Cloud security testing, 2026
AWS Penetration Test Cost (2026): $15K to $50K
AWS penetration testing has become the most expensive of the three major cloud-provider pentests because AWS account environments are typically the largest and most IAM-complex. A single-account assessment in 2026 runs $15,000-$22,000. Multi-account organisations push to $25,000-$40,000, and adding Kubernetes workload testing reaches $50,000. This page covers the AWS-specific scope decisions that drive most of the variance.
- Single account: $15K - $22K (standard AWS services, no Kubernetes)
- Multi-account org: $25K - $40K (3-10 accounts, AWS Organizations)
- EKS-included: $30K - $50K (plus container security depth)
AWS pentest pricing by scope
| Scope | 2026 USD | Days | Typical environment |
|---|---|---|---|
| Single account, no Kubernetes | $15,000 - $22,000 | 5-7 days | Production AWS account, EC2, S3, RDS, Lambda, IAM |
| Single account, with EKS | $22,000 - $30,000 | 7-10 days | Above plus EKS cluster with several namespaces |
| Multi-account (3-5 accounts) | $25,000 - $35,000 | 10-14 days | AWS Organizations, OU structure, multi-account IAM |
| Multi-account (5-15 accounts) plus EKS | $35,000 - $50,000 | 14-20 days | Production-grade landing zone, multiple workload accounts, EKS or Fargate |
| Enterprise multi-cloud (AWS + others) | $50,000+ | 20+ days | AWS plus Azure or GCP, federation, cross-cloud trust |
AWS pentest scope by service category
The customer side of the AWS shared responsibility model is what an AWS pentest covers. AWS itself is responsible for the underlying infrastructure; the customer is responsible for everything they configure on top. The scope categories below cover roughly 90% of AWS pentest engagements.
IAM and identity
User and role policy review, privilege escalation pathways via iam:PassRole and sts:AssumeRole chains, MFA enforcement, root account hygiene, AWS Organizations SCP coverage, IAM Access Analyzer findings review.
S3 and data storage
Bucket policy and ACL review, public exposure scanning, object-level permission review, KMS encryption coverage, S3 Object Lock and versioning verification, lifecycle policy review for sensitive data.
Compute (EC2, Lambda, ECS, EKS)
Security group and NACL review, instance metadata service v2 enforcement, Lambda function execution role permissions, container runtime security, Pod Security Standards in EKS, Fargate task role review.
Database services
RDS network exposure and IAM authentication, Aurora Serverless permissions, DynamoDB IAM policy review, ElastiCache encryption-at-rest verification, parameter group security configuration.
Networking
VPC peering and Transit Gateway review, PrivateLink endpoint policy review, VPN and Direct Connect terminations, Route 53 zone exposure, internet gateway and NAT gateway placement.
Logging and detection
CloudTrail multi-region coverage, GuardDuty findings review, AWS Config compliance pack review, SCP gaps that allow CloudTrail tampering, log destination integrity (S3 bucket policy on log buckets).
Secrets and crypto
Secrets Manager rotation policy, Parameter Store SecureString usage, KMS key policy review for cross-account access, KMS grant review, hardcoded secrets scan in Lambda code.
Application layer (if in scope)
Web apps deployed on AWS, API Gateway endpoint review, AppSync (managed GraphQL) authorisation, Cognito user pool and identity pool review, CloudFront origin access controls.
Why multi-account AWS pentests cost more
A multi-account AWS environment (the standard deployment pattern for any production-grade AWS workload) changes the pentest scope qualitatively, not just quantitatively. The tester needs to map cross-account trust relationships, review Service Control Policies at the AWS Organizations level, identify assume-role chains that span accounts, and verify that account boundaries actually enforce the authorisation model the architect intended.
A common cost-driving multi-account complexity is "cross-account assume-role for centralised tooling". Many organisations centralise tooling (security scanning, cost reporting, configuration management) in one account that has assume-role permissions into every workload account. The tooling account becomes a high-value target, and validating its blast radius takes meaningful testing time.
The other multi-account cost driver is reading SCPs accurately. SCPs are restrictive by nature, but their interaction with IAM policies is non-trivial, and a tester needs to reason carefully about what the effective permission set is for each principal in each account.
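The SCP-versus-IAM reasoning described above, together with the "SCP gaps that allow CloudTrail tampering" check listed under logging and detection, comes down to one evaluation rule: SCPs never grant access, they only bound it, and an explicit Deny wins everywhere. The script below is an added example, not code from the original page. It models that rule for identity policies plus the SCPs attached along an OU chain, and walks through an admin role that is blocked from cloudtrail:StopLogging by a guardrail SCP and allowed when the guardrail is missing. The policy documents, account id and trail name are constructed; resource policies, permission boundaries, session policies and the NotAction/NotResource/Condition keys are assumed out of scope.

```python
"""Effective-permission check: IAM identity policy intersected with SCPs.

Added example, not code from the original page. It models only the rule that
a request is allowed when every SCP level of the OU chain allows it, no SCP
denies it, and the identity policy then allows it. Resource policies,
permission boundaries, session policies, NotAction/NotResource and Condition
keys are deliberately out of scope (an assumption of this example).
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the only IAM wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def policy_decision(policy, action, resource):
    """Evaluate one policy document: 'Deny', 'Allow' or 'Implicit' (nothing matched)."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        for key in ("NotAction", "NotResource", "Condition"):
            if key in stmt:
                raise NotImplementedError(f"{key} is out of scope for this example")
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny anywhere in the document wins outright
        decision = "Allow"
    return decision


def effective_decision(identity_policies, scp_levels, action, resource):
    """Combine identity policies with the SCPs attached along the OU chain.

    scp_levels is ordered root -> OU -> ... -> account; each entry is the list
    of SCPs attached at that level. Every level needs a matching Allow and no
    matching Deny before the identity policies are even consulted.
    """
    for level in scp_levels:
        results = [policy_decision(p, action, resource) for p in level]
        if "Deny" in results or "Allow" not in results:
            return "Deny"
    results = [policy_decision(p, action, resource) for p in identity_policies]
    if "Deny" in results or "Allow" not in results:
        return "Deny"
    return "Allow"


# --- constructed sample policies (account id and trail name are placeholders) ---
FULL_AWS_ACCESS = {  # the default AWS-managed SCP attached at every level
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_CLOUDTRAIL_TAMPERING = {  # the guardrail the "SCP gaps" check looks for
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}
ADMIN_ROLE = {  # AdministratorAccess-style identity policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEVELOPER_ROLE = {  # narrowly scoped identity policy for contrast
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::app-data-111111111111/*"}],
}
TRAIL = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"


def demo():
    """Worked cases: the guardrail closes the gap even for an admin role."""
    guarded = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_CLOUDTRAIL_TAMPERING]]
    gap = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
    return {
        "admin_stop_logging_with_guardrail":
            effective_decision([ADMIN_ROLE], guarded, "cloudtrail:StopLogging", TRAIL),
        "admin_stop_logging_without_guardrail":
            effective_decision([ADMIN_ROLE], gap, "cloudtrail:StopLogging", TRAIL),
        "admin_read_events_with_guardrail":
            effective_decision([ADMIN_ROLE], guarded, "cloudtrail:LookupEvents", TRAIL),
        "developer_run_instances":
            effective_decision([DEVELOPER_ROLE], guarded, "ec2:RunInstances", "*"),
        "developer_get_object":
            effective_decision([DEVELOPER_ROLE], guarded, "s3:GetObject",
                               "arn:aws:s3:::app-data-111111111111/report.csv"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point the worked cases make is the one a tester has to verify per account: with only FullAWSAccess attached, nothing in the organisation stops an administrator from disabling the trail, so the check is about which level of the OU chain carries the Deny, not about the identity policy at all.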
EKS and container scope addons
Adding EKS to an AWS pentest typically increases the engagement by $7,000-$15,000 because container security is a substantively different discipline from cloud-control-plane security. The EKS-side scope covers Pod Security Standards enforcement, RBAC review inside the cluster, IAM Roles for Service Accounts (IRSA) configuration, container image scanning gaps, runtime security if Falco or similar is deployed, network policy enforcement, and any in-cluster service mesh (Istio, Linkerd) authorisation model.
For organisations running Fargate (serverless containers), the addon cost is typically lower ($4,000-$8,000) because the underlying container runtime is AWS-managed, removing several attack categories from scope.
AWS-specific scoping pitfalls
Three AWS-specific scoping decisions consistently surprise first-time buyers.
- Production vs sandbox testing. Most reputable firms refuse to pentest production environments without an explicit sign-off because the risk of unintentional impact (deleting production resources, triggering alarms, hitting rate limits) is real. Set up a near-production sandbox or accept the production-test risk explicitly.
- Account inventory accuracy. Many organisations under-declare their AWS account count because shadow accounts (developer experimentation, acquired company environments) are forgotten. The tester typically asks for AWS Organizations exports during scoping; provide the full list to avoid mid-engagement scope expansion.
- Application-layer inclusion. An AWS pentest that excludes the applications running on the AWS infrastructure misses many real-world attack paths. Bundle web app or API testing where it makes sense; the bundled price is usually 15-20% below separate engagements.
Frequently asked questions
How much does an AWS penetration test cost in 2026?
A single-account AWS pentest in 2026 costs $15,000-$22,000. Multi-account organisations (typical for production-grade AWS deployments) run $25,000-$40,000. Adding Kubernetes (EKS) workload testing pushes engagements to $30,000-$50,000. The price is driven by account count, IAM complexity, and whether containerised workloads are in scope.
Do I need permission from AWS to pentest my own AWS environment?
AWS removed the formal pre-approval requirement in 2019 for most testing types under the AWS Customer Support Policy for Penetration Testing. Customers can pentest their own resources running on EC2, RDS, Lambda, Aurora, CloudFront, API Gateway, Lightsail, and Elastic Beanstalk without notifying AWS. Some testing types (denial-of-service, simulated phishing of AWS account holders) still require coordination. Always check the latest AWS policy before testing.
What does an AWS pentest actually test?
An AWS pentest covers the customer side of the AWS shared responsibility model. Core scope includes IAM policy and role review (privilege escalation paths via iam:PassRole, sts:AssumeRole, etc.), S3 bucket and object exposure, EC2 security group and NACL review, Lambda function permission and execution role analysis, Secrets Manager and Parameter Store review, KMS key policy review, CloudTrail logging coverage gaps, and any in-scope workload-layer testing (EKS, ECS, web apps).
What is the most common AWS pentest finding?
Across our buyer corpus, the most consistent AWS pentest findings are: over-privileged IAM roles (especially service roles with iam:PassRole on resource:*), S3 buckets with permissive ACLs or bucket policies, secrets stored in environment variables or in plaintext within Parameter Store, lateral movement paths via STS assume-role chains, and Lambda functions with overly broad execution roles. Roughly 70% of first-time AWS pentests find at least one path to account-level privilege escalation.
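The over-privileged-role findings listed above (and the iam:PassRole and sts:AssumeRole escalation paths named in the IAM scope category) can be triaged mechanically before a human reads the policies. The script below is an added example, not the page's or any vendor's tooling. It reads policy documents in the JSON shape returned by `aws iam get-policy-version` or `get-role-policy`, and flags Allow statements that cover a sentinel ARN which cannot exist, which is how a Resource pattern reveals itself as "every role in the account". The sample policies, the account id and the sentinel ARNs are constructed; Condition blocks are reported for manual review rather than evaluated.

```python
"""Flag IAM statements that match the common-finding patterns listed above.

Added example, not code from the original page. Sample policies, account id
and sentinel ARNs are constructed. A statement whose Resource pattern matches
a sentinel ARN that cannot exist effectively covers every role (or policy).
"""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"  # placeholder account id
SENTINEL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/zz-sentinel-no-such-role"
SENTINEL_POLICY = f"arn:aws:iam::{ACCOUNT}:policy/zz-sentinel-no-such-policy"

# (finding label, action the statement must cover, resource it must cover)
RISKY_GRANTS = [
    ("Action '*' (full administrative access)", "*", "*"),
    ("iam:PassRole on any role", "iam:PassRole", SENTINEL_ROLE),
    ("sts:AssumeRole into any role", "sts:AssumeRole", SENTINEL_ROLE),
    ("iam:CreatePolicyVersion on any policy (can rewrite own permissions)",
     "iam:CreatePolicyVersion", SENTINEL_POLICY),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(patterns, value, case_insensitive):
    # Statement patterns may use '*' and '?'; action names are case-insensitive.
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def risky_statements(policy_name, policy_doc):
    """Return one finding per (statement, risky grant) pair in a policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(policy_doc["Statement"])):
        # Deny statements and NotAction grants need a human read; skip them here.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for label, action, resource in RISKY_GRANTS:
            if (_covers(stmt["Action"], action, case_insensitive=True)
                    and _covers(stmt.get("Resource", []), resource, case_insensitive=False)):
                findings.append({
                    "policy": policy_name,
                    "statement": stmt.get("Sid", f"#{index}"),
                    "finding": label,
                    # A Condition may narrow the grant (e.g. iam:PassedToService);
                    # it is reported for manual review rather than trusted blindly.
                    "conditioned": "Condition" in stmt,
                })
    return findings


def scan(policies):
    """policies: {name: policy document}. Returns all findings across them."""
    return [f for name, doc in policies.items() for f in risky_statements(name, doc)]


# --- constructed sample policies ---
SAMPLE_POLICIES = {
    "lambda-exec-broad": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": "*"},
        {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ]},
    "lambda-exec-scoped": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-worker-*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ]},
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ]},
    "cross-account-hop": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"},
    ]},
}


if __name__ == "__main__":
    for finding in scan(SAMPLE_POLICIES):
        flag = " (has Condition, review)" if finding["conditioned"] else ""
        print(f"{finding['policy']} {finding['statement']}: {finding['finding']}{flag}")
```

The scoped Lambda policy produces no finding because its Resource pattern only reaches `lambda-worker-*` roles, which is the remediation shape for the "iam:PassRole on resource:*" finding: name the roles that may be passed and pin the service with iam:PassedToService.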
Should AWS pentest be assumed-breach or external?
Both, ideally. External-only AWS pentests miss the bulk of cloud-relevant findings because most AWS misconfigurations are exploitable post-foothold rather than from the public internet. Assumed-breach AWS pentests (where the tester starts with low-privileged AWS credentials) consistently produce 3-5x more high and critical findings than external-only equivalents. Most reputable firms now default to assumed-breach as the primary scope.