Pricing overview

Amazon GuardDuty is a pay-as-you-go threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, and data. GuardDuty prices are based on the volume of service logs, events, workloads, or data analyzed.

GuardDuty pricing tiers include foundational pricing, which is the default level of service coverage, as well as GuardDuty protection plan pricing. When you activate GuardDuty for the first time in an account, default GuardDuty threat detection coverage, as well as available protection plan coverage, will automatically be enabled. But, you can customize how any new account inherits different protection plans in GuardDuty, except Runtime Monitoring—every account will have to manually enable the Runtime Monitoring feature in the console.

With GuardDuty protection plans, you have the flexibility and choice of deciding which plans to turn on or off at any time. The default threat detection in GuardDuty cannot be disabled, however, in active GuardDuty accounts.

Analyzed service logs are filtered for cost optimization and directly integrated with GuardDuty, which means you don't have to activate or pay for them separately.

Pricing varies by data source and AWS Region and is subject to change as new log sources are introduced, existing log sources are optimized to reduce cost, and log volumes increase and decrease with your varying workload-related activity on AWS. Consult the GuardDuty User Guide for Region-specific feature availability.

AWS Pricing Calculator

AWS Pricing Calculator

Calculate your Amazon GuardDuty and architecture costs in a single estimate.

Free Trial

In supported Regions, AWS account holders who have not yet tried GuardDuty can take advantage of a free 30-day trial to access all of its features and protection plans. This free trial applies to each new AWS account in each Region. Additionally, even if you are currently using or have previously used GuardDuty, you can still receive a new 30-day trial for any additional GuardDuty protection plans you enable, provided you haven’t enabled them yet. The GuardDuty console makes budget planning easy by displaying the number of trial days remaining and an estimate of your average daily costs based on data volume.

*The only exception is Malware Protection, which has a separate free tier available. Malware Protection for Amazon EBS is included in the GuardDuty free trial, while Malware Protection for Amazon S3 has a free tier without a trial period.

Foundational threat detection pricing

To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes and processes data from foundational data sources to detect anomalies involving AWS Identity and Access Management (IAM) access keys and Amazon Elastic Compute Cloud (Amazon EC2). 

  • AWS CloudTrail management event analysis: GuardDuty continuously analyzes CloudTrail management events. Management events (also known as control plane) provide information about management operations that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
  • Amazon Virtual Private Cloud (Amazon VPC) Flow Log and DNS query log analysis: GuardDuty continuously analyzes Amazon VPC Flow Logs and DNS query logs. VPC Flow Log and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Log and DNS query log analyses are discounted with volume.

 

GuardDuty comes with a 30-day trial on the AWS Free Tier for accounts that have never enabled the service before. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 
 
 
 

Pricing examples

CloudTrail management event analysis

In your environment, in one month, GuardDuty processes 40,000,000 CloudTrail management events in the US East (N. Virginia) Region.

Total charges:

40 management events * $4.00 (40 million management events, priced per million)

Total = $160 per month

VPC Flow Log and DNS query log analysis

In your environment, in one month, GuardDuty processes 2,000 GB of VPC Flow Logs and 1,000 GB of DNS query logs, for a total volume of 3,000 GB of logs.

Total charges:

   500 GB logs * $1.00 (first 500 GB)
+ 2,000 GB logs * $0.50 (next 2,000 GB)
+ 500 GB logs * $0.25 (last 500 GB)

Total = $1,625 per month

GuardDuty protection plans

In addition to foundational log data sources, GuardDuty can use data from other AWS services in your AWS environment to monitor and analyze for potential security threats. These features will be automatically enabled for new GuardDuty accounts (except Runtime Monitoring), and it is recommended to have these protections enabled for accounts with these active AWS workloads. However, you can customize how new accounts inherit protection plans in GuardDuty. You can add protection plan coverage for all accounts or selected accounts. With all GuardDuty protection plans, you have the flexibility to turn plans on or off at any time.

Some features are not available in some Regions; if no pricing data appears for a specific feature, try changing any Region selector on the page to a different Region.

 

  • GuardDuty monitors threats against your Amazon Simple Storage Service (Amazon S3) resources by analyzing CloudTrail management events and CloudTrail S3 data events. When the GuardDuty S3 Protection feature is turned on, GuardDuty continuously analyzes authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.

    New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source. 

    Get started »

     

    Pricing example

    CloudTrail S3 data event analysis

    In your environment, in one month, GuardDuty processes 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) Region. 

    Total charges:

       500 Amazon S3 data events * $0.80 (first 500 million data events, priced per million)
    + 500 Amazon S3 data events * $0.40 (next 500 million data events, priced per million)

    Total = $600 per month

  • Amazon Elastic Kubernetes Service (Amazon EKS) Protection in GuardDuty provides threat detection coverage to help you protect Amazon EKS clusters within your AWS environment.
     
    When EKS Audit Log Monitoring is activated, GuardDuty continuously analyzes EKS audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.
     
    GuardDuty also provides Runtime Monitoring protection for EKS workloads to analyze operating system–level behavior, such as file access, network connections, and process execution activity. For information on the pricing for this feature, refer to the Runtime Monitoring tab.
     
    New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier.  During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
     

    Pricing tables

    Pricing examples

    Amazon EKS audit logs

    In your EKS container environment, in one month, GuardDuty processes 200,000,000 EKS events in the US East (N. Virginia) Region.

    Total charges:

       100 Amazon EKS events * $1.60 (first 100 million events, priced per million)
    + 100 Amazon EKS events * $0.80 (next 100 million events, priced per million)

    Total = $240 per month

  • GuardDuty offers Runtime Monitoring for EKS, Amazon Elastic Container Service (Amazon ECS), including deployments running on AWS Fargate, and Amazon EC2 workloads. When GuardDuty Runtime Monitoring is activated for a workload, GuardDuty begins collecting and analyzing runtime events for suspicious or potentially malicious activity. GuardDuty Runtime Monitoring pricing is based on the number and size of protected workloads, measured in virtual CPUs (vCPUs).

    • If GuardDuty EKS Runtime Monitoring or GuardDuty EC2 Runtime Monitoring (including Amazon ECS on Amazon EC2) is enabled for your account, you will not be charged for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active. The runtime security agent provides us with similar (and more contextual) network telemetry data. Hence, to avoid double charging customers, we will not charge for VPC Flow Logs from Amazon EC2 instances where the agent is installed.
    • If you configure GuardDuty Runtime Monitoring to automatically deploy the GuardDuty security agent, this will create VPC endpoints in VPCs used to run your monitored workloads.
    • You will not be charged for associated networking bandwidth costs for event delivery.

    New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier.  During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.

    • vCPUs per month for an instance = (total hours a supported provisioned instance or task being monitored is active) * number of vCPUs on the instance or task / (number of hours in a month)

    Pricing examples

    EKS Runtime Monitoring for four EKS workloads

    You have four m7g.xlarge EKS workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 16 vCPUs being monitored. GuardDuty continues to analyze and generate security findings based on VPC Flow Logs from EKS EC2 nodes in the account, resulting in 500 GB of VPC Flow Logs.

    Total charges:

                16 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
            + 500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)

    Total = $24 per month

    EKS Runtime Monitoring for 200 EKS workloads

    You have 200 m7g.xlarge EKS workloads running and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 800 vCPUs being monitored. GuardDuty continues to analyze and generate security findings based on VPC Flow Logs from EKS EC2 nodes in the account, resulting in 2,000 GB of VPC Flow Logs.

    Total charges:

                500 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
            + 300 vCPUs * $0.75 per vCPU (for next 4,500 vCPUs)
            + 500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)
            + 1,500 GB VPC Flow Logs (no charge for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active)

    Total = $975 per month

    ECS Runtime Monitoring for 100 ECS workloads running on Fargate

    You have 100 ECS workloads (tasks) running on Fargate and being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, and it results in 600 vCPUs being monitored.

    Total charges:

                500 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
            + 100 vCPUs * $0.75 per vCPU (for next 4,500 vCPUs)

    Total = $825 per month

    Runtime Monitoring for 100 EC2 workloads and 200 ECS workloads running on EC2

    You have 100 r6g.xlarge EC2 workloads running being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 400 vCPUs being monitored. Additionally, you have 200 m7g.xlarge ECS workloads running on EC2 being monitored for the entire month for runtime security threats in the US East (N. Virginia) Region, resulting in 800 vCPUs being monitored.

    Total charges:

                   500 vCPUs * $1.50 per vCPU (for first 500 vCPUs)
                + 700 vCPUs * $0.75 per vCPU (for next 4,500 vCPUs)

    Total = $1,275 per month

  • GuardDuty identifies your resources that have already been compromised by malware, or those resources that are at risk. Malware Protection enables GuardDuty to detect the malware that may be the source of this compromise.

    Malware Protection for EC2:

    GuardDuty offers fully managed malware scanning for Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads, and for Amazon S3 buckets.

    When the GuardDuty Malware Protection feature is turned on for EBS data volume scanning, EC2 instance or container workloads with detected behavior indicative of malware will have a replica of their attached Amazon Elastic Block Store (Amazon EBS) volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which EC2 instances to scan using tags. Also, attached EBS volumes over 2 TB (2,048 GB) are not scanned.

    You have the option to use GuardDuty-initiated malware scanning, or you can invoke On-demand malware scanning. There is no free trial period for Malware Protection On-demand Scanning.

    EBS snapshots are required for GuardDuty Malware Protection for EC2 and are priced separately from GuardDuty Malware Protection for EC2. See Amazon EBS pricing for details.

    Malware Protection for S3:

    GuardDuty offers fully managed malware scanning for newly uploaded objects in your selected Amazon Simple Storage Service (Amazon S3) buckets.

    After you configure an S3 bucket for malware protection, GuardDuty automatically scans newly uploaded files and, if malware is detected, generates a security finding and an Amazon EventBridge notification with details about the malware, allowing for integration with existing security event management or workflow systems. You can configure workflows to automatically quarantine malware by moving the object to an isolated bucket in your account, or use object tags to add the disposition of the scan result, allowing to better identify and categorize the scanned objects based on tags.

    S3 object scanning costs are based on the GB volume of the objects scanned and number of objects evaluated per month. Amazon S3 APIs are required for Malware Protection for S3 and are priced separately. See Amazon S3 pricing for details.

    You do not need to have the GuardDuty service enabled to enable GuardDuty Malware Protection for Amazon S3.

    The Malware Protection for Amazon S3 feature comes with a 12-month Free Tier, which includes 1,000 free requests and 1GB free each month, pursuant to the following conditions:

    • New AWS accounts will receive 1,000 requests and 1GB free each month for the first 12 months of account creation. 
    • Existing AWS accounts will be eligible to participate in the Free Tier until June 11, 2025. During this period, accounts with this feature enabled will receive 1,000 requests and 1GB free each month.

    This Free Tier applies to every account in every Region where the feature is enabled. After the Free Tier period concludes, the standard pricing outlined below applies.

    Get started »

    Pricing example

    Malware detection from EBS volume data scanned

    In the US East (N. Virginia) Region, in one month, GuardDuty VPC Flow Log and DNS query log analysis detects suspicious behavior, indicating the possible presence of malware, in two EC2 instances and one EKS workload running on another EC2 instance. Therefore, snapshots are made of all three attached EBS volumes, and volume replicas are scanned by the GuardDuty Malware Protection feature following the detection. The total volume of data across the three scanned attached EBS volumes is 540.75 GB. Additional EBS snapshot cost is prorated based on the scan time. The EBS snapshot is deleted within minutes after the scan is completed.

    Total charges:

    540.75 GB file volume scanned * $0.03 per GB

    Total = $16.22 per month

    Malware detection from Amazon S3 object scan analysis

    In one month, GuardDuty evaluates 4,000 file uploads into your designated S3 bucket(s) for the presence of malware. The file volume amounts to 350 GB.

    Total charges:

       350 GB * $.60 per GB
    + 4,000/1,000 * $0.215

    Total = $210.86 per month

  • GuardDuty RDS Protection analyzes and profiles Amazon Relational Database Service (Amazon RDS) login activity for potential access threats to supported Amazon Aurora and Amazon RDS databases. For a full list of supported databases and versions, visit GuardDuty RDS Protection.

    When the GuardDuty RDS Protection feature is turned on, GuardDuty will immediately begin profiling and monitoring login activity to the Aurora databases in your AWS account for potential threats. The charge for GuardDuty RDS Protection is based on the number of protected RDS provisioned instance vCPUs per month. For Aurora Serverless v2 instances, the charge will be based on the number of protected Aurora Serverless v2 instance Aurora capacity units (ACUs) per month.

    Note that expansion into additional database engine login monitoring will increase the volume of login events that GuardDuty processes for RDS Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide RDS Protection customers with notice of additional login activity monitoring at least 30 days before their release.

    New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier.  During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.

    Get started » 

    • vCPUs per month for an instance = (total hours a supported provisioned instance being monitored is active) * number of vCPUs on the instance / (number of hours in a month)
    • ACUs per month for an instance = (total hours a supported Aurora Serverless v2 instance being scanned is active) * number of ACUs on the instance / (number of hours in a month)
    • Amazon RDS instances support multithreading, which enables multiple threads to run concurrently on a single CPU core. Each thread is represented as a vCPU on the instance.
    • ACU is the unit of measure for Aurora Serverless v2. Aurora Serverless v2 capacity isn't tied to the DB instance classes that you use for provisioned clusters, but rather you specify the database capacity range for Aurora Serverless v2 using this unit of measure.

    Pricing examples

    RDS event analysis »

    In your RDS environment, you have three supported Aurora db.r6g.xlarge instances being scanned (for the entire month) for potential security threats in the US East (N. Virginia) Region.

    Total charges:

    3 supported RDS provisioned instances * 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) * $1.00 (per vCPU) * 1 month

    Total = $12 per month

    RDS event analysis with Aurora Serverless v2 instance

    In your RDS environment, you have three supported Aurora db.r6g.xlarge instances and one Aurora Serverless v2 instance (with 60 ACUs) being scanned (for the entire month) for potential security threats in the US East (N. Virginia) Region.

    Total charges:

       3 supported RDS provisioned instances * 4 vCPUs (db.r6g.xlarge instances have 4 vCPUs each) * $1.00 (per vCPU) * 1 month
    + 1 supported Aurora Serverless v2 instance * 60 ACUs x $0.25 (per ACU) * 1 month

    Total = $27 per month

  • GuardDuty Lambda Protection continuously monitors network activity logs generated from the execution of AWS Lambda functions to detect threats to Lambda, such as functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.

    Note that expansion into additional forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide Lambda Protection customers with notice of additional network activity monitoring at least 30 days before their release.

    New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier.  During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.

    Get started »

    Pricing example

    VPC Flow Logs generated from the execution of Lambda functions

    In your environment, in one month, GuardDuty processes 100 GB of network activity logs in the form of VPC Flow Logs generated from execution of Lambda functions in the US East (N. Virginia) Region.

    Total charges:

    100 GB of VPC Flow Logs from Lambda functions * $1.00 (first 500 GB)

    Total = $100 per month

Additional pricing resources

AWS Pricing Calculator

Easily calculate your monthly costs with AWS

Get pricing assistance

Contact AWS specialists to get a personalized quote