← Week 3: Integration + failure modes + fit analysis

Day 19: Cost Model and Make-vs.-Buy Analysis

Phase 5 · September 13, 2026


Agenda (2–3 hours)

  • Study (60 min): ACM PCA pricing model; CloudHSM pricing; EJBCA/open-source CA alternatives
  • Calculate (45 min): Cost model for your provisioning service workload
  • Write (45 min): Make-vs.-buy analysis for acm-pca-design.md

ACM PCA Pricing (2026)

Item                               Price
Private CA — first 12 months       $400/month per CA
Private CA — after 12 months       $200/month per CA
Certificates — private PKI         $0.75 per cert
Certificates — via ACM integration $0.00 per cert
OCSP requests                      $0.001 per 1,000
CRL S3 storage                     S3 standard rates (~$0.023/GB)

ACM integration: if ACM manages certificate deployment to ALB, CloudFront or API Gateway, those certificates are free. The $0.75 fee applies only to certificates you request directly through the IssueCertificate API.


Sample Cost Calculation: Leo Provisioning Service

Assumptions:

  • 3 CAs (1 root, 1 subordinate, 1 issuance)
  • 1,000 device certificates/month at 90-day validity
  • 10,000 OCSP requests/month
  • CRL published weekly (~50 KB per CRL)

Monthly cost:
  CAs (month 1–12):    3 × $400    = $1,200/mo
  CAs (month 13+):     3 × $200    = $600/mo
  Device certs:        1,000 × $0.75 = $750/mo
  OCSP:                10,000 / 1,000 × $0.001 = $0.01/mo  (negligible)
  CRL S3:              ~$0.01/mo  (negligible)

  Total (year 1):      ~$1,950/month
  Total (year 2+):     ~$1,350/month

At 10,000 device certs/month: add $7,500/month in cert fees.


CloudHSM Pricing

Item                  Price
CloudHSM instance     ~$1.60/hr = $1,168/month per HSM
Minimum for HA        2 HSMs = $2,336/month
Recommended (3 AZs)   3 HSMs = $3,504/month
Backup storage        S3 (negligible)
Client library        Free

CloudHSM vs. ACM PCA:

  • For a CA that issues 1,000 certs/month: ACM PCA ~$1,950/mo vs. CloudHSM ~$3,500/mo + ops labor
  • CloudHSM is cost-competitive only when you need self-managed key control or very high volume

Break-even: at ~3,500 certs/month (where ACM PCA cert fees + CA fees ≈ CloudHSM hardware cost).


Build-Your-Own CA: Open-Source Options

If ACM PCA doesn't fit (cost, compliance, control):

Option                   Language   PKCS#11        Active   Notes
EJBCA Community          Java       Yes            Yes      Full-featured enterprise CA; complex to operate
Step-CA                  Go         Via step-kms   Yes      Modern, lightweight; ACME support
Boulder                  Go         No             Yes      Let's Encrypt's CA; public TLS only
toy-pki (your Phase 2)   Rust       No             N/A      Not production-ready
OpenSSL CA               C/shell    Via engine     Yes      Scriptable; no API; not scalable

Step-CA is the most realistic self-managed option for your use case:

  • Supports PKCS#11 via step-kms → CloudHSM compatible
  • REST API (ACME + JWK provisioners)
  • Lighter operationally than EJBCA

Make-vs.-Buy Decision Framework

Factor                       ACM PCA                                   Self-managed (Step-CA + CloudHSM)
Ops burden                   Low (AWS manages)                         High (cluster, patching, HA)
Key custody                  AWS holds key                             You hold key
FIPS 140-2 L3                Yes (AWS attests)                         Yes (if CloudHSM)
Custom templates             Limited (built-in + APIPassthrough)       Unlimited
PQC timeline                 AWS roadmap                               Your roadmap (when CloudHSM PQC is ready)
Compliance doc               AWS SOC 2, ISO, FedRAMP docs available    Must document yourself
AWS integration (ACM, ALB)   Native                                    Not applicable
Cost at 1K certs/mo          ~$1,950/mo                                ~$3,500/mo + ~40 hrs/mo ops labor
Cost at 100K certs/mo        ~$76,200/mo                               ~$3,500/mo + ops

High-volume cert issuance (>50K/month) favors self-managed on cost alone.


Recommendation Framework

Use ACM PCA when:

  • Volume is < ~50,000 certs/month
  • Your team cannot afford the operational burden of running an HSM cluster
  • You need deep AWS service integration (ACM, ALB, CloudFront)
  • Compliance requires third-party attestation (AWS SOC 2 covers ACM PCA)

Use CloudHSM + self-managed CA when:

  • Compliance requires you to hold the CA private key exclusively
  • Volume is > 50,000 certs/month (cost savings justify ops overhead)
  • You need non-standard certificate profiles ACM PCA doesn't support
  • You need to audit the CA software behavior at a level ACM PCA doesn't expose

For Leo Provisioning Service: ACM PCA is the right default unless the security team requires exclusive key custody.


Challenge Assignment

Write acm-pca-design.md §5.4 (Cost Model):

### 5.4 Cost Model and Make-vs.-Buy

**Monthly cost estimate (current workload):**
<CA count, cert volume, OCSP volume: fill in your numbers>

**Cost at 10× scale:**
<What does the cost look like if provisioning grows 10×?>

**Make-vs.-buy recommendation:**
<ACM PCA vs. self-managed: which one, and why, for your service?>

**Conditions that would change the recommendation:**
<"If cert volume exceeds X/month, cost favors self-managed">
<"If compliance requires exclusive key custody, switch to CloudHSM">

Resources

  • ACM PCA pricing: aws.amazon.com/private-ca/pricing
  • CloudHSM pricing: aws.amazon.com/cloudhsm/pricing
  • Step-CA: smallstep.com/docs/step-ca
  • EJBCA Community: ejbca.org
  • AWS pricing calculator: calculator.aws (use ACM PCA and CloudHSM modules)