AWS Pricing Calculator

Calculate your Amazon GuardDuty and architecture costs in a single estimate.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, and data. GuardDuty prices are based on the volume of service logs, events, workloads, or data analyzed. 

GuardDuty pricing tiers include foundational pricing, which is the default level of service coverage, as well as optional protection plans pricing. When you activate GuardDuty for the first time, you will automatically have foundational protections and optional protection plans turned on, with the exception of Amazon EKS Runtime Monitoring, which can be activated separately. While you can turn off any optional protection features at any time, the foundational protections are required for active GuardDuty accounts. Analyzed service logs are filtered for cost optimization and directly integrated with GuardDuty, which means you don’t have to activate or pay for them separately. 

Pricing varies by data source and Region, and is subject to change as new log sources are introduced, existing log sources are optimized to reduce cost, and log volumes increase and decrease with your varying workload-related activity in AWS. Consult the GuardDuty user guide for Region-specific feature availability.

Free trial

In supported Regions, new GuardDuty account holders can try the service free for 30 days and gain access to all features* and detection findings. The GuardDuty console indicates how many days are left in the free trial as well as average daily cost (based on volume of data analyzed and scanned), taking the guesswork out of budget planning. 

*Malware Protection free trial is only available for GuardDuty-initiated scanning.

Foundational threat detection pricing

To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes and processes data from foundational data sources to detect anomalies involving AWS Identity and Access Management (IAM) access keys and Amazon Elastic Compute Cloud (Amazon EC2). 

  • AWS CloudTrail management event analysis: GuardDuty continuously analyzes CloudTrail management events. Management events (also known as control plane) provide information about management operations that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
  • Amazon Virtual Private Cloud (VPC) Flow Log and DNS query log analysis: GuardDuty continuously analyzes Amazon VPC Flow Logs and Domain Name System (DNS) query logs. VPC Flow Log and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Log and DNS query log analyses are discounted with volume.
 
GuardDuty comes with a 30-day trial on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.

Pricing examples

AWS CloudTrail management event analysis

In your environment, in one month, GuardDuty processes 40,000,000 AWS CloudTrail management events in the US East (N. Virginia) region.

Total Charges:

40 million management events x $4.00 per million events

Total = $160 per month

VPC Flow Log and DNS query log analysis

In your environment, in one month, GuardDuty processes 2,000 GB of VPC Flow Logs and 1,000 GB of DNS query logs, for a total volume of 3,000 GB of logs.

Total charges:

   500 GB logs x $1.00 (first 500 GB)
+ 2,000 GB logs x $0.50 (next 2,000 GB)
+ 500 GB logs x $0.25 (last 500 GB)

Total = $1,625 per month

Optional protection plans

In addition to foundational log data sources, GuardDuty can use additional data from other AWS services in your AWS environment to monitor and analyze for potential security threats. Some features are not available in some AWS Regions; if no pricing data appears for a specific feature, try changing any Region selector on the page to a different Region.

  • S3 Protection
    GuardDuty monitors threats against your Amazon S3 resources by analyzing AWS CloudTrail management events and CloudTrail S3 data events. When the GuardDuty S3 Protection feature is turned on, GuardDuty continuously analyzes authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.

    New and existing GuardDuty account holders can try optional GuardDuty protection plan features for 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.

    Pricing example

    AWS CloudTrail S3 data event analysis

    In your environment, in one month, GuardDuty processes 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. 

    Total Charges:

       500 million Amazon S3 data events x $0.80 per million (first 500 million data events)
    + 500 million Amazon S3 data events x $0.40 per million (next 500 million data events)

    Total = $600 per month

  • EKS Protection
    Amazon Elastic Kubernetes Service (Amazon EKS) Protection in GuardDuty provides threat detection coverage to help you protect Amazon EKS clusters within your AWS environment. EKS Protection includes EKS Audit Log Monitoring and EKS Runtime Monitoring.

    EKS Audit Log Monitoring

    • When the GuardDuty EKS Protection feature is activated, GuardDuty continuously analyzes Amazon EKS audit logs and optimizes costs by processing only events that are used for security analysis. Amazon EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.

    EKS Runtime Monitoring

    • When the GuardDuty EKS Protection feature is activated, EKS Runtime Monitoring is turned on, and active GuardDuty agents are deployed on workloads in the account, GuardDuty will immediately begin monitoring your Amazon EKS instance runtime activities, such as file access, process execution, and network connections. EKS Runtime Monitoring pricing is based on the number and size of protected EKS workloads, measured in virtual CPUs (vCPUs).
    • If EKS Runtime Monitoring is enabled for your account, you will not be charged for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active. 
    • If you configure EKS Runtime Monitoring to automatically deploy the GuardDuty security agent, this could result in additional resource utilization, and will also create VPC endpoints in VPCs used to run Amazon EKS clusters. Learn more about Amazon EKS add-ons.
    • Customers will not be charged for associated networking bandwidth costs for event delivery.
    • vCPUs per month for an instance = (total hours a supported provisioned RDS or EKS instance being monitored is active) x Number of vCPUs on the instance / (number of hours in a month)

    Pricing examples

    Amazon EKS audit logs

    In your Amazon EKS container environment, in one month, GuardDuty processes 200,000,000 Amazon EKS events in the US East (N. Virginia) region.

    Total Charges:

       100 million Amazon EKS events x $1.60 per million (first 100 million events)
    + 100 million Amazon EKS events x $0.80 per million (next 100 million events)

    Total = $240 per month

    EKS runtime monitoring for four Amazon EKS workloads

    You have 4 m7g.xlarge Amazon EKS workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) region, resulting in 16 vCPUs being monitored. GuardDuty continues to analyze and generate security findings based on VPC Flow Logs from EKS EC2 nodes in the account, resulting in 500 GB of VPC Flow Logs.

    Total Charges:

    16 vCPUs x $1.50 per vCPU (for first 500 vCPUs)
    + 500 GB VPC Flow Logs  (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)

    Total = $24 per month

    EKS runtime monitoring for 200 Amazon EKS workloads

    You have 200 m7g.xlarge Amazon EKS workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) region, resulting in 800 vCPUs being monitored. GuardDuty continues to analyze and generate security findings based on VPC Flow Logs from EKS EC2 nodes in the account, resulting in 2,000 GB of VPC Flow Logs.

    Total Charges:

       500 vCPUs x $1.50 per vCPU (for first 500 vCPUs)
    + 300 vCPUs x $0.75 per vCPU (for next 4,500 vCPUs)
    + 500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)
    + 1,500 GB VPC Flow Logs  (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)

    Total = $975 per month
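
The vCPU-month formula and the tiered EKS Runtime Monitoring rates above, worked through as an added example (not AWS code). The function names, the 744-hour sample month and the choice to raise an error past the last tier are assumptions of this example; only the two tiers and their US East (N. Virginia) rates come from the pricing examples on this page.

```python
from decimal import Decimal

# Tiers for EKS Runtime Monitoring as shown in this page's US East (N. Virginia)
# examples: (tier size in vCPUs, USD per vCPU per month). Rates vary by Region.
EKS_RUNTIME_TIERS = [(Decimal(500), Decimal("1.50")), (Decimal(4500), Decimal("0.75"))]


def vcpu_months(active_hours, vcpus, hours_in_month):
    """Page formula: active hours x vCPUs on the instance / hours in the month."""
    if not 0 <= active_hours <= hours_in_month:
        raise ValueError("active_hours must be between 0 and hours_in_month")
    return Decimal(active_hours) * Decimal(vcpus) / Decimal(hours_in_month)


def tiered_charge(usage, tiers):
    """Bill each slice of usage at the rate of the tier it falls into."""
    remaining, total = Decimal(usage), Decimal(0)
    for size, rate in tiers:
        billed = min(remaining, size)
        total += billed * rate
        remaining -= billed
        if remaining == 0:
            return total
    # The page lists no rate past the last tier, so refuse rather than guess.
    raise ValueError(f"{remaining} units exceed the tiers listed on the page")


def eks_runtime_estimate(fleet, hours_in_month):
    """fleet: iterable of (instance_count, vcpus_per_instance, active_hours)."""
    usage = sum(
        (count * vcpu_months(hours, vcpus, hours_in_month) for count, vcpus, hours in fleet),
        Decimal(0),
    )
    return usage, tiered_charge(usage, EKS_RUNTIME_TIERS).quantize(Decimal("0.01"))


if __name__ == "__main__":
    HOURS = 744  # constructed: hours in a 31-day month
    # The page's two examples: m7g.xlarge (4 vCPUs) nodes active all month.
    print(eks_runtime_estimate([(4, 4, HOURS)], HOURS))
    print(eks_runtime_estimate([(200, 4, HOURS)], HOURS))
    # Constructed: 100 of the 200 nodes are active for only half the month.
    print(eks_runtime_estimate([(100, 4, HOURS), (100, 4, HOURS // 2)], HOURS))
```

The same `vcpu_months` proration applies to the RDS Protection vCPU formula; its rates would need their own tier table.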

  • Malware Protection
    GuardDuty identifies resources that have already been compromised by malware, or that are at risk. Malware Protection helps GuardDuty detect the malware that may be the source of this compromise.

    When the GuardDuty Malware Protection feature is turned on, Amazon Elastic Compute Cloud (EC2) instance or container workloads with detected behavior indicative of malware will have a replica of their attached Amazon Elastic Block Store (Amazon EBS) volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which Amazon EC2 instances to scan using tags. Also, attached EBS volumes over 1 TB (1,024 GB) are not scanned.

    Malware Protection offers two types of scans: GuardDuty-initiated malware scan, and On-demand malware scan. For more details on the two types of scans, visit Malware Protection. There is no free trial period for Malware Protection On-demand Scanning.

    Amazon EBS snapshots are required for GuardDuty Malware Protection and are priced separately from GuardDuty Malware Protection. Please visit Amazon EBS pricing for details.

    New and existing GuardDuty account holders can try GuardDuty Malware Protection (for GuardDuty-initiated scanning only) at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.

    Pricing example

    Malware detection from Amazon EBS volume data scanned

    In the US East (N. Virginia) Region, in one month, GuardDuty VPC Flow Log and DNS query log analysis detects suspicious behavior, indicating the possible presence of malware, in two EC2 instances and one Amazon EKS workload running on another EC2 instance. Therefore, snapshots are made of all three attached EBS volumes, and volume replicas are scanned by the GuardDuty Malware Protection feature following the detection. The total volume of data across the three scanned attached EBS volumes is 540.75 GB. Additional EBS snapshot cost is pro-rated based on the scan time. The EBS snapshot is deleted within minutes after the scan is completed.

    Total Charges:

    540.75 GB file volume scanned x $0.03 per GB

    Total = $16.22 per month

  • RDS Protection
    GuardDuty RDS Protection analyzes and profiles Amazon Relational Database Service (Amazon RDS) login activity for potential access threats to your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition).

    When the GuardDuty RDS Protection feature is turned on, GuardDuty will immediately begin profiling and monitoring login activity to the Aurora databases in your AWS account for potential threats. The charge for GuardDuty RDS Protection is based on the number of protected RDS provisioned instance virtual CPUs (vCPUs) per month. For Aurora Serverless v2 instances, the charge will be based on the number of protected Aurora Serverless v2 instance Aurora capacity units (ACUs) per month.

    • vCPUs per month for an instance = (total hours a supported provisioned RDS or EKS instance being monitored is active) x Number of vCPUs on the instance / (number of hours in a month)
    • ACUs per month for an instance = (total hours a supported Aurora Serverless v2 instance being scanned is active) x Number of ACUs on the instance / (number of hours in a month)
    • Amazon RDS instances support multithreading, which enables multiple threads to run concurrently on a single CPU core. Each thread is represented as a virtual CPU (vCPU) on the instance.
    • ACU is the unit of measure for Aurora Serverless v2. Aurora Serverless v2 capacity isn't tied to the DB instance classes that you use for provisioned clusters, but rather you specify the database capacity range for Aurora Serverless v2 using this unit of measure.

    Pricing examples

    Amazon RDS event analysis

    In your Amazon RDS environment, you have 3 supported Aurora db.r6g.xlarge instances being scanned (for the entire month) for potential security threats in the US East (N. Virginia) region.

    Total Charges:

    3 supported RDS provisioned instances x 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) x $1.00 (per vCPU) x 1 month

    Total = $12 per month

    Amazon RDS event analysis with Aurora Serverless v2 instance

    In your Amazon RDS environment, you have 3 supported Aurora db.r6g.xlarge instances and 1 Aurora Serverless v2 instance (with 60 ACUs) being scanned (for the entire month) for potential security threats in the US East (N. Virginia) region.

    Total Charges:

       3 supported RDS provisioned instances x 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) x $1.00 (per vCPU) x 1 month
    + 1 supported Aurora Serverless v2 instance x 60 ACUs x $0.25 (per ACU) x 1 month

    Total = $27 per month

  • Lambda Protection
    GuardDuty Lambda Protection continuously monitors network activity logs generated from the execution of AWS Lambda functions to detect threats to Lambda, such as functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.

    Please note that expansion into additional forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide Lambda Protection customers with notice of additional network activity monitoring at least 30 days prior to its release.

    Pricing example

    VPC Flow Logs generated from the execution of AWS Lambda functions

    In your environment, in one month, GuardDuty processes 100 GB of network activity logs in the form of VPC Flow Logs generated from execution of Lambda functions in the US East (N. Virginia) region.

    Total Charges:

    100 GB of VPC Flow Logs from Lambda functions x $1.00 (first 500 GB)

    Total = $100 per month
