The QuickWin around AWS Security Hub are the security standards, enabling the service with the security standards will identify your gaps with the best practices, and will provide you the remediation instructions. It only costs $0.001 per check, it can be enabled in a few clicks and it has a 30 days free trial that shows the usage that would incur if no trial existed, so you can estimate the cost of the next month.
If you want to perform individual (point-in-time) checks instead of continuous compliance with a managed service such as the AWS Security Hub. You can use the Self-Service Security Assessment Tool that integrates controls from Open Source tools such as Prowler , and Scout Suite .
You can also use Cloud Custodian , an open source tool with multi-vendor support, to send findings natively to the AWS Security Hub.
There are third-party tools for continuous compliance checks such as Trend Micro Cloud Compliance , Checkpoint Dome9 , and CloudCheckr that can also accomplish similar end result, frequently used in multi-cloud environments.
The service has a 30-day trial period (free trial)
The service has a site to verify current usage and estimate future usage.