~~
~~DR-related data replication to S3/Glacier: ~$20–$30/month.~~

~~Estimate~~:
~~Scenario A subtotal $1,170 →~~

~~Multi-AZ RDS $130~~
~~DR infra $170~~
~~DR storage $25~~
= ~~$1,495 subtotal~~ ~~→ with tax (~$225) =~~ ~~~$1,720/month~~.

Scenario C — With Jenkins + SigNoz staying on GCP (only AWS cross-region & DR changes) - (Need a consultant's guidance on this)

~~Drop $260 from A & B for Jenkins/SigNoz migration.~~
~~Still incur minor NAT & SOC 2 tooling.~~

~~Estimate~~:

~~Cross-region only: ~$1,085/month with tax.~~
~~Cross-region + DR: ~$1,460/month with tax.~~

Hidden / Underestimated Costs to Watch

CloudTrail & S3 log retention — With 1+ year retention, log S3 bucket can grow fast; expect $10–$50/month depending on GB/day.
GuardDuty — Usage-based; for small footprint maybe $15–$30/month now, but scales with log volume.
KMS key usage fees — Keys are cheap ($1/mo each) but API call charges can sneak in if you encrypt heavily used objects.
Data transfer out (DTO) — Cross-region & DR sync can add up if your DB or app pushes a lot of data.
EBS growth — More snapshots for SOC 2 evidence = $5–$20/month unless aggressively lifecycle-managed.
Support Plan — If you move to AWS Business Support for SOC 2 readiness, add ~$100 minimum or 10% of usage.
Pen-testing vendor costs — Not infra but required annually; usually $3–$8K one-off.

Scenario	~~Infra~~New SOC 2 Cost (Extra)	New Total Monthly ~~(excl. tax)~~ Cost	~~With Tax (~15%)~~	ΔDelta from Current
~~Current~~1. No Cross Region DR, minimal	~$~~640~~	416 – $~~640~~	—
~~A — Cross-Region, no DR (w/ Jenkins+SigNoz AWS)~~521	~$1,~~170~~056 – $1,161	+65% – +81%	Adds minimal SOC 2 passable config (IAM hardening, logging, minimal backups, security tooling), no DR.
~~$1,345~~2. With Cross Region DR	+~$~~705~~
B566 —– ~~Cross-Region + DR (w/ Jenkins+SigNoz AWS)~~$701	~$1,~~495~~206 – $1,341	+88% – +110%	Includes cross-region replication for RDS, still minimal EC2 changes, meets stronger SOC 2 availability expectations.
~~$1,720~~3. No Cross Region DR, minimal + No Jenkins & Signoz migrations	~~+$1,080~~
~~C1 — Cross-Region, no DR (Jenkins+SigNoz on GCP)~~	~$~~940~~	416 – $~~1,085~~	~~+$445~~
~~C2 — Cross-Region + DR (Jenkins+SigNoz on GCP)~~521	~$1,~~270~~056 – $1,161	+65% – +81%	Same as Scenario 1, but Jenkins & Signoz remain on GCP — no AWS migration cost.
~~$1,460~~4. With Cross Region DR + Jenkins & Signoz migrations	~$906 – $1,081	~$1,546 – $1,721	+~~$820~~142% – +169%	Adds DR (Scenario 2) plus migrating Jenkins & Signoz to AWS with equivalent compute/storage, including extra storage for evidence retention.