Overview

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, Amazon Elastic Kubernetes Service (EKS) clusters, Amazon Aurora databases, and data stored in Amazon Simple Storage Service (S3). GuardDuty prices are based on the volume of both analyzed service logs and data scanned for malware. Analyzed service logs are filtered for cost optimization and directly integrated with GuardDuty, which means you don’t have to activate or pay for them separately. Amazon Elastic Block Store (EBS) snapshots are required for GuardDuty Malware Protection. Amazon EBS snapshots are priced separately from GuardDuty Malware Protection. Please see EBS pricing for details.

GuardDuty charges are as follows:

  • AWS CloudTrail management event analysis: GuardDuty continuously analyzes CloudTrail management events. Management events (also known as control plane) provide information about management operations that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
  • Amazon Virtual Private Cloud (VPC) Flow Log and DNS query log analysis: GuardDuty continuously analyzes Amazon VPC Flow Logs and Domain Name System (DNS) query logs. VPC Flow Log and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Log and DNS query log analyses are discounted with volume.
  • AWS CloudTrail Amazon S3 data event analysis: When the GuardDuty S3 Protection feature is turned on, GuardDuty continuously analyzes authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.
  • Amazon EKS audit log analysis: When the GuardDuty EKS Protection feature is activated, GuardDuty continuously analyzes EKS audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.
  • Data scanned for malware: When the GuardDuty Malware Protection feature is turned on, Amazon Elastic Compute Cloud (EC2) instance or container workloads with detected behavior indicative of malware will have a replica of their attached Amazon EBS volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which Amazon EC2 instances to scan using tags. Also, attached EBS volumes over 1 TB (1,024 GB) are not scanned.
  • Amazon RDS event analysis: When the GuardDuty RDS Protection feature is turned on, GuardDuty will immediately begin profiling and monitoring login activity to the Aurora databases in your AWS account for potential threats. The charge for GuardDuty RDS Protection is based on the number of protected RDS provisioned instance virtual CPUs (vCPUs) per month. For Aurora Serverless v2 instances, the charge will be based on the number of protected Aurora Serverless v2 instance Aurora capacity units (ACUs) per month.

Free trial

In supported Regions, new GuardDuty account holders can try the service free for 30 days and gain access to all features and detection findings. The GuardDuty console indicates how many days are left in the free trial as well as average daily cost (based on volume of data analyzed and scanned), taking the guesswork out of budget planning.

Pricing by region

  • vCPUs per month for an instance = (total hours a supported RDS provisioned instance being scanned is active) x Number of vCPUs on the instance / (number of hours in a month)
  • ACUs per month for an instance = (total hours a supported Aurora Serverless v2 instance being scanned is active) x Number of ACUs on the instance / (number of hours in a month)
  • Amazon RDS instances support multithreading, which enables multiple threads to run concurrently on a single CPU core. Each thread is represented as a virtual CPU (vCPU) on the instance.
  • ACU is the unit of measure for Aurora Serverless v2. Aurora Serverless v2 capacity isn't tied to the DB instance classes that you use for provisioned clusters, but rather you specify the database capacity range for Aurora Serverless v2 using this unit of measure.

Pricing examples

Example 1: In your environment, in one month, GuardDuty processes 40,000,000 AWS CloudTrail management events and 200,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 2,000 GB of VPC Flow Logs and 1,000 GB of DNS query logs are processed, for a total volume of 3,000 GB of logs.

Total Charges:

40 management events x $4.00 (40 million management events, priced per million)
+ 200 Amazon S3 data events x $0.80 (200 million data events, priced per million)
+ 500 GB logs x $1.00 (first 500 GB)
+ 2,000 GB logs x $0.50 (next 2,000 GB)
+ 500 GB logs x $0.25 (last 500 GB)

Total = $1,945 per month

Example 2: In your environment, in one month, GuardDuty processes 5,000,000 AWS CloudTrail management events and 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 200 GB of VPC Flow Logs and 50 GB of DNS query logs are processed, for a total volume of 250 GB of logs.

Total Charges:

Five management events x $4.00 (five million management events, priced per million)
+ 500 Amazon S3 data events x $0.80 (first 500 million data events, priced per million)
+ 500 Amazon S3 data events x $0.40 (next 500 million data events, priced per million)
+ 250 GB logs x $1.00 (first 500 GB)

Total = $870 per month

Example 3: In your Amazon EKS container environment, in one month, GuardDuty processes 200,000,000 Amazon EKS events in the US East (N. Virginia) region.

Total Charges:

100 Amazon EKS events x $1.60 (first 100 million events, priced per million)
+ 100 Amazon EKS events x $0.80 (next 100 million events, priced per million)

Total = $240 per month

Example 4: In the US East (N. Virginia) Region, in one month, GuardDuty VPC Flow Log and DNS query log analysis detects suspicious behavior, indicating the possible presence of malware, in two EC2 instances and one Amazon EKS workload running on another EC2 instance. Therefore, snapshots are made of all three attached EBS volumes, and volume replicas are scanned by the GuardDuty Malware Protection feature following the detection. The total volume of data across the three scanned attached EBS volumes is 540.75 GB. Additional EBS snapshot cost is pro-rated based on the scan time. The EBS snapshot is deleted within minutes after the scan is completed.

Total Charges:

540.75 GB file volume scanned x $0.03

Total = $16.22 per month

Example 5: In your Amazon RDS environment, you have 3 supported Aurora db.r6g.xlarge instances being scanned (for the entire month) for potential security threats in the US East (N. Virginia) region.

Total Charges:

3 supported RDS provisioned instances x 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) x $1.00 (per vCPU) x 1 month

Total = $12 per month

Example 6: In your Amazon RDS environment, you have 3 supported Aurora db.r6g.xlarge instances and 1 Aurora Serverless v2 instance (with 60 ACUs) being scanned (for the entire month) for potential security threats in the US East (N. Virginia) region.

Total Charges:

3 supported RDS provisioned instances x 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) x $1.00 (per vCPU) x 1 month
+ 1 supported Aurora Serverless v2 instance x 60 ACUs x $0.25 (per ACU) x 1 month

Total = $27 per month
