Amazon GuardDuty pricing
Pricing overview
Amazon GuardDuty is a pay-as-you-go threat detection service that continuously monitors for malicious activity and anomalous behaviour to help protect your AWS accounts, workloads, and data. GuardDuty prices are based on the volume of service logs, events, workloads, or data analysed.
GuardDuty pricing tiers include foundational pricing, which is the default level of service coverage, as well as GuardDuty protection plan pricing. When you activate GuardDuty for the first time in an account, default GuardDuty threat detection coverage, as well as available protection plan coverage, will automatically be enabled. But, you can customise how any new account inherits different protection plans in GuardDuty.
With GuardDuty protection plans, you have the flexibility and choice of deciding which plans to turn on or off at any time. The default threat detection in GuardDuty cannot be disabled. This helps ensure that your environment is continuously monitored for potential security risks, even as you adapt your security strategy. Analysed service logs are filtered for cost optimisation and directly integrated with GuardDuty, which means you don't have to activate or pay for them separately.
Pricing varies by data source and AWS Region and is subject to change as new log sources are introduced, existing log sources are optimised to reduce cost, and log volumes increase and decrease with your varying workload-related activity on AWS. Consult the GuardDuty User Guide for Region-specific feature availability.
AWS Pricing Calculator
Calculate your Amazon GuardDuty and architecture costs in a single estimate.
Foundational threat detection pricing
To detect unauthorised and unexpected activity in your AWS environment, GuardDuty analyses and processes data from foundational data sources to detect anomalies involving AWS Identity and Access Management (IAM) access keys and Amazon Elastic Compute Cloud (Amazon EC2).
- AWS CloudTrail management event analysis: GuardDuty continuously analyses CloudTrail management events. Management events (also known as control plane) provide information about management operations that are performed on resources in your AWS account. CloudTrail management event analysis is charged per 1 million events per month and is prorated.
- Amazon Virtual Private Cloud (Amazon VPC) Flow Logs and DNS query log analysis: GuardDuty continuously analyses Amazon VPC Flow Logs and DNS query logs. VPC Flow Logs and DNS query log analysis is charged per gigabyte (GB) per month. Both VPC Flow Logs and DNS query log analyses are discounted with volume.
Pricing examples
GuardDuty protection plans
In addition to foundational log data sources, GuardDuty can use data from other AWS services in your AWS environment to monitor and analyse for potential security threats. These features will be automatically enabled for new GuardDuty accounts (except Runtime Monitoring), and it is recommended to have these protections enabled for accounts with these active AWS workloads. However, you can customise how new accounts inherit protection plans in GuardDuty. You can add protection plan coverage for all accounts or selected accounts. With all GuardDuty protection plans, you have the flexibility to turn plans on or off at any time.
Some features are not available in some Regions; if no pricing data appears for a specific feature, try changing any Region selector on the page to a different Region.
-
S3 Protection
-
EKS Protection
-
Runtime Monitoring
-
Malware Protection
-
Lambda Protection
-
GuardDuty monitors threats against your Amazon Simple Storage Service (Amazon S3) resources by analysing CloudTrail management events and CloudTrail S3 data events. When the GuardDuty S3 Protection feature is turned on, GuardDuty continuously analyses authenticated CloudTrail S3 data events, monitoring access and activity in your S3 buckets. CloudTrail S3 data event analysis is charged per 1 million events per month, is prorated, and is discounted with volume.
Pricing example
-
Amazon Elastic Kubernetes Service (Amazon EKS) Protection in GuardDuty provides threat detection coverage to help you protect Amazon EKS clusters within your AWS environment.
When EKS Audit Log Monitoring is activated, GuardDuty continuously analyses EKS audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit log analysis is charged per 1 million audit logs per month, is prorated, and is discounted with volume.
GuardDuty also provides Runtime Monitoring protection for EKS workloads to analyse operating system–level behaviour, such as file access, network connections, and process execution activity. For information on the pricing for this feature, refer to the Runtime Monitoring tab.
Pricing tables
Pricing examples
-
GuardDuty offers Runtime Monitoring for EKS, Amazon Elastic Container Service (Amazon ECS), including deployments running on AWS Fargate, and Amazon EC2 workloads. When GuardDuty Runtime Monitoring is activated for a workload, GuardDuty begins collecting and analysing runtime events for suspicious or potentially malicious activity. GuardDuty Runtime Monitoring pricing is based on the number and size of protected workloads, measured in virtual CPUs (vCPUs).
- If GuardDuty EKS Runtime Monitoring or GuardDuty EC2 Runtime Monitoring (including Amazon ECS on Amazon EC2) is enabled for your account, you will not be charged for analysis of VPC Flow Logs from instances where the GuardDuty agent is deployed and active. The runtime security agent provides us with similar (and more contextual) network telemetry data. Hence, to avoid double charging customers, we will not charge for VPC Flow Logs from Amazon EC2 instances where the agent is installed.
- If you configure GuardDuty Runtime Monitoring to automatically deploy the GuardDuty security agent, this will create VPC endpoints in VPCs used to run your monitored workloads.
- You will not be charged for associated networking bandwidth or hourly costs for event delivery whether GuardDuty manages the VPC endpoints or you choose to manage them yourself.
- vCPUs per month for an instance = (total hours a supported provisioned instance or task being monitored is active) * number of vCPUs on the instance or task / (number of hours in a month)
Pricing examples
-
GuardDuty identifies your resources that have already been compromised by malware, or those resources that are at risk. Malware Protection enables GuardDuty to detect the malware that may be the source of this compromise.
Malware Protection for EC2:GuardDuty offers fully managed malware scanning for Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads, and for Amazon S3 buckets.
When the GuardDuty Malware Protection feature is turned on for EBS data volume scanning, EC2 instance or container workloads with detected behaviour indicative of malware will have a replica of their attached Amazon Elastic Block Store (Amazon EBS) volumes scanned for possible malware. The charge for GuardDuty Malware Protection is based on the total and prorated GB volume of Amazon EBS data scanned each month. Configurable guardrails that you set up can help you control spend, such as setting up notifications when usage exceeds a specified limit and the ability to control which EC2 instances to scan using tags. Also, attached EBS volumes over 2 TB (2,048 GB) are not scanned.
You have the option to use GuardDuty-initiated malware scanning, or you can invoke On-demand malware scanning. There is no free trial period for Malware Protection On-demand Scanning.
EBS snapshots are required for GuardDuty Malware Protection for EC2 and are priced separately from GuardDuty Malware Protection for EC2. See Amazon EBS pricing for details.
Malware Protection for S3:
GuardDuty offers fully managed malware scanning for newly uploaded objects in your selected Amazon Simple Storage Service (Amazon S3) buckets.
After you configure an S3 bucket for malware protection, GuardDuty automatically scans newly uploaded files and, if malware is detected, generates a security finding and an Amazon EventBridge notification with details about the malware, allowing for integration with existing security event management or workflow systems. You can configure workflows to automatically quarantine malware by moving the object to an isolated bucket in your account, or use object tags to add the disposition of the scan result, allowing to better identify and categorise the scanned objects based on tags.
S3 object scanning costs are based on the GB volume of the objects scanned and number of objects evaluated per month. Amazon S3 APIs are required for Malware Protection for S3 and are priced separately. See Amazon S3 pricing for details.
You do not need to have the GuardDuty service enabled to enable GuardDuty Malware Protection for Amazon S3.
* Effective February 1, 2025, we reduced the price for the data scanned dimension of GuardDuty Malware Protection for Amazon S3 by 85%. In EU (Germany), for example, the price decreased from EUR 0.58 to EUR 0.09 per GB scanned. This reduction reflects improvements in our scanning infrastructure and data processing efficiencies, enabling more cost-effective protection for applications with untrusted uploads. The price for objects evaluated remains unchanged.
Pricing example
-
GuardDuty Lambda Protection continuously monitors network activity logs generated from the execution of AWS Lambda functions to detect threats to Lambda, such as functions maliciously repurposed for unauthorised cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.
Note that expansion into additional forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, and thus will increase the cost of the feature. Accordingly, AWS will provide Lambda Protection customers with notice of additional network activity monitoring at least 30 days before their release.
Pricing example
Additional pricing resources
Easily calculate your monthly costs with AWS
Contact AWS specialists to get a personalised quote