Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, Amazon Elastic Kubernetes Service (EKS) clusters, Amazon Aurora databases, and data stored in Amazon Simple Storage Service (S3). GuardDuty prices are based on the volume of both analyzed service logs and data scanned for malware. Analyzed service logs are filtered for cost-optimization and directly integrated with GuardDuty, which means you don’t have to enable or pay for them separately. Amazon Elastic Block Store (EBS) snapshots are required for GuardDuty Malware Protection. EBS snapshots are priced separately from GuardDuty Malware Protection. Please see EBS pricing for details.
During the preview period, GuardDuty RDS Protection for Amazon Aurora databases is available to GuardDuty customers at no additional cost.
GuardDuty charges are as follows:
- AWS CloudTrail management event analysis: GuardDuty continuously analyzes CloudTrail management events. Management events (also known as control plane) provide information about management opera-tions that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
- Amazon Virtual Private Cloud (VPC) Flow Log and DNS query log analysis: GuardDuty continuously ana-lyzes Amazon VPC Flow Logs and Domain Name System (DNS) query logs. VPC Flow Log and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Log and DNS query log analyses are dis-counted with volume.
- CloudTrail Amazon S3 data event analysis: When the GuardDuty S3 Protection feature is enabled, GuardDuty continuously analyzes authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.
- Amazon EKS audit log analysis: When the GuardDuty EKS Protection feature is enabled, GuardDuty con-tinuously analyzes EKS audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.
- Data scanned for malware: When the GuardDuty Malware Protection feature is enabled, Amazon Elastic Compute Cloud (EC2) instance or container workloads with detected behavior indicative of malware will have a replica of their attached Amazon Elastic Block Store (EBS) volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which Amazon EC2 instances to scan using tags. Also, attached EBS volumes over 1 TB (1,024 GB) are not scanned.
In supported Regions, new GuardDuty account holders can try the service free for 30 days and gain access to all features and detection findings. The GuardDuty console indicates how many days are left in the free trial as well as average daily cost (based on volume of data analyzed and scanned), taking the guesswork out of budget planning.
Pricing by region
Example 1: In your environment, in one month, GuardDuty processes 40,000,000 AWS CloudTrail management events and 200,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 2,000 GB of VPC Flow Logs and 1,000 GB of DNS query logs are processed, for a total volume of 3,000 GB of logs.
40 management events x $4.00 (40 million management events, priced per million)
+ 200 Amazon S3 data events x $0.80 (200 million data events, priced per million)
+ 500 GB logs x $1.00 (first 500 GB)
+ 2,000 GB logs x $0.50 (next 2,000 GB)
+ 500 GB logs x $0.25 (last 500 GB)
Total = $1,945 per month
Example 2: In your environment, in one month, GuardDuty processes 5,000,000 AWS CloudTrail management events and 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 200 GB of VPC Flow Logs and 50 GB of DNS query logs are processed, for a total volume of 250 GB of logs.
Five management events x $4.00 (five million management events, priced per million)
+ 500 Amazon S3 data events x $0.80 (first 500 million data events, priced per million)
+ 500 Amazon S3 data events x $0.40 (next 500 million data events, priced per million)
+ 250 GB logs x $1.00 (first 500 GB)
Total = $870 per month
Example 3: In your Amazon EKS container environment, in one month, GuardDuty processes 200,000,000 Amazon EKS events in the US East (N. Virginia) region.
100 Amazon EKS events x $1.60 (first 100 million events, priced per million)
+ 100 Amazon EKS events x $0.80 (next 100 million events, priced per million)
Total = $240 per month
Example 4: In the US East (N. Virginia) Region, in one month, GuardDuty VPC Flow Log and DNS query log analysis detects suspicious behavior, indicating the possible presence of malware, in two EC2 instances and one Amazon EKS workload running on another EC2 instance. Therefore, snapshots are made of all three attached EBS volumes, and volume replicas are scanned by the GuardDuty Malware Protection feature following the detection. The total volume of data across the three scanned attached EBS volumes is 540.75 GB. Additional EBS snapshot cost is pro-rated based on the scan time. The EBS snapshot is deleted within minutes after the scan is completed.
540.75 GB file volume scanned x $0.03
Total = $16.22 per month
GuardDuty is a threat detection service that provides you with an accurate and easy way to continuously monitor and protect your AWS accounts and workloads.
Try GuardDuty for 30-days at no cost. You will receive full access to GuardDuty features and its detection findings during the free trial.
Get started building with GuardDuty in the AWS Management Console.