AWS CVE Scanning - Cost Estimation

Panoptica can scan workloads for threats and vulnerabilities without installing an agent on the instances. The scans run through an orchestration layer that takes snapshots of the instances' volumes and scans those copies offline, so the running workload is not touched.

Cost Estimation

Based on tests performed in Panoptica’s labs, the cost estimation for this scanning is around $0.008 per AWS EC2 Instance scan.

Please note that this is a rough estimation based on lab results.

To arrive at the above cost estimation, we performed the following test illustrated in the table below.

Parameters Affecting AWS Costs/Billing

The following parameters can affect your AWS billing.

Frequency of workloads scans
By default, the workload scan runs once a day for all EC2 instances. The frequency can be changed per your request, and you can initiate more scans manually from the platform.

Each scan takes new snapshots of the scanned EC2 instances, creates volumes from those snapshots, and attaches the volumes to a newly launched spot fleet. Snapshot storage, the temporary volumes, and the spot instances are all billed to your account.

Spot fleet instance type
The instance type actually launched is chosen by AWS at launch time from the allowed list, based on spot capacity and price at that moment. Panoptica limits the spot fleet to the following types:
t2.xlarge, t2.2xlarge, t3.xlarge, t3.2xlarge, t3a.xlarge, t3a.2xlarge, m4.xlarge, m5.xlarge, m5.2xlarge, m5a.xlarge, m5a.2xlarge.

Panoptica launches at least one spot fleet of eight instances per scan. Each spot instance can scan more than one volume or EC2 instance, but if the scan queue grows too long (for example, many more than eight instances waiting to be scanned), Panoptica may launch additional fleets.

AWS pricing
Spot instance prices change dynamically with capacity and demand, so the same scan can cost a different amount on different days and in different regions.

Spot fleets uptime
A spot fleet keeps running until its scan finishes. A typical fleet terminates within 5 to 15 minutes of launch. If the workload is heavy (large volumes or many EC2 instances), the fleet can run longer and cost correspondingly more.

EBS lifetime
Panoptica creates volumes from the EC2 snapshots. These volumes are attached to the spot fleet and deleted after the fleet terminates. Some volumes may remain for up to four hours after the scan finishes because the AWS delete call can fail. The cost of a leftover volume depends on its size and on how long it exists, so it varies from scan to scan. Because these volumes are copies of your instances' disks, a volume that outlives its scan is also a data-exposure concern, not only a billing one, and is worth checking for.
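The check below is an added example, not Panoptica's own code. It takes volume descriptions in the shape returned by the EC2 DescribeVolumes API, keeps only those carrying the used-by: panoptica-ec2-scan tag documented on this page, and sorts them into volumes still attached to a fleet, unattached volumes inside the four-hour window the page mentions, and unattached volumes older than that, which are the ones to alert on or delete. The sample volume list, the timestamp and the volume IDs are constructed for the example; the four-hour grace period is taken from this page.

```python
"""Find EBS volumes left behind by Panoptica EC2 scans.

Added example, not Panoptica code. Uses the used-by: panoptica-ec2-scan tag
and the four-hour grace period described on this page; everything else here
(volume IDs, sizes, timestamps) is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

SCAN_TAG_KEY = "used-by"
SCAN_TAG_VALUE = "panoptica-ec2-scan"
GRACE_PERIOD = timedelta(hours=4)  # page: volumes may linger up to four hours

# Server-side filter for describe_volumes (same syntax as the CLI --filters).
SCAN_VOLUME_FILTERS = [{"Name": f"tag:{SCAN_TAG_KEY}", "Values": [SCAN_TAG_VALUE]}]


def _tags(volume):
    return {t["Key"]: t["Value"] for t in volume.get("Tags", [])}


def classify_volumes(volumes, now):
    """Split scan volumes into in_progress (still attached), in_grace
    (unattached but younger than GRACE_PERIOD) and orphaned (older)."""
    result = {"in_progress": [], "in_grace": [], "orphaned": []}
    for vol in volumes:
        if _tags(vol).get(SCAN_TAG_KEY) != SCAN_TAG_VALUE:
            continue  # not a scan volume; never touch volumes we did not create
        if vol["State"] != "available":
            result["in_progress"].append(vol["VolumeId"])  # fleet still scanning
            continue
        age = now - vol["CreateTime"]
        bucket = "orphaned" if age > GRACE_PERIOD else "in_grace"
        result[bucket].append(vol["VolumeId"])
    return result


def orphaned_size_gib(volumes, now):
    """Total size of orphaned scan volumes; EBS bills by GiB-hour."""
    orphaned = set(classify_volumes(volumes, now)["orphaned"])
    return sum(v["Size"] for v in volumes if v["VolumeId"] in orphaned)


# Constructed sample, shaped like ec2.describe_volumes()["Volumes"].
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SCAN_TAG = [{"Key": SCAN_TAG_KEY, "Value": SCAN_TAG_VALUE}]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "in-use", "Size": 50,
     "CreateTime": NOW - timedelta(minutes=10), "Tags": SCAN_TAG},
    {"VolumeId": "vol-0bbb", "State": "available", "Size": 100,
     "CreateTime": NOW - timedelta(hours=1), "Tags": SCAN_TAG},
    {"VolumeId": "vol-0ccc", "State": "available", "Size": 200,
     "CreateTime": NOW - timedelta(hours=9), "Tags": SCAN_TAG},
    {"VolumeId": "vol-0ddd", "State": "available", "Size": 8,  # not a scan volume
     "CreateTime": NOW - timedelta(days=3),
     "Tags": [{"Key": "Name", "Value": "my-backup"}]},
]


def main():
    """Live run against the account; boto3 is only needed here."""
    import boto3
    ec2 = boto3.client("ec2")
    live = []
    for page in ec2.get_paginator("describe_volumes").paginate(Filters=SCAN_VOLUME_FILTERS):
        live.extend(page["Volumes"])
    now = datetime.now(timezone.utc)
    print(classify_volumes(live, now), "orphaned GiB:", orphaned_size_gib(live, now))


if __name__ == "__main__":
    print(classify_volumes(SAMPLE_VOLUMES, NOW), "orphaned GiB:", orphaned_size_gib(SAMPLE_VOLUMES, NOW))
```

Run it on a schedule shortly after the daily scan window plus four hours; anything in the orphaned bucket should be deleted (or at least alerted on) and the event recorded, since it indicates the AWS delete call failed.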

Monitoring Costs

You can also monitor the ongoing cost of Panoptica's CVE scans with AWS Cost Explorer.

This can be done as follows:

  • Activate “used-by” as a cost allocation tag (Billing console, Cost allocation tags). All AWS resources created by Panoptica are tagged “used-by: panoptica-ec2-scan”. Activation applies to cost data from that point on, so earlier scans will not show up under the tag.

  • In AWS Cost Explorer, filter by the tag “used-by: panoptica-ec2-scan” to see only the cost of the scanning resources, and group by service to separate the spot instances from the EBS volumes and snapshots.
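The script below is an added example, not Panoptica's own tooling. It builds the Cost Explorer tag filter for used-by: panoptica-ec2-scan, collapses a GetCostAndUsage response (daily granularity, grouped by service) into a cost per day and per service, divides by the number of instance scans that ran each day, and flags days whose per-scan cost is well above the $0.008 figure given on this page. The embedded response and the scan counts are constructed sample data; the flagging tolerance of 2x is an assumption chosen for the example.

```python
"""Per-scan cost check over a Cost Explorer response.

Added example, not Panoptica code. Assumes the used-by: panoptica-ec2-scan tag
and the $0.008 per instance scan estimate from this page. The response below
is constructed in the shape of ce.get_cost_and_usage(); the amounts are made up.
"""
from collections import defaultdict
from decimal import Decimal

TAG_KEY, TAG_VALUE = "used-by", "panoptica-ec2-scan"
BASELINE_PER_SCAN = Decimal("0.008")  # lab estimate from this page, USD


def cost_explorer_filter():
    """Filter for ce.get_cost_and_usage(Filter=...); the same dict, as JSON,
    works for `aws ce get-cost-and-usage --filter`."""
    return {"Tags": {"Key": TAG_KEY, "Values": [TAG_VALUE], "MatchOptions": ["EQUALS"]}}


def daily_cost_by_service(response):
    """Collapse a DAILY response grouped by SERVICE to {day: {service: Decimal}}."""
    out = {}
    for period in response["ResultsByTime"]:
        per_service = defaultdict(Decimal)
        for group in period["Groups"]:
            amount = group["Metrics"]["UnblendedCost"]["Amount"]
            per_service[group["Keys"][0]] += Decimal(amount)  # Decimal: no float rounding
        out[period["TimePeriod"]["Start"]] = dict(per_service)
    return out


def per_scan_cost(daily, scans_per_day):
    """USD per instance scan for each day with a known scan count.
    scans_per_day is the number of EC2 instances scanned that day (by
    default one scan per instance per day, per this page)."""
    return {day: sum(services.values(), Decimal(0)) / Decimal(scans_per_day[day])
            for day, services in daily.items() if scans_per_day.get(day)}


def days_over_baseline(per_scan, tolerance=Decimal("2")):
    """Days whose per-scan cost exceeds the baseline by more than `tolerance` x;
    a common cause is leftover EBS volumes from a failed delete."""
    return sorted(day for day, cost in per_scan.items() if cost > BASELINE_PER_SCAN * tolerance)


def _group(service, amount):
    return {"Keys": [service], "Metrics": {"UnblendedCost": {"Amount": amount, "Unit": "USD"}}}


# Constructed sample response: two days, costs already filtered by the tag.
SAMPLE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2024-05-01", "End": "2024-05-02"}, "Estimated": False,
     "Groups": [_group("Amazon Elastic Compute Cloud - Compute", "0.3"),
                _group("EC2 - Other", "0.5")]},
    {"TimePeriod": {"Start": "2024-05-02", "End": "2024-05-03"}, "Estimated": False,
     "Groups": [_group("Amazon Elastic Compute Cloud - Compute", "0.35"),
                _group("EC2 - Other", "3.25")]},  # EBS spike: volumes left behind
]}
SAMPLE_SCANS = {"2024-05-01": 100, "2024-05-02": 100}  # constructed instance counts


def main():
    """Live run; boto3 only needed here. Cost Explorer is a global API."""
    import boto3
    ce = boto3.client("ce", region_name="us-east-1")
    # One-time: activate the tag for cost allocation (payer account).
    ce.update_cost_allocation_tags_status(
        CostAllocationTagsStatus=[{"TagKey": TAG_KEY, "Status": "Active"}])
    resp = ce.get_cost_and_usage(
        TimePeriod={"Start": "2024-05-01", "End": "2024-05-03"}, Granularity="DAILY",
        Metrics=["UnblendedCost"], Filter=cost_explorer_filter(),
        GroupBy=[{"Type": "DIMENSION", "Key": "SERVICE"}])
    print(per_scan_cost(daily_cost_by_service(resp), SAMPLE_SCANS))


if __name__ == "__main__":
    costs = per_scan_cost(daily_cost_by_service(SAMPLE_RESPONSE), SAMPLE_SCANS)
    print(costs, "over baseline:", days_over_baseline(costs))
```

In Cost Explorer the spot instances appear under the EC2 Compute service and the temporary volumes and snapshots under "EC2 - Other", so grouping by service lets you tell a slow fleet from leftover volumes when a day is flagged.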