The costs of pen testing cloud environments vary enormously, and AWS is no exception. Every project is different, and small changes in scope can lead to huge differences in cost.
If you’re trying to understand how much AWS penetration testing should cost your firm in 2022, this article should help.
After detailed comparisons of the pricing models of a range of vendors, we’ve provided cost benchmarks for AWS pen testing and broken down the 4 cost factors that have the biggest effects on price quotes.
Armed with these details, you should be able to negotiate better rates with your penetration testing firm and avoid overpaying.
Why Pentest Your AWS Resources?
While many assume that hosting in Amazon Web Services (AWS) or any other cloud provider would offload security responsibility to the service provider, this is not the case.
Security of the cloud is AWS's responsibility, but security in the cloud is the organization's responsibility. Because running computers and resources in AWS is nuanced and at times complex, it is always recommended that organizations engage in a penetration test of their hosted environment. This should include external testing, internal testing, and a configuration review to ensure adequate coverage to identify exploitable vulnerabilities and misconfigurations.
Further, this will provide a better understanding of what best practices should be implemented to help harden and improve the security of the environment.
For organizations just starting their journey into an AWS environment or utilizing a hybrid environment, it is even more critical to engage in a pen test. This will assist with understanding and strengthening the ability to design, deploy, and manage cloud computing with proper security and permissions.
It is all too easy to expose a service or storage device to the internet without knowing or understanding how. Understanding common mistakes before the organization's environment becomes too large will only assist with building a solid foundation for future projects.
NOTE: If you’re considering a pentest of your AWS resources, our free tool below matches you with top-rated pentest firms that fit your budget.
Scope for AWS Penetration Testing
When it comes to penetration testing of an AWS-hosted implementation, the end goal is very similar to any other type of pen test: identify weaknesses, how these weaknesses can be exploited, and the impact of exploitation.
However, AWS penetration testing is more nuanced than a typical network, application, or other penetration test. To start, AWS publishes explicit lists of what is allowed and what is not allowed to be tested regarding services, infrastructure, and other components. Any good consultancy firm or vendor will be able to walk your organization through what is and is not allowed to be tested.
When it comes to AWS security testing, simply performing external scanning and manual testing is not enough. A full review of the environment should be in scope and required, which includes internal and external testing, and configuration reviews.
As part of this review, governance of the environment, network management, encryption control, logging, identity and access management, and account management should be reviewed. Reviewing these categories may involve automated scanning, including automated configuration review, to help identify where best practices are not being followed.
One of the biggest reasons to expect and want to have such a wide net compared to network penetration testing is that the environment, access, and network are not just a firewall rule but are made up of services, security groups, access roles, and ingress/egress rules.
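As an added illustration (not code from the original article), the kind of automated review described above for security groups and ingress rules: it walks a constructed snapshot shaped like the boto3 ec2 describe_security_groups response and flags every ingress rule that is open to the whole internet on anything other than the intended public web ports. The group ids, names and CIDR ranges are constructed examples, and the allowed-port set is an assumption a reviewer would tune per environment.

```python
# Constructed snapshot (not a real account): mirrors the shape of the boto3
# ec2 describe_security_groups response so the review runs offline.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-web-example", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-bastion-example", "GroupName": "bastion", "IpPermissions": [
        # SSH open to the world: a management port that should be behind VPN or an allowlist
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db-example", "GroupName": "database", "IpPermissions": [
        # PostgreSQL reachable only from a constructed data-center range: fine
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.50.0.0/16"}], "Ipv6Ranges": []},
        # all protocols, all ports, from anywhere: the classic accidental exposure
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]}


def world_open_sources(rule):
    """Return the CIDR sources on a rule that mean 'anyone on the internet'."""
    v4 = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in WORLD_CIDRS]


def risky_ingress(groups, allowed_public_ports=frozenset({80, 443})):
    """Return (group id, protocol, port spec, sources) for every ingress rule
    that is world-open on anything other than the allowed public TCP ports."""
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            sources = world_open_sources(rule)
            if not sources:
                continue  # only reachable from specific ranges or other groups
            proto = rule.get("IpProtocol")
            if proto == "-1":  # all traffic: no port restriction at all
                findings.append((sg["GroupId"], "all", "all", sources))
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if proto in ("tcp", "6") and all(p in allowed_public_ports for p in range(lo, hi + 1)):
                continue  # an intentionally public web port
            spec = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append((sg["GroupId"], proto, spec, sources))
    return findings


if __name__ == "__main__":
    for group_id, proto, ports, sources in risky_ingress(SECURITY_GROUPS):
        print(f"{group_id}: {proto}/{ports} open to {', '.join(sources)}")
```

In a real review the snapshot would come from describe_security_groups for every region in every account in scope, and the findings would be cross-checked against what the organization believes is exposed; the value of the check is in the rules nobody remembers adding.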
Beyond the high-level domains of management and configuration that would be reviewed, additional testing will take place around S3 bucket configuration, permissions, and logging. If database services are utilized, these will be in scope as well, with a focus on backups, deployment model, and access management. Both services tend to get exposed by mistake, due to poor governance and configuration review, so having them in scope may save your organization an accidental leak of sensitive information.
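As an added example (not part of the original article), the S3 portion of such a configuration review run offline against constructed snapshots: each snapshot mirrors the shape of the boto3 responses for get_public_access_block, get_bucket_acl, get_bucket_policy and get_bucket_logging, and the review flags disabled Block Public Access settings, ACL grants to the public groups, bucket policy statements that allow a wildcard principal without any condition, and missing server access logging. Bucket names, IDs and the VPC endpoint id are constructed placeholders.

```python
import json

# Constructed snapshots (not real buckets), shaped like the boto3 S3 responses
# named in the lead-in, so the review runs without any AWS call.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

SNAPSHOTS = {
    "example-static-assets": {  # the accidental-exposure case
        "public_access_block": {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}},
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ]},
        "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-assets/*"}]})},
        "logging": {},  # get_bucket_logging returns no LoggingEnabled key when logging is off
    },
    "example-backups": {  # locked down: wildcard principal is constrained by a condition
        "public_access_block": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
        "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})},
        "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "backups/"}},
    },
}


def disabled_public_access_blocks(pab):
    """Names of the four Block Public Access settings that are not turned on."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_KEYS if not cfg.get(k, False)]


def public_acl_grants(acl):
    """(group name, permission) for every ACL grant to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return out


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Sids of Allow statements with a wildcard principal and no Condition at all.
    A condition-scoped wildcard (VPC endpoint, source account, ...) is not flagged here;
    it deserves a manual look rather than an automatic finding."""
    raw = (policy or {}).get("Policy")
    if not raw:
        return []
    stmts = json.loads(raw).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"Statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")) and not s.get("Condition")]


def access_logging_enabled(logging_cfg):
    return bool((logging_cfg or {}).get("LoggingEnabled", {}).get("TargetBucket"))


def review_bucket(snap):
    """Flatten the checks above into stable finding codes for one bucket."""
    findings = [f"PAB_OFF:{k}" for k in disabled_public_access_blocks(snap.get("public_access_block"))]
    findings += [f"ACL_PUBLIC:{g}:{p}" for g, p in public_acl_grants(snap.get("acl"))]
    findings += [f"POLICY_PUBLIC:{sid}" for sid in public_policy_statements(snap.get("policy"))]
    if not access_logging_enabled(snap.get("logging")):
        findings.append("NO_ACCESS_LOGGING")
    return findings


def review_all(snapshots=SNAPSHOTS):
    return {name: review_bucket(snap) for name, snap in snapshots.items()}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

The same four checks map directly onto the configuration-review items the scope section lists for S3 (configuration, permissions, logging); a real run would fetch one snapshot per bucket per account and feed it through review_bucket unchanged.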
Average Cost of AWS Penetration Tests
When it comes to pricing, many factors can impact a firm’s overall penetration testing cost. Every consultancy will utilize different scoping questions and documents to try to understand the complexity, size, and scope of the penetration testing services required for your organization. Ultimately, the end goal is to understand the minimum amount of time the consultancy will want to devote to the pen test to produce a quality report.
Scope rarely affects the hourly rate, but for a highly complex or large environment the consultancy may choose to assign a more senior resource, which can increase the overall cost of the engagement. In most cases, this will not be a factor. So what can an organization expect to pay for AWS penetration testing?
In general, the cost of an AWS penetration test ranges from $20,000 to well over six figures.
To better understand the large price range for AWS penetration testing, it is important to understand a few of the factors in the pricing of the engagement.
Cost Factor #1: Number of Accounts
Some organizations utilize a single AWS account with logical separation to manage all workloads, while others utilize multiple accounts to ‘air gap’ workloads beyond a logical layer. How the organization chooses to do this is up to the organization, but this can have an impact on the overall cost of the security assessment, even if total workloads are the same in both deployment models.
This is due to the need to have access, and at times, set up assessment tools multiple times across accounts. While this is not always the case, it is a good rule of thumb to expect to have additional costs if your organization is deploying workloads to multiple accounts. All accounts should be in scope to ensure that they are managed the same and no holes exist in how the organization is managing the AWS cloud workloads.
Cost Factor #2: Services in Scope
When it comes to AWS, many services can be utilized as part of the environment: S3 buckets, IAM Access Analyzer, Security Hub, EKS; the list goes on and on for what AWS can and does provide to its customers. This is not a bad thing; it oftentimes means that an organization can run a cloud deployment with less overhead in management tools by utilizing the services provided. In every case, there are best practices for configuration and management of these services regarding expense, security, and accessibility for IT users.
Additionally, some of these services have configurations that are less secure than an organization may realize. In general, what AWS builds and provides is likely to be secure by default, but this is not always the case and has tripped up many organizations. AWS does not want its customers to be breached, but, at the same time, security in the AWS cloud is the organization’s responsibility.
Because of this, the more services in scope for the penetration test, the more it will cost, due to the increased testing, configuration review, and conversations that may be required to identify, document, and report on vulnerabilities or exploits.
Cost Factor #3: Complexity of Deployment
This factor deals with how the organization has chosen to integrate the AWS workloads for management. Is the AWS environment accessible over the internet? Does it require a VPN account to access the management consoles? Or is there a dedicated site-to-site VPN deployment that requires access to the corporate VLAN? While many of these are acceptable ways to manage access to the environment, each one requires a different testing strategy.
Additional complexity within an organization's AWS environment comes from whether the organization is fully in the cloud or hybrid. A full AWS cloud deployment may be the cheapest option, as it will not require any additional testing of the organization's data center or the network connections between the two sites.
When a hybrid model is in scope, it introduces complexity in the network and access management of workloads in AWS, as there will presumably be firewall rules in the data center that allow communication with specific resources in AWS. This model requires additional testing of the firewall and network configuration from the data center to the AWS workloads, to ensure that proper security is in place to protect both locations.
Cost Factor #4: AWS Spend
This is a very common way for third parties to size the cost of services for AWS workloads.
Clearly the more spend an organization has on AWS, the more resources, services, and activities it has going on in the environment. Utilizing this metric simply provides an early indication of the potential time required to conduct the testing.
This may or may not be how a consultancy arrives at its figure; the questions may be more focused on the number of EC2 hosts, containers (nodes or images), Lambda functions, or users, but ultimately both approaches measure the same thing.
Both provide an understanding of the potential time required for testing, configuration review, and reporting. The larger the account, the more time, and the higher the cost, penetration testing will require.
How Much do Costs Vary from One Vendor to The Next?
The first factor that may change the cost of the engagement from one vendor to another is whether onsite work is required. While it may seem odd to discuss this when talking about an AWS penetration test, not all companies want the pen testers to perform the work remotely, and some do require an onsite presence. In this case, depending on the location of the office the tester will need to visit and how far it is from the tester's home, travel can drastically increase the overall cost. It is not uncommon to see $5,000 per week in travel costs.
As AWS penetration testing requires a strong set of skills across multiple domains of expertise, it is important to engage a vendor that is capable and proven in AWS security testing. This is not a service that all pentest vendors provide regularly, or at all. This is one of the reasons you may see a large difference in testing costs from one vendor to the next: a vendor that does not understand what is involved or how to perform the test will price it very differently.
Due to this, it is recommended to look for a vendor that can provide strong references, examples of work with AWS, and may even have awards related to their testing services.
How to Reduce AWS Pen Testing Costs
A way to manage cost is by understanding how one vendor can be lower cost than other vendors, while still providing the same quality of work.
The location of the testers has a large impact on the cost to provide services for vendors. Is the organization comfortable with engaging with firms based in other countries like India, Malaysia, or other lower-cost regions? If so, this is a prime way to help maintain or reduce the overall cost of the AWS penetration test, while receiving the same level and depth of penetration testing.
Another way to help maintain the cost of the AWS penetration test is to focus on production accounts first.
While any account that is publicly accessible should be included, focusing on production ensures that those systems are configured, managed, and operating in such a way to help prevent any breaches. Lessons learned from the production penetration test can be applied to non-prod accounts to help lower the overall cost of the penetration test.
While these are two ways to help contain cost, an organization must be acutely aware of what is being sacrificed for lower-cost testing. Generally, lower-cost testing will not provide the same depth as a full-cost service. This can create the illusion that the environment is secure, when in reality only the portion that could be tested appears to be secure. If a service or control could not be tested due to time constraints, it may well still have issues that expose the organization to a breach or loss of data.
Costs of AWS Pen Testing vs. Benefits
When it comes to penetration testing, there is always a debate about the cost of performing the testing vs. the potential cost of a breach. This can be a hard argument, as it pits a real cost against a theoretical future cost.
While this may be the case, an organization should take caution when debating the theoretical future costs of a breach. It is more than just the loss of data, the cost to repair, and the lost revenue while systems are down. It is the lost reputation that may impact future revenue years to come.
The downside may include large fines from governments and regulators, loss of licenses, and nullification of contracts. There is a myriad of other impacts the organization may deal with post-breach that may or may not be discussed, as part of the initial analysis. These impacts will not shrink soon; there is only more emphasis on the security of consumer data, and financial data.
It is not possible to fully evaluate all those details in this article to come up with a true cost of not performing a penetration test. These factors are topics for internal debate. The only point is that the potential yearly cost of penetration testing against AWS workloads may very well be worth the investment when these factors are considered.