Amazon GuardDuty pricing

• vCPUs per month for an instance = (total hours a supported RDS provisioned instance being scanned is active) x Number of vCPUs on the instance / (number of hours in a month)
• ACUs per month for an instance = (total hours a supported Aurora Serverless v2 instance being scanned is active) x Number of ACUs on the instance / (number of hours in a month)
• Amazon RDS instances support multithreading, which enables multiple threads to run concurrently on a single CPU core. Each thread is represented as a virtual CPU (vCPU) on the instance.
• ACU is the unit of measure for Aurora Serverless v2. Aurora Serverless v2 capacity isn't tied to the DB instance classes that you use for provisioned clusters, but rather you specify the database capacity range for Aurora Serverless v2 using this unit of measure.

Example 1: In your environment, in one month, GuardDuty processes 40,000,000 AWS CloudTrail management events and 200,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 2,000 GB of VPC Flow Logs and 1,000 GB of DNS query logs are processed, for a total volume of 3,000 GB of logs.

Total Charges:

40 management events x $4.00 (40 million management events, priced per million)
+ 200 Amazon S3 data events x $0.80 (200 million data events, priced per million)
+ 500 GB logs x $1.00 (first 500 GB)
+ 2,000 GB logs x $0.50 (next 2,000 GB)
+ 500 GB logs x $0.25 (last 500 GB)

Total = $1,945 per month

Example 2: In your environment, in one month, GuardDuty processes 5,000,000 AWS CloudTrail management events and 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 200 GB of VPC Flow Logs and 50 GB of DNS query logs are processed, for a total volume of 250 GB of logs.

Total Charges:

Five management events x $4.00 (five million management events, priced per million)
+ 500 Amazon S3 data events x $0.80 (first 500 million data events, priced per million)
+ 500 Amazon S3 data events x $0.40 (next 500 million data events, priced per million)
+ 250 GB logs x $1.00 (first 500 GB)

Total = $870 per month

Example 3: In your Amazon EKS container environment, in one month, GuardDuty processes 200,000,000 Amazon EKS events in the US East (N. Virginia) region.

Total Charges:

100 Amazon EKS events x $1.60 (first 100 million events, priced per million)
+ 100 Amazon EKS events x $0.80 (next 100 million events, priced per million)

Total = $240 per month

Example 4: In the US East (N. Virginia) Region, in one month, GuardDuty VPC Flow Log and DNS query log analysis detects suspicious behavior, indicating the possible presence of malware, in two EC2 instances and one Amazon EKS workload running on another EC2 instance. Therefore, snapshots are made of all three attached EBS volumes, and volume replicas are scanned by the GuardDuty Malware Protection feature following the detection. The total volume of data across the three scanned attached EBS volumes is 540.75 GB. Additional EBS snapshot cost is pro-rated based on the scan time. The EBS snapshot is deleted within minutes after the scan is completed.

Total Charges:

540.75 GB file volume scanned x $0.03

Total = $16.22 per month

Example 5: In your Amazon RDS environment, you have 3 supported Aurora db.r6g.xlarge instances being scanned (for the entire month) for potential security threats in the US East (N. Virginia) region.

Total Charges:

3 supported RDS provisioned instances x 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) x $1.00 (per vCPU) x 1 month

Total = $12 per month

Example 6: In your Amazon RDS environment, you have 3 supported Aurora db.r6g.xlarge instances and 1 Aurora Serverless v2 instance (with 60 ACUs) being scanned (for the entire month) for potential security threats in the US East (N. Virginia) region.

Total Charges:

3 supported RDS provisioned instances x 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) x $1.00 (per vCPU) x 1 month
+ 1 supported Aurora Serverless v2 instance x 60 ACUs x $0.25 (per ACU) x 1 month

Total = $27 per month