AWS Pricing Calculator

Calculate your Amazon GuardDuty and architecture costs in a single estimate.

Amazon GuardDuty is a pay-as-you-go threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, and data. GuardDuty prices are based on the volume of service logs, events, workloads, or data analyzed.

GuardDuty pricing tiers include foundational pricing, which is the default level of service coverage, as well as GuardDuty protection plan pricing. When you activate GuardDuty for the first time in an account, default GuardDuty threat detection coverage, as well as available protection plan coverage, will automatically be enabled. However, you can customize how any new account inherits different protection plans in GuardDuty. The exception is Runtime Monitoring, which every account has to enable manually in the console.

With GuardDuty protection plans, you can choose which plans to turn on or off at any time. However, the default threat detection in GuardDuty cannot be disabled in active GuardDuty accounts.

Analyzed service logs are filtered for cost optimization and directly integrated with GuardDuty, which means you don't have to activate or pay for them separately.

Pricing varies by data source and AWS Region and is subject to change as new log sources are introduced, existing log sources are optimized to reduce cost, and log volumes increase and decrease with your varying workload-related activity on AWS. Consult the GuardDuty User Guide for Region-specific feature availability.

Free trial

In supported Regions, new GuardDuty account holders can try the service free for 30 days and gain access to all features* and detection findings. The GuardDuty console indicates how many days are left in the free trial as well as average daily cost (based on volume of data analyzed and scanned), taking the guesswork out of budget planning. 

*Malware Protection free trial is only available for GuardDuty initiated scanning.

Foundational threat detection pricing

To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes and processes data from foundational data sources to detect anomalies involving AWS Identity and Access Management (IAM) access keys and Amazon Elastic Compute Cloud (Amazon EC2). 

  • AWS CloudTrail management event analysis: GuardDuty continuously analyzes CloudTrail management events. Management events (also known as control plane) provide information about management operations that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
  • Amazon Virtual Private Cloud (Amazon VPC) Flow Log and DNS query log analysis: GuardDuty continuously analyzes Amazon VPC Flow Logs and DNS query logs. VPC Flow Log and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Log and DNS query log analyses are discounted with volume.

 

GuardDuty comes with a 30-day trial on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 
 
 
 

Pricing examples

CloudTrail management event analysis

In your environment, in one month, GuardDuty processes 40,000,000 CloudTrail management events in the US East (N. Virginia) Region.

Total charges:

40 management events * $4.00 (40 million management events, priced per million)

Total = $160 per month

VPC Flow Log and DNS query log analysis

In your environment, in one month, GuardDuty processes 2,000 GB of VPC Flow Logs and 1,000 GB of DNS query logs, for a total volume of 3,000 GB of logs.

Total charges:

   500 GB logs * $1.00 (first 500 GB)
+ 2,000 GB logs * $0.50 (next 2,000 GB)
+ 500 GB logs * $0.25 (last 500 GB)

Total = $1,625 per month

GuardDuty protection plans

In addition to foundational log data sources, GuardDuty can use data from other AWS services in your AWS environment to monitor and analyze for potential security threats. These features will be automatically enabled for new GuardDuty accounts (except Runtime Monitoring), and it is recommended to have these protections enabled for accounts with these active AWS workloads. However, you can customize how any new account inherits different protection plans in GuardDuty. The exception is Runtime Monitoring, which every account has to enable manually in the console. With all GuardDuty protection plans, you can choose which plans to turn on or off at any time.

Some features are not available in some Regions; if no pricing data appears for a specific feature, try changing any Region selector on the page to a different Region.

 

  • GuardDuty monitors threats against your Amazon Simple Storage Service (Amazon S3) resources by analyzing CloudTrail management events and CloudTrail S3 data events. When the GuardDuty S3 Protection feature is turned on, GuardDuty continuously analyzes authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.

    New and existing GuardDuty account holders can try optional GuardDuty protection plan features for 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 

    Pricing example

    CloudTrail S3 data event analysis

    In your environment, in one month, GuardDuty processes 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) Region. 

    Total charges:

       500 Amazon S3 data events * $0.80 (first 500 million data events, priced per million)
    + 500 Amazon S3 data events * $0.40 (next 500 million data events, priced per million)

    Total = $600 per month

  • Amazon Elastic Kubernetes Service (Amazon EKS) Protection in GuardDuty provides threat detection coverage to help you protect Amazon EKS clusters within your AWS environment.
     
    When EKS Audit Log Monitoring is activated, GuardDuty continuously analyzes EKS audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.
     
    GuardDuty also provides Runtime Monitoring protection for EKS workloads to analyze operating system–level behavior, such as file access, network connections, and process execution activity. For information on the pricing for this feature, refer to the Runtime Monitoring tab.
     
    New and existing GuardDuty account holders can try the GuardDuty protection plan features for 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
     

    Pricing examples

    Amazon EKS audit logs

    In your EKS container environment, in one month, GuardDuty processes 200,000,000 EKS events in the US East (N. Virginia) Region.

    Total charges:

       100 Amazon EKS events * $1.60 (first 100 million events, priced per million)
    + 100 Amazon EKS events * $0.80 (next 100 million events, priced per million)

    Total = $240 per month

  • GuardDuty offers Runtime Monitoring for EKS, Amazon Elastic Container Service (Amazon ECS) (including deployments running on AWS Fargate) and Amazon EC2 (Preview) workloads. When GuardDuty Runtime Monitoring is activated for a workload, GuardDuty begins collecting and analyzing runtime events for suspicious or potentially malicious activity. GuardDuty Runtime Monitoring pricing is based on the number and size of protected workloads, measured in virtual CPUs (vCPUs).

    • If GuardDuty EKS Runtime Monitoring or GuardDuty EC2 Runtime Monitoring (Preview) (including ECS on EC2) is enabled for your account, you will not be charged for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active. The runtime security agent provides us with similar (and more contextual) network telemetry data. Hence, to avoid double charging customers, we will not charge for VPC Flow Logs from EC2 instances where the agent is installed.
    • If you configure GuardDuty Runtime Monitoring to automatically deploy the GuardDuty security agent, this will create VPC endpoints in VPCs used to run your monitored workloads.
    • You will not be charged for associated networking bandwidth costs for event delivery.
    • vCPUs per month for an instance = (total hours a supported provisioned RDS or EKS instance being monitored is active) * number of vCPUs on the instance / (number of hours in a month)

    Pricing examples

    EKS Runtime Monitoring for four EKS workloads

    You have four m7g.xlarge EKS workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 16 vCPUs being monitored. GuardDuty continues to analyze and generate security findings based on VPC Flow Logs from EKS EC2 nodes in the account, resulting in 500 GB of VPC Flow Logs.

    Total charges:

                16 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
            + 500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)

    Total = $24 per month

    EKS Runtime Monitoring for 200 EKS workloads

    You have 200 m7g.xlarge EKS workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 800 vCPUs being monitored. GuardDuty continues to analyze and generate security findings based on VPC Flow Logs from EKS EC2 nodes in the account, resulting in 2,000 GB of VPC Flow Logs.

    Total charges:

                500 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
            + 300 vCPUs * $0.75 per vCPU (for next 4,500 vCPUs)
            + 500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)
            + 1,500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)

    Total = $975 per month

    ECS Runtime Monitoring for 100 ECS workloads running on Fargate

    You have 100 ECS workloads (tasks) running on Fargate and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 600 vCPUs being monitored.

    Total charges:

                500 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
            + 100 vCPUs * $0.75 per vCPU (for next 4,500 vCPUs)

    Total = $825 per month

    Runtime Monitoring for 100 EC2 workloads and 200 ECS workloads running on EC2

    You have 100 r6g.xlarge EC2 workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 400 vCPUs being monitored. Additionally, you have 200 m7g.xlarge ECS workloads running on EC2 and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 800 vCPUs being monitored.

    Total charges:

                   500 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
                + 700 vCPUs * $0.75 per vCPU (for next 4,500 vCPUs)

    Total = $1,275 per month

  • GuardDuty identifies resources that have already been compromised by malware, or that are at risk. Malware Protection helps GuardDuty detect the malware that may be the source of this compromise.

    When the GuardDuty Malware Protection feature is turned on, EC2 instance or container workloads with detected behavior indicative of malware will have a replica of their attached Amazon Elastic Block Store (Amazon EBS) volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which EC2 instances to scan using tags. Also, attached EBS volumes over 1 TB (1,024 GB) are not scanned.

    Malware Protection offers two types of scans: GuardDuty initiated malware scan, and On-demand malware scan. For more details on the two types of scans, see Malware Protection. There is no free trial period for Malware Protection On-demand Scanning.

    EBS snapshots are required for GuardDuty Malware Protection and are priced separately from GuardDuty Malware Protection. See Amazon EBS pricing for details.

    New and existing GuardDuty account holders can try GuardDuty Malware Protection (for GuardDuty initiated scanning only) at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 

    Pricing example

    Malware detection from EBS volume data scanned

    In the US East (N. Virginia) Region, in one month, GuardDuty VPC Flow Log and DNS query log analysis detects suspicious behavior, indicating the possible presence of malware, in two EC2 instances and one EKS workload running on another EC2 instance. Therefore, snapshots are made of all three attached EBS volumes, and volume replicas are scanned by the GuardDuty Malware Protection feature following the detection. The total volume of data across the three scanned attached EBS volumes is 540.75 GB. Additional EBS snapshot cost is prorated based on the scan time. The EBS snapshot is deleted within minutes after the scan is completed.

    Total charges:

    540.75 GB file volume scanned * $0.03 per GB

    Total = $16.22 per month

  • GuardDuty RDS Protection analyzes and profiles Amazon Relational Database Service (Amazon RDS) login activity for potential access threats to your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition). 

    When the GuardDuty RDS Protection feature is turned on, GuardDuty will immediately begin profiling and monitoring login activity to the Aurora databases in your AWS account for potential threats. The charge for GuardDuty RDS Protection is based on the number of protected RDS provisioned instance vCPUs per month. For Aurora Serverless v2 instances, the charge will be based on the number of protected Aurora Serverless v2 instance Aurora capacity units (ACUs) per month.

    New and existing GuardDuty account holders can try optional GuardDuty protection plan features for 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 

    • vCPUs per month for an instance = (total hours a supported provisioned RDS or EKS instance being monitored is active) * number of vCPUs on the instance / (number of hours in a month)
    • ACUs per month for an instance = (total hours a supported Aurora Serverless v2 instance being scanned is active) * number of ACUs on the instance / (number of hours in a month)
    • Amazon RDS instances support multithreading, which enables multiple threads to run concurrently on a single CPU core. Each thread is represented as a vCPU on the instance.
    • ACU is the unit of measure for Aurora Serverless v2. Aurora Serverless v2 capacity isn't tied to the DB instance classes that you use for provisioned clusters, but rather you specify the database capacity range for Aurora Serverless v2 using this unit of measure.

    Pricing examples

    RDS event analysis

    In your RDS environment, you have three supported Aurora db.r6g.xlarge instances being scanned (for the entire month) for potential security threats in the US East (N. Virginia) Region.

    Total charges:

    3 supported RDS provisioned instances * 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) * $1.00 (per vCPU) * 1 month

    Total = $12 per month

    RDS event analysis with Aurora Serverless v2 instance

    In your RDS environment, you have three supported Aurora db.r6g.xlarge instances and one Aurora Serverless v2 instance (with 60 ACUs) being scanned (for the entire month) for potential security threats in the US East (N. Virginia) Region.

    Total charges:

       3 supported RDS provisioned instances * 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) * $1.00 (per vCPU) * 1 month
    + 1 supported Aurora Serverless v2 instance * 60 ACUs * $0.25 (per ACU) * 1 month

    Total = $27 per month

  • GuardDuty Lambda Protection continuously monitors network activity logs generated from the execution of AWS Lambda functions to detect threats to Lambda, such as functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.

    Note that expansion into additional forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide Lambda Protection customers with notice of additional network activity monitoring at least 30 days before their release. New and existing GuardDuty account holders can try optional GuardDuty protection plan features for 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 

    Pricing example

    VPC Flow Logs generated from the execution of Lambda functions

    In your environment, in one month, GuardDuty processes 100 GB of network activity logs in the form of VPC Flow Logs generated from execution of Lambda functions in the US East (N. Virginia) Region.

    Total charges:

    100 GB of VPC Flow Logs from Lambda functions * $1.00 (first 500 GB)

    Total = $100 per month
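
The Runtime Monitoring examples above all assume workloads that run for the whole month. The following added example (not AWS code) applies the page's vCPUs-per-month formula and the tiered rates from those examples to a fleet that includes partial-month instances. The 720-hour month and all function names are assumptions; the rates are the US East (N. Virginia) figures quoted on this page.

```python
from decimal import Decimal

# Graduated Runtime Monitoring rates as shown in the page's US East
# (N. Virginia) examples: (tier size in vCPUs, USD per vCPU per month).
# The page shows no rate past 5,000 vCPUs, so none is included here.
RUNTIME_TIERS = [
    (Decimal(500), Decimal("1.50")),   # first 500 vCPUs
    (Decimal(4500), Decimal("0.75")),  # next 4,500 vCPUs
]

HOURS_IN_MONTH = 720  # assumption: a 30-day billing month


def vcpu_months(active_hours, vcpus, hours_in_month=HOURS_IN_MONTH):
    """Page formula: active hours * vCPUs on the instance / hours in the month."""
    return Decimal(active_hours) * Decimal(vcpus) / Decimal(hours_in_month)


def graduated_cost(quantity, tiers):
    """Bill each slice of the quantity at its own tier rate."""
    remaining = Decimal(quantity)
    total = Decimal(0)
    for size, rate in tiers:
        billed = min(remaining, size)
        total += billed * rate
        remaining -= billed
    if remaining > 0:
        raise ValueError("quantity exceeds the tiers shown on the page")
    return total


def runtime_monitoring_estimate(fleet, hours_in_month=HOURS_IN_MONTH):
    """fleet: iterable of (instance_count, vcpus_per_instance, active_hours).

    Prorated vCPUs are summed across the whole fleet before the tiers are
    applied, as in the page's combined EC2 + ECS example.
    """
    total_vcpus = sum(
        (count * vcpu_months(hours, vcpus, hours_in_month)
         for count, vcpus, hours in fleet),
        Decimal(0),
    )
    return total_vcpus, graduated_cost(total_vcpus, RUNTIME_TIERS)


if __name__ == "__main__":
    # Constructed input: 200 four-vCPU nodes all month plus 100 four-vCPU
    # nodes that ran for half the month (360 of 720 hours).
    vcpus, cost = runtime_monitoring_estimate([(200, 4, 720), (100, 4, 360)])
    print(f"{vcpus} prorated vCPUs -> ${cost:.2f} per month")
```

This estimate covers the Runtime Monitoring charge only; VPC Flow Log analysis for instances without an active agent is billed separately under the foundational rates.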
