# Cost Optimization
Cost optimization strategies for IAM infrastructure provisioned by the SEC Provisioner.
## Cost Overview

The SEC Provisioner creates IAM resources, which are largely free. The costs come from supporting services:

| Cost Factor | Description | Typical Impact |
|---|---|---|
| IAM | Groups, roles, policies | Free |
| CloudFormation | Stack operations | Free |
| SSM Parameter Store | Stack output storage | Minimal (~$0.05/month) |
| S3 | Template storage (medium/enterprise) | Minimal (~$0.01/month) |
| CloudTrail | API call logging | Included in free tier |
Key insight: IAM itself is free. The SEC Provisioner’s infrastructure cost is effectively zero — the value is in the time saved and security posture achieved.
## IAM Pricing

AWS IAM is free for all resource types:

| Resource | Cost | Notes |
|---|---|---|
| IAM Groups | Free | Unlimited groups |
| IAM Roles | Free | Unlimited roles |
| IAM Policies (managed) | Free | Up to 1,500 customer-managed policies |
| IAM Policies (inline) | Free | No limit per group/role |
| STS AssumeRole | Free | No charge for role assumption |
| IAM Access Analyzer | Free tier available | 100 analyzers, 100 access previews/month |
No per-resource charges: Whether you deploy startup (5 groups) or enterprise (12 groups), the IAM cost is the same — $0.
## CloudFormation Costs

| Operation | Cost |
|---|---|
| Stack creation | Free |
| Stack updates | Free |
| Stack deletion | Free |
| ChangeSet creation | Free |
| Drift detection | Free |
CloudFormation is free for AWS resource types (IAM, S3, EC2, etc.). Charges only apply for third-party resource types, which the SEC Provisioner does not use.
## SSM Parameter Store Costs

The SEC Provisioner stores stack outputs in SSM Parameter Store:

| Tier | Parameters | Monthly Cost |
|---|---|---|
| Startup-5 | ~20 parameters | Free (Standard tier, < 10,000) |
| Medium-10 | ~46 parameters | Free (Standard tier, < 10,000) |
| Enterprise-12 | ~55 parameters | Free (Standard tier, < 10,000) |
SSM Parameter Store Standard tier is free for up to 10,000 parameters. The SEC Provisioner uses well under this limit.
### Advanced Parameters
If you need parameters larger than 4 KB or more than 10,000 parameters, Advanced tier costs $0.05/parameter/month. The SEC Provisioner uses Standard tier only.
## S3 Template Storage Costs

Medium and enterprise tiers upload CloudFormation templates to S3:

| Tier | Template Size | Monthly Storage Cost |
|---|---|---|
| Startup-5 | N/A (TemplateBody) | $0 |
| Medium-10 | ~69 KB | $0.0000016 |
| Enterprise-12 | ~85 KB | $0.0000020 |
Template storage cost is negligible — less than $0.01/year for all tiers combined.
## Tier Cost Comparison

### Infrastructure Cost (Monthly)

| Cost Item | Startup-5 | Medium-10 | Enterprise-12 |
|---|---|---|---|
| IAM Resources | $0 | $0 | $0 |
| CloudFormation | $0 | $0 | $0 |
| SSM Parameters | $0 | $0 | $0 |
| S3 Templates | $0 | ~$0.001 | ~$0.001 |
| Total Infrastructure | $0 | ~$0.001 | ~$0.001 |
### Value Comparison

The cost difference between tiers is in the subscription price, not infrastructure. All tiers have effectively zero AWS infrastructure cost.

| Tier | Groups | Roles | What You Get |
|---|---|---|---|
| Startup-5 | 5 | 5 | Core ML team roles |
| Medium-10 | 10 | 12 | + Governance, security, QA, cross-account |
| Enterprise-12 | 12 | 14 | + FinOps, external contractors, monitoring |
### Time Savings

The real value is time saved vs manual IAM setup:

| Task | Manual Setup | With SEC Provisioner |
|---|---|---|
| Design IAM groups | 2-5 days | Pre-built |
| Write IAM policies | 3-10 days | 31 pre-built templates |
| Create CloudFormation template | 2-5 days | Auto-generated |
| Test and validate | 1-3 days | `test-deploy` + `validate` |
| Document for audit | 2-5 days | Auto-generated reports |
| Total | 10-28 days | < 1 hour |
## Cost Reduction Strategies

### 1. Start with the Right Tier

Don't over-provision. Start with Startup-5 if you have a small team:

| Team Size | Recommended Tier | Why |
|---|---|---|
| 2-10 people | Startup-5 | Core roles sufficient |
| 10-50 people | Medium-10 | Need governance and security roles |
| 50+ people | Enterprise-12 | Need FinOps and contractor management |
You can upgrade tiers as your team grows — configurations carry forward.
### 2. Use Separate Environments Wisely

Deploy to dev/staging/prod, but consider whether all environments need the same tier:

| Environment | Tier | Rationale |
|---|---|---|
| Dev | Startup-5 | Minimal roles for development |
| Staging | Same as prod | Test with production-equivalent security |
| Production | Medium-10 or Enterprise-12 | Full security posture |
### 3. Clean Up Test Deployments

Test stacks create real IAM resources. Always delete them after testing:

```bash
aws cloudformation delete-stack --stack-name <test-stack-name> --region us-west-1
```
While IAM resources are free, orphaned test resources clutter your account and complicate auditing.
### 4. Use Drift Detection Instead of Redeployment

Instead of deleting and redeploying to fix configuration issues, use:

- `check-drift` to identify what changed
- `show-changes` to preview fixes
- `deploy --force` to update in place
This avoids the brief permission gap that occurs during delete + redeploy.
### 5. Consolidate Cross-Account Roles

If you have multiple environments in the same account, they can share cross-account role definitions. Use the same `trusted_accounts` and `external_id` across environments.
### 6. Monitor IAM Limits

Stay within AWS IAM quotas to avoid needing limit increases:

| Resource | Default Limit | SEC Provisioner Usage |
|---|---|---|
| Groups per account | 300 | 5-12 per deployment |
| Roles per account | 1,000 | 5-14 per deployment |
| Customer managed policies | 1,500 | 22-31 per deployment |
| Policies per group | 10 | Managed within limit |
Multiple environments (dev/staging/prod) multiply these numbers.
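The quota table above is only useful if you check it against what the account already holds. The following script is an added example and not part of the SEC Provisioner project: it parses the JSON that `aws iam get-account-summary --output json` prints (the `SummaryMap` keys `Groups`, `GroupsQuota`, `Roles`, `RolesQuota`, `Policies` and `PoliciesQuota` are real fields of that response), flags any resource above a warning threshold, and estimates how many further deployments fit before the tightest quota is hit. The per-deployment counts are the upper bounds from the table (the Enterprise-12 figures) and the account summary is a constructed sample.

```python
"""Compare IAM usage with account quotas and estimate remaining headroom
for additional SEC Provisioner environments (dev/staging/prod).

Added example, not project code. Feed it real data with:
    aws iam get-account-summary --output json | python3 this_script.py
"""
import json
import sys

# Upper bound of the per-deployment usage quoted on this page (Enterprise-12).
# Assumption for planning purposes; adjust to the tier you actually deploy.
PER_DEPLOYMENT = {"Groups": 12, "Roles": 14, "Policies": 31}

# Constructed sample of `aws iam get-account-summary --output json`.
SAMPLE_SUMMARY = json.dumps({
    "SummaryMap": {
        "Groups": 36, "GroupsQuota": 300,
        "Roles": 412, "RolesQuota": 1000,
        "Policies": 1210, "PoliciesQuota": 1500,
        "AttachedPoliciesPerGroupQuota": 10,
    }
})


def quota_report(summary_json, warn_at=0.8):
    """Return {resource: (used, quota, fraction_used, over_threshold)}."""
    summary = json.loads(summary_json)["SummaryMap"]
    report = {}
    for resource in ("Groups", "Roles", "Policies"):
        used = summary[resource]
        quota = summary[f"{resource}Quota"]
        frac = used / quota
        report[resource] = (used, quota, round(frac, 3), frac >= warn_at)
    return report


def environments_remaining(summary_json, per_deployment=PER_DEPLOYMENT):
    """Number of additional deployments that fit before the tightest quota
    is reached. Each deployment consumes the per-resource counts in
    `per_deployment`; the answer is the minimum across all resources."""
    summary = json.loads(summary_json)["SummaryMap"]
    fits = []
    for resource, need in per_deployment.items():
        headroom = summary[f"{resource}Quota"] - summary[resource]
        fits.append(max(headroom, 0) // need)
    return min(fits)


if __name__ == "__main__":
    # Use piped CLI output when present, otherwise the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY
    for name, (used, quota, frac, warn) in quota_report(data).items():
        flag = "  <-- near quota: clean up test stacks or request an increase" if warn else ""
        print(f"{name:<9} {used:>5}/{quota:<5} ({frac:.0%}){flag}")
    print("Additional Enterprise-12 deployments that fit:", environments_remaining(data))
```

With the sample account, customer-managed policies are already at 81% of quota, so only nine more Enterprise-12 deployments fit even though groups and roles have plenty of room; policies are usually the first IAM quota a multi-environment rollout exhausts.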
## Monitoring and Analysis

### AWS Cost Explorer

```bash
# IAM is free, but check for related costs
aws ce get-cost-and-usage \
  --time-period Start=2026-03-01,End=2026-04-01 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --filter '{"Dimensions":{"Key":"SERVICE","Values":["AWS Systems Manager","Amazon Simple Storage Service"]}}'
```
### IAM Credential Report

Generate a credential report to identify unused IAM users in your groups:

```bash
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d
```
Remove users from groups they no longer need — reduces your security surface at zero cost.
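The decoded report is a CSV, and reading it by eye does not scale past a handful of users. The script below is an added example (not part of the SEC Provisioner project) that parses the report and lists users whose password and access keys have not been used within a chosen window, plus console users without MFA. The column names are those of the real credential report (`password_last_used`, `access_key_1_last_used_date`, `mfa_active`, and so on); the sample report is constructed and trimmed to the columns used, and the reference date is fixed so the output is reproducible.

```python
"""Find inactive IAM users and console users without MFA in a credential report.

Added example, not project code. Run against a real report with:
    aws iam get-credential-report --output text --query Content | base64 -d \
        | python3 this_script.py
"""
import csv
import io
import sys
from datetime import datetime, timedelta, timezone

# Constructed, trimmed sample of a decoded credential report. Real reports
# also carry cert_* columns; DictReader only needs the columns used below.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2024-01-10T09:00:00+00:00,not_supported,2025-11-02T08:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
ml-eng-alice,arn:aws:iam::123456789012:user/ml-eng-alice,2025-02-03T10:00:00+00:00,true,2026-03-20T14:31:00+00:00,2026-01-05T10:00:00+00:00,2026-04-05T10:00:00+00:00,true,true,2026-01-05T10:00:00+00:00,2026-03-21T07:45:00+00:00,false,N/A,N/A
ml-eng-bob,arn:aws:iam::123456789012:user/ml-eng-bob,2025-02-03T10:00:00+00:00,true,2025-10-01T12:00:00+00:00,2025-02-03T10:00:00+00:00,2025-05-04T10:00:00+00:00,false,true,2025-02-03T10:00:00+00:00,2025-09-28T16:20:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2025-06-15T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-06-15T10:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed "now" so the sample gives stable results; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 3, 25, tzinfo=timezone.utc)

# Placeholder values the report uses instead of a timestamp.
_NO_DATE = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    return None if value in _NO_DATE else datetime.fromisoformat(value)


def last_activity(row):
    """Most recent password sign-in or access-key use, or None if never used."""
    columns = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    stamps = [_parse_ts(row.get(col, "N/A")) for col in columns]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def inactive_users(report_csv, now=NOW, days=90):
    """Return [(user, last_activity_or_None)] for users with no password or
    key use in the last `days` days. The root account is skipped: it is not a
    group member and is handled by separate controls."""
    cutoff = now - timedelta(days=days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        seen = last_activity(row)
        if seen is None or seen < cutoff:
            stale.append((row["user"], seen))
    return stale


def users_without_mfa(report_csv):
    """Console-enabled users (password_enabled == true) with no MFA device."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for user, seen in inactive_users(report):
        print(f"inactive: {user:<16} last activity: {seen.date() if seen else 'never'}")
    for user in users_without_mfa(report):
        print(f"no MFA:   {user}")
```

In the sample, `ml-eng-bob` last used a credential in October 2025 and `svc-deploy` has never used one, so both are candidates for removal from their groups; `ml-eng-bob` is also flagged as a console user without MFA. A user that shows as inactive but holds an active access key is worth a second look before deletion, since the key may belong to a pipeline that has not run yet.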
### CloudTrail Analysis

Monitor AssumeRole activity to verify assumable roles are being used as intended:

```bash
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole \
  --max-results 20
```
Unused assumable roles may indicate over-provisioning — consider removing them or downgrading to a lower tier.
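Twenty raw events do not tell you which of your provisioned roles were never assumed. The following is an added example (not project code) that takes the JSON from `aws cloudtrail lookup-events ... --output json`, reads the target role from each event's `requestParameters.roleArn` (the `CloudTrailEvent` field is a JSON string in the real output, as it is in the constructed sample here), and reports per-role assumption counts, the principals behind them, and any provisioned role with no assumptions. The role ARNs and the list of "provisioned" roles are constructed and are not the SEC Provisioner's real role names.

```python
"""Summarise AssumeRole activity from CloudTrail event history and list
provisioned roles that were never assumed.

Added example, not project code. Run against real data with:
    aws cloudtrail lookup-events \
        --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole \
        --max-results 50 --output json | python3 this_script.py
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed ARNs standing in for the roles a deployment created.
PROVISIONED_ROLES = [
    "arn:aws:iam::123456789012:role/sec-ml-engineer",
    "arn:aws:iam::123456789012:role/sec-data-scientist",
    "arn:aws:iam::123456789012:role/sec-mlops",
    "arn:aws:iam::123456789012:role/sec-readonly-auditor",
    "arn:aws:iam::123456789012:role/sec-cross-account-ci",
]


def _event(role_arn, principal, when):
    """Build one lookup-events record (constructed; only fields used below)."""
    return {
        "EventName": "AssumeRole",
        "EventTime": when,
        "Username": principal,
        "CloudTrailEvent": json.dumps({
            "eventName": "AssumeRole",
            "requestParameters": {"roleArn": role_arn, "roleSessionName": principal},
        }),
    }


# Constructed sample of `aws cloudtrail lookup-events --output json`.
SAMPLE_LOOKUP = json.dumps({"Events": [
    _event(PROVISIONED_ROLES[0], "ml-eng-alice", "2026-03-20T09:01:00+00:00"),
    _event(PROVISIONED_ROLES[0], "ml-eng-alice", "2026-03-21T10:15:00+00:00"),
    _event(PROVISIONED_ROLES[1], "ds-carol", "2026-03-21T11:40:00+00:00"),
    _event(PROVISIONED_ROLES[4], "210987654321", "2026-03-22T02:00:00+00:00"),
]})


def assume_role_counts(lookup_json):
    """Counter of AssumeRole events per target role ARN."""
    counts = Counter()
    for ev in json.loads(lookup_json).get("Events", []):
        if ev.get("EventName") != "AssumeRole":
            continue
        detail = json.loads(ev["CloudTrailEvent"])
        role = detail.get("requestParameters", {}).get("roleArn")
        if role:
            counts[role] += 1
    return counts


def principals_per_role(lookup_json):
    """{role ARN: sorted list of principals that assumed it}."""
    who = defaultdict(set)
    for ev in json.loads(lookup_json).get("Events", []):
        if ev.get("EventName") != "AssumeRole":
            continue
        role = json.loads(ev["CloudTrailEvent"]).get("requestParameters", {}).get("roleArn")
        if role:
            who[role].add(ev.get("Username", "unknown"))
    return {role: sorted(names) for role, names in who.items()}


def unused_roles(lookup_json, provisioned=PROVISIONED_ROLES):
    """Provisioned roles with zero AssumeRole events in the window."""
    used = assume_role_counts(lookup_json)
    return sorted(r for r in provisioned if used[r] == 0)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOOKUP
    who = principals_per_role(data)
    for role, n in assume_role_counts(data).most_common():
        print(f"{n:>3}  {role}  by {', '.join(who[role])}")
    for role in unused_roles(data):
        print(f"  0  {role}  (never assumed in window)")
```

Event history from `lookup-events` covers the last 90 days and only the region you query, so page through the full result set (`--next-token`) and run it in every region your roles are used from before concluding a role is unused; in the sample, `sec-mlops` and `sec-readonly-auditor` have no assumptions and are the candidates to review.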
All prices based on US East (N. Virginia). IAM is free globally. Use the AWS Pricing Calculator for S3 and SSM estimates in your region.