@SteveMcLeod I used to do pentesting for a living, the answer is: it depends on the types of data you’re storing. If it’s something very valuable like your client’s “account balances”, PII, etc. Then it won’t hurt, it will be a small assessment (1 or 2 days) and won’t be very expensive (~£1000/day). If you want an introduction with someone serious, I’m happy to connect you.
If your server is mainly static, I’m not sure if you’ll get much out of it. Make sure no unnecessary ports are open (you can use nmap for that), and you can also scan the web server with something like: nikto or ZAP.
There are some open-source tools you can use to do lightweight scanning like [i] and resources w/ AWS best practices [ii].
So the takeaways: a) do it if what you’re protecting is valuable (to your business or to your client’s). b) there are options for DIY’ing it, but you’re probably better off paying a pro to spend a couple of days looking at it.
p.s. happy to expand on any particular point.