AWS CVE Scanning - Cost Estimation

Panoptica supports scanning workloads for different threats and vulnerabilities, without installing any agents on the instance. The scans take place using an orchestration layer that takes snapshots of the instances and scans them offline without any impact to the environment.

Cost Estimation

Based on tests performed in Panoptica’s labs, the cost estimation for this scanning is around $0.008 per AWS EC2 Instance scan.

Please note that this is a rough estimation based on lab results.

To arrive at the above cost estimation, we performed the following test illustrated in the table below.

Data Classification Scanning

If you have enabled automatic Data Type Classification of your S3 buckets, there are additional costs incurred in using the get_object action to scan your data. Costs will vary according to the number of buckets, number of files in each bucket, file size, and location of the bucket.

This estimation assumes the largest bucket supported under Panoptica's scanning limitations: 500 files (5 directories, 100 files per directory); 20MB per file; bucket not located in the same region as Panoptica's data classification service.

Again, this is a rough estimation based on lab results. Your mileage may vary.

List Requests:

  • One list request per bucket
  • Cost: $0.005

GET Requests:

  • One GET request per file
  • 500 files = 500 GET requests
  • Cost: (500 / 1,000) * $0.004 = $0.002

Data Transfer:

  • Potentially transferring 500 files, each 20MB
  • Total data transfer: 500 files * 20MB/file = 10GB
  • Cost: 10 GB * $0.09/GB = $0.90

Total Cost, based on the highest cost per bucket:

  • List Request Cost + GET Requests Cost + Data Transfer Cost
  • Total Cost = $0.005 + $0.002 + $0.90 = $0.907
  • 500 buckets with the same maximum file capacity will cost approximately 500 * $0.907 = $453.50


Reducing costs

Due to the high cost of data transfer, scanning buckets in the regions where Panoptica's data scan service is running – US-East-2 (Ohio) or EU-Central-1 (Frankfurt) – will reduce costs significantly.

Minimizing file modifications will also reduce costs, as Panoptica only scans files that have been changed since the last scan.
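The per-bucket arithmetic above, together with the two cost-reduction levers just described (same-region buckets and scanning only changed files), can be turned into a small estimator. This is an added example, not part of the original page or of Panoptica's tooling; the request and transfer rates are the ones the page uses, while the $0.00/GB in-region transfer rate and the `changed_fraction` knob are assumptions introduced here.

```python
from dataclasses import dataclass

# Rates copied from the page's worked estimate.
LIST_REQUEST_USD = 0.005            # one LIST request per bucket
GET_REQUEST_USD_PER_1000 = 0.004    # GET requests are billed per 1,000
TRANSFER_USD_PER_GB = 0.09          # transfer out of S3 to another region
# Assumption (not stated on the page): transfer to a scanner in the same
# region is modelled as free. Adjust if your pricing differs.
IN_REGION_TRANSFER_USD_PER_GB = 0.0
# Regions where the page says the data classification service runs.
SCANNER_REGIONS = {"us-east-2", "eu-central-1"}


@dataclass
class Bucket:
    name: str
    region: str
    files: int
    file_size_mb: float
    # 1.0 = every file is (re)scanned; lower values model later scans that
    # only pick up files changed since the previous scan.
    changed_fraction: float = 1.0


def estimate_bucket_cost(b: Bucket) -> dict:
    """Itemised estimate for one bucket, following the page's breakdown."""
    scanned_files = round(b.files * b.changed_fraction)
    in_region = b.region in SCANNER_REGIONS
    rate = IN_REGION_TRANSFER_USD_PER_GB if in_region else TRANSFER_USD_PER_GB
    gigabytes = scanned_files * b.file_size_mb / 1000  # page treats 1 GB as 1000 MB
    costs = {
        "list": LIST_REQUEST_USD,
        "get": scanned_files / 1000 * GET_REQUEST_USD_PER_1000,
        "transfer": gigabytes * rate,
    }
    costs["total"] = costs["list"] + costs["get"] + costs["transfer"]
    return costs


def estimate_account_cost(buckets) -> float:
    """Sum of per-bucket totals across an account (or a scan run)."""
    return sum(estimate_bucket_cost(b)["total"] for b in buckets)


if __name__ == "__main__":
    # Constructed sample: the page's worst-case bucket, once cross-region,
    # once in a scanner region, and once as an incremental rescan.
    worst = Bucket("logs-prod", "ap-southeast-1", files=500, file_size_mb=20)
    local = Bucket("logs-ohio", "us-east-2", files=500, file_size_mb=20)
    rescan = Bucket("logs-prod", "ap-southeast-1", 500, 20, changed_fraction=0.1)
    for bucket in (worst, local, rescan):
        print(bucket.name, bucket.region, estimate_bucket_cost(bucket))
    print("500 worst-case buckets:", round(estimate_account_cost([worst] * 500), 2))
```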

Parameters Affecting AWS Costs/Billing

The following parameters can affect your AWS billing.

Frequency of workloads scans
By default, the workload scan runs once a day for all EC2 instances. The frequency can be changed on request, and you can initiate additional scans manually from the platform.

Each scan takes new snapshots of the scanned EC2 instances, creates volumes from those snapshots, and attaches them to a new spot fleet.

Spot fleet instance type
The instance type is chosen by AWS at the time the fleet is requested. Panoptica limits the spot fleet types to the following:
t2.xlarge, t2.2xlarge, t3.xlarge, t3.2xlarge, t3a.xlarge, t3a.2xlarge, m4.xlarge, m5.xlarge, m5.2xlarge, m5a.xlarge, m5a.2xlarge.

Panoptica spins up at least one spot fleet with eight instances per scan. Each spot instance can scan more than one volume or EC2 instance, but if the queue gets too long (i.e., if there are more than eight instances to scan), Panoptica could spin up more fleets.

AWS pricing
The price of spot fleet instances changes dynamically.

Spot fleets uptime
The spot fleets keep running until the scan finishes. An average fleet takes between 5 and 15 minutes to terminate. However, if the workload is especially heavy (large volumes or many EC2 instances), the spot fleet could take longer.

EBS lifetime
Panoptica creates volumes from EC2 snapshots. These volumes are attached to the spot fleet and deleted after the spot fleet terminates. Some volumes could remain for up to four hours after the scan finishes (due to a faulty AWS delete function). The pricing for this depends on the size and uptime of the temporary volume, which can vary.

Monitoring Costs

You can also monitor the ongoing costs for Panoptica’s CVE scan using the AWS Cost Explorer.

This can be done as follows:

  • AWS Cost Allocation Tags should be enabled for the “used-by” tag. All AWS resources created by Panoptica are automatically tagged as “used-by: panoptica-ec2-scan”.

  • Using AWS Cost Explorer, you can filter for the cost of the tag “used-by: panoptica-ec2-scan”.