AWS GuardDuty is a managed threat detection service that continuously monitors your AWS accounts and workloads for malicious activity. With pricing based on the volume of data analyzed across multiple sources, GuardDuty provides intelligent threat detection without requiring you to deploy or manage any security infrastructure.
TL;DR: GuardDuty charges $4.00 per million CloudTrail management events (first 500M), $1.00-$1.50 per GB for VPC Flow Log analysis, and $1.00 per million DNS queries. A 30-day free trial is included for every account. Enable only the protection plans you need per account to control costs.
CloudTrail Event Analysis
| Volume Tier | Price per Million Events |
|---|---|
| First 500 million events/month | $4.00 |
| Next 2 billion events/month | $2.00 |
| Next 7.5 billion events/month | $1.00 |
| Over 10 billion events/month | $0.50 |
CloudTrail management event analysis is the foundation of GuardDuty. It monitors API calls across your AWS account to detect unauthorized access, unusual API patterns, and potential credential compromise. GuardDuty automatically analyzes CloudTrail management events at no additional CloudTrail cost since it reads directly from the service.
For most accounts generating under 100 million events per month, the CloudTrail analysis cost stays below $400.
VPC Flow Log Analysis
| Volume Tier | Price per GB |
|---|---|
| First 500 GB/month | $1.50 |
| Next 2,000 GB/month | $0.75 |
| Next 7,500 GB/month | $0.25 |
| Over 10,000 GB/month | $0.15 |
GuardDuty analyzes VPC Flow Logs to identify suspicious network activity including port scanning, communication with known malicious IPs, and data exfiltration patterns. You do not need to enable VPC Flow Logs separately in your account since GuardDuty uses an independent, duplicated stream of flow log data.
DNS Query Analysis
| Component | Price |
|---|---|
| DNS query monitoring | $1.00 per million queries |
DNS query analysis detects instances communicating with command-and-control servers or domains associated with cryptocurrency mining and other threats. This source is automatically included when you enable GuardDuty.
S3 Protection
| Volume Tier | Price per Million Events |
|---|---|
| First 500 million data events/month | $0.80 |
| Next 2 billion data events/month | $0.40 |
| Next 7.5 billion data events/month | $0.16 |
| Over 10 billion data events/month | $0.08 |
S3 Protection monitors CloudTrail S3 data events (GetObject, PutObject, DeleteObject) to detect suspicious access patterns, anomalous data retrieval, and potential exfiltration from your buckets. This is an optional add-on that can be enabled per account.
Additional Protection Plans
| Protection Plan | Pricing Model |
|---|---|
| EKS Audit Log Monitoring | $1.50 per million audit log events (first 100M) |
| EKS Runtime Monitoring | $1.50 per vCPU/month |
| Lambda Network Activity Monitoring | $1.00 per million Lambda invocations (first 10M) |
| RDS Login Activity Monitoring | $0.60 per million RDS login events |
| Malware Protection for EC2 | $0.05 per GB scanned (first 500 GB) |
| Malware Protection for S3 | $0.60 per GB scanned |
Each protection plan is independently toggleable. EKS protection monitors Kubernetes audit logs and container runtime behavior. Lambda monitoring detects functions communicating with malicious endpoints. RDS protection identifies brute force login attempts against Aurora and RDS databases.
Free Trial and Free Tier
GuardDuty offers a 30-day free trial for each account in each Region when you first enable the service. During the trial, all enabled protection plans are available at no charge. The GuardDuty console displays estimated costs during the trial period, helping you forecast post-trial spending.
There is no permanent free tier after the trial period ends. However, you can disable specific protection plans (S3, EKS, Lambda, RDS) while keeping the foundational CloudTrail and VPC analysis active if you need to reduce costs.
Real-World Cost Examples
| Scenario | Monthly Data Volume | Estimated Monthly Cost |
|---|---|---|
| Small startup (1 account) | 10M CloudTrail events, 50 GB flow logs | $115 |
| Mid-size SaaS (5 accounts) | 200M events, 500 GB flow logs, S3 protection | $1,950 |
| Enterprise (20 accounts) | 2B events, 5 TB flow logs, all protections | $8,500 |
| Large organization (100 accounts) | 10B+ events, 20 TB+ flow logs | $25,000+ |
Cost Optimization Tips
1. Enable Only Needed Protection Plans
GuardDuty charges separately for each protection plan. If you do not run EKS clusters, disable EKS protection. If your Lambda functions do not process sensitive data, skip Lambda monitoring. Review each plan per account to avoid paying for unused coverage.
2. Use Multi-Account Management
Consolidate GuardDuty under AWS Organizations with a delegated administrator account. This provides centralized visibility and lets you apply protection plans selectively across member accounts rather than enabling everything everywhere.
3. Monitor Trial Usage Estimates
During the 30-day free trial, regularly check the Usage tab in the GuardDuty console. AWS displays projected costs by data source, letting you identify which sources drive the most spend before you start paying.
4. Reduce Noisy Data Sources
High-volume S3 buckets with frequent read operations can generate millions of data events. Consider whether S3 protection is necessary for logging or analytics buckets that have predictable access patterns and low security risk.
5. Leverage Volume Pricing Tiers
GuardDuty offers significant discounts at higher volumes. Consolidating accounts under a single payer does not aggregate tiers across accounts, but within a single account, higher volumes automatically reduce per-unit costs.
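The graduated tiers and the per-account rule above can be checked with a short calculation. This is an added example, not code from this page or from AWS: it uses only the CloudTrail and VPC Flow Log rates from the tables above, leaves out DNS and the add-on plans, and the account volumes are constructed.

```python
from decimal import Decimal

# (tier size, price per unit) in the order the tiers are consumed; None marks
# the unbounded top tier. Rates are copied from this page's tables.
CLOUDTRAIL_TIERS = [(500, "4.00"), (2000, "2.00"), (7500, "1.00"), (None, "0.50")]  # per million events
FLOW_LOG_TIERS = [(500, "1.50"), (2000, "0.75"), (7500, "0.25"), (None, "0.15")]    # per GB


def tiered_cost(units, tiers):
    """Graduated pricing: each rate applies only to the units inside its tier."""
    remaining = Decimal(str(units))
    if remaining < 0:
        raise ValueError("volume cannot be negative")
    total = Decimal("0")
    for size, rate in tiers:
        if remaining <= 0:
            break
        in_tier = remaining if size is None else min(remaining, Decimal(size))
        total += in_tier * Decimal(rate)
        remaining -= in_tier
    return total


def account_cost(events_millions, flow_gb):
    """Monthly foundational cost for one account (CloudTrail + flow logs only)."""
    return tiered_cost(events_millions, CLOUDTRAIL_TIERS) + tiered_cost(flow_gb, FLOW_LOG_TIERS)


def fleet_cost(accounts):
    """Tiers reset for every account, so price each account and then sum."""
    return sum((account_cost(e, g) for e, g in accounts), Decimal("0"))


if __name__ == "__main__":
    # Constructed volumes: the same 2B events in one account vs. 20 accounts.
    one_account = account_cost(2000, 0)
    twenty_accounts = fleet_cost([(100, 0)] * 20)
    print(f"small startup, 10M events + 50 GB: ${account_cost(10, 50)}")
    print(f"2B events in one account:          ${one_account}")
    print(f"2B events across 20 accounts:      ${twenty_accounts}")
```

Because the volume tiers apply per account, the 20-account split never leaves the first CloudTrail tier and costs more than the same volume in a single account.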
FAQ
Does GuardDuty require CloudTrail to be enabled?
No. GuardDuty independently accesses CloudTrail management events without requiring you to configure a separate trail. You do not pay CloudTrail charges for the events GuardDuty analyzes.
Can I enable GuardDuty in specific Regions only?
Yes. GuardDuty is a Regional service, so you only pay for Regions where it is enabled. However, AWS recommends enabling it in all Regions to detect unauthorized activity in Regions you do not normally use.
How does the 30-day free trial work with multiple accounts?
Each account gets its own 30-day free trial when GuardDuty is first enabled. Adding a new member account to an existing Organizations setup triggers a separate trial for that account.
