Pricing overview
Amazon GuardDuty is a pay-as-you-go threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, and data. GuardDuty prices are based on the volume of service logs, events, workloads, or data analyzed.
GuardDuty pricing tiers include foundational pricing, which is the default level of service coverage, as well as GuardDuty protection plan pricing. When you activate GuardDuty for the first time in an account, default GuardDuty threat detection coverage, as well as available protection plan coverage, will automatically be enabled. But, you can customize how any new account inherits different protection plans in GuardDuty.
With GuardDuty protection plans, you have the flexibility and choice of deciding which plans to turn on or off at any time. The default threat detection in GuardDuty cannot be disabled. This helps ensure that your environment is continuously monitored for potential security risks, even as you adapt your security strategy.
Analyzed service logs are filtered for cost optimization and directly integrated with GuardDuty, which means you don't have to activate or pay for them separately.
Pricing varies by data source and AWS Region and is subject to change as new log sources are introduced, existing log sources are optimized to reduce cost, and log volumes increase and decrease with your varying workload-related activity on AWS. Consult the GuardDuty User Guide for Region-specific feature availability.
AWS Pricing Calculator
Calculate your Amazon GuardDuty and architecture costs in a single estimate.
Free Trial
In supported Regions, AWS account holders who have not yet tried GuardDuty can take advantage of a free 30-day trial to access all of its features and protection plans. This free trial applies to each new AWS account in each Region. Additionally, even if you are currently using or have previously used GuardDuty, you can still receive a new 30-day trial for any additional GuardDuty protection plans you enable, provided you haven’t enabled them yet. The GuardDuty console makes budget planning easy by displaying the number of trial days remaining and an estimate of your average daily costs based on data volume.
*The only exception is Malware Protection, which has a separate free tier available. Malware Protection for Amazon EBS is included in the GuardDuty free trial, while Malware Protection for Amazon S3 has a free tier without a trial period.
Foundational threat detection pricing
To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes and processes data from foundational data sources to detect anomalies involving AWS Identity and Access Management (IAM) access keys and Amazon Elastic Compute Cloud (Amazon EC2).
- AWS CloudTrail management event analysis: GuardDuty continuously analyzes CloudTrail management events. Management events (also known as control plane) provide information about management operations that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
- Amazon Virtual Private Cloud (Amazon VPC) Flow Logs and DNS query log analysis: GuardDuty continuously analyzes Amazon VPC Flow Logs and DNS query logs. VPC Flow Logs and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Logs and DNS query log analyses are discounted with volume.
GuardDuty comes with a 30-day trial on the AWS Free Tier for accounts that have never enabled the service before. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
Pricing examples
GuardDuty protection plans
In addition to foundational log data sources, GuardDuty can use data from other AWS services in your AWS environment to monitor and analyze for potential security threats. These features will be automatically enabled for new GuardDuty accounts (except Runtime Monitoring), and it is recommended to have these protections enabled for accounts with these active AWS workloads. However, you can customize how new accounts inherit protection plans in GuardDuty. You can add protection plan coverage for all accounts or selected accounts. With all GuardDuty protection plans, you have the flexibility to turn plans on or off at any time.
Some features are not available in some Regions; if no pricing data appears for a specific feature, try changing any Region selector on the page to a different Region.
-
S3 Protection
-
EKS Protection
-
Runtime Monitoring
-
Malware Protection
-
RDS Protection
-
Lambda Protection
-
GuardDuty monitors threats against your Amazon Simple Storage Service (Amazon S3) resources by analyzing CloudTrail management events and CloudTrail S3 data events. When the GuardDuty S3 Protection feature is turned on, GuardDuty continuously analyzes authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.
New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
Pricing example
-
Amazon Elastic Kubernetes Service (Amazon EKS) Protection in GuardDuty provides threat detection coverage to help you protect Amazon EKS clusters within your AWS environment.
When EKS Audit Log Monitoring is activated, GuardDuty continuously analyzes EKS audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.
GuardDuty also provides Runtime Monitoring protection for EKS workloads to analyze operating system–level behavior, such as file access, network connections, and process execution activity. For information on the pricing for this feature, refer to the Runtime Monitoring tab.
New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.Pricing tables
Pricing examples
-
GuardDuty offers Runtime Monitoring for EKS, Amazon Elastic Container Service (Amazon ECS), including deployments running on AWS Fargate, and Amazon EC2 workloads. When GuardDuty Runtime Monitoring is activated for a workload, GuardDuty begins collecting and analyzing runtime events for suspicious or potentially malicious activity. GuardDuty Runtime Monitoring pricing is based on the number and size of protected workloads, measured in virtual CPUs (vCPUs).
- If GuardDuty EKS Runtime Monitoring or GuardDuty EC2 Runtime Monitoring (including Amazon ECS on Amazon EC2) is enabled for your account, you will not be charged for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active. The runtime security agent provides us with similar (and more contextual) network telemetry data. Hence, to avoid double charging customers, we will not charge for VPC Flow Logs from Amazon EC2 instances where the agent is installed.
- If you configure GuardDuty Runtime Monitoring to automatically deploy the GuardDuty security agent, this will create VPC endpoints in VPCs used to run your monitored workloads.
- You will not be charged for associated networking bandwidth costs for event delivery.
New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
- vCPUs per month for an instance = (total hours a supported provisioned instance or task being monitored is active) * number of vCPUs on the instance or task / (number of hours in a month)
Pricing examples
-
GuardDuty identifies your resources that have already been compromised by malware, or those resources that are at risk. Malware Protection enables GuardDuty to detect the malware that may be the source of this compromise.
Malware Protection for EC2:GuardDuty offers fully managed malware scanning for Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads, and for Amazon S3 buckets.
When the GuardDuty Malware Protection feature is turned on for EBS data volume scanning, EC2 instance or container workloads with detected behavior indicative of malware will have a replica of their attached Amazon Elastic Block Store (Amazon EBS) volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which EC2 instances to scan using tags. Also, attached EBS volumes over 2 TB (2,048 GB) are not scanned.
You have the option to use GuardDuty-initiated malware scanning, or you can invoke On-demand malware scanning. There is no free trial period for Malware Protection On-demand Scanning.
EBS snapshots are required for GuardDuty Malware Protection for EC2 and are priced separately from GuardDuty Malware Protection for EC2. See Amazon EBS pricing for details.
Malware Protection for S3:
GuardDuty offers fully managed malware scanning for newly uploaded objects in your selected Amazon Simple Storage Service (Amazon S3) buckets.
After you configure an S3 bucket for malware protection, GuardDuty automatically scans newly uploaded files and, if malware is detected, generates a security finding and an Amazon EventBridge notification with details about the malware, allowing for integration with existing security event management or workflow systems. You can configure workflows to automatically quarantine malware by moving the object to an isolated bucket in your account, or use object tags to add the disposition of the scan result, allowing to better identify and categorize the scanned objects based on tags.
S3 object scanning costs are based on the GB volume of the objects scanned and number of objects evaluated per month. Amazon S3 APIs are required for Malware Protection for S3 and are priced separately. See Amazon S3 pricing for details.
You do not need to have the GuardDuty service enabled to enable GuardDuty Malware Protection for Amazon S3.
The Malware Protection for Amazon S3 feature comes with a 12-month Free Tier, which includes 1,000 free requests and 1GB free each month, pursuant to the following conditions:- New AWS accounts will receive 1,000 requests and 1GB free each month for the first 12 months of account creation.
- Existing AWS accounts will be eligible to participate in the Free Tier until June 11, 2025. During this period, accounts with this feature enabled will receive 1,000 requests and 1GB free each month.
This Free Tier applies to every account in every Region where the feature is enabled. After the Free Tier period concludes, the standard pricing outlined below applies.
Pricing example
-
GuardDuty RDS Protection analyzes and profiles Amazon Relational Database Service (Amazon RDS) login activity for potential access threats to supported Amazon Aurora and Amazon RDS databases. For a full list of supported databases and versions, visit GuardDuty RDS Protection.
When the GuardDuty RDS Protection feature is turned on, GuardDuty will immediately begin profiling and monitoring login activity to the Aurora databases in your AWS account for potential threats. The charge for GuardDuty RDS Protection is based on the number of protected RDS provisioned instance vCPUs per month. For Aurora Serverless v2 instances, the charge will be based on the number of protected Aurora Serverless v2 instance Aurora capacity units (ACUs) per month.
Note that expansion into additional database engine login monitoring will increase the volume of login events that GuardDuty processes for RDS Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide RDS Protection customers with notice of additional login activity monitoring at least 30 days before their release.
New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
- vCPUs per month for an instance = (total hours a supported provisioned instance being monitored is active) * number of vCPUs on the instance / (number of hours in a month)
- ACUs per month for an instance = (total hours a supported Aurora Serverless v2 instance being scanned is active) * number of ACUs on the instance / (number of hours in a month)
- Amazon RDS instances support multithreading, which enables multiple threads to run concurrently on a single CPU core. Each thread is represented as a vCPU on the instance.
- ACU is the unit of measure for Aurora Serverless v2. Aurora Serverless v2 capacity isn't tied to the DB instance classes that you use for provisioned clusters, but rather you specify the database capacity range for Aurora Serverless v2 using this unit of measure.
Pricing examples
-
GuardDuty Lambda Protection continuously monitors network activity logs generated from the execution of AWS Lambda functions to detect threats to Lambda, such as functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.
Note that expansion into additional forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide Lambda Protection customers with notice of additional network activity monitoring at least 30 days before their release.
New and existing GuardDuty account holders who have not yet enabled a GuardDuty feature can try it 30 days at no cost on the AWS Free Tier. During the free trial period and thereafter, you can always monitor your estimated monthly spend on the GuardDuty console usage page, broken down by data source.
Pricing example
Additional pricing resources
Easily calculate your monthly costs with AWS
Contact AWS specialists to get a personalized quote