Amazon GuardDuty pricing is one of the more confusing threat detection pricing models in AWS. You've got 7 protection plans, each with a different billing metric (events, gigabytes, vCPUs, scans), tiered volume discounts on some but not others, and a foundational layer you can't turn off. The official pricing page runs close to 5,000 words of dense tables. Community forums are full of users reporting bill shock, with GuardDuty costs jumping from $15/month to $400/month after enabling a few extra plans.
This guide translates all of that into plain English with real cost examples. You'll learn what each pricing dimension costs, which protection plans matter for your workload, and how to estimate your monthly bill. If you want a quick number, jump straight to the GuardDuty pricing calculator for a personalized estimate.
All pricing data is sourced from the official GuardDuty pricing page for US East (N. Virginia) as of February 2026. Prices vary by region.
How Much Does GuardDuty Cost?
Here's the quick answer. GuardDuty is pay-as-you-go with no upfront commitments. Your actual cost depends on data volume and which protection plans you enable:
- Small environment (5 accounts, 2 regions, foundational + S3 Protection): $10-100/month
- Mid-size environment (50 accounts, EKS + RDS workloads): $500-2,000/month
- Large environment (200+ accounts, all plans enabled): $5,000-20,000+/month
These ranges vary widely because GuardDuty bills across multiple independent dimensions. A startup with minimal API activity might pay $15/month. An enterprise running hundreds of EKS nodes with S3 data pipelines could easily exceed $10,000/month.
Every new GuardDuty account gets a 30-day free trial for most protection plans. Use it to measure your actual projected costs before committing. I'd also recommend using the GuardDuty pricing calculator to model different protection plan combinations for your specific workloads.
How GuardDuty Pricing Works
GuardDuty's pricing model has two layers, and understanding this structure is the foundation for everything else in this guide.
The first layer is foundational threat detection. This is always on. You cannot disable it. It analyzes CloudTrail management events and VPC Flow Logs plus DNS query logs. Think of it as the baseline cost for having GuardDuty enabled.
The second layer is optional protection plans. There are seven of them, each targeting a specific workload type (S3, EKS, Runtime, Malware, RDS, Lambda). Each plan has its own billing metric, its own free trial period, and can be toggled on or off independently.
One thing worth calling out: Extended Threat Detection, which uses AI/ML to correlate multi-stage attacks across services, is included at no additional cost. The more protection plans you enable, the better its attack sequence detection works. I'll cover this more in the comparison section.
Foundational Threat Detection (Always On)
This is your baseline cost. GuardDuty analyzes CloudTrail management events (every API call to AWS services) and VPC Flow Logs plus DNS query logs (network activity). You don't need to enable these log sources separately. GuardDuty uses its own independent data pipeline and filters the data for cost optimization.
Optional Protection Plans
Seven additional plans cover specific workload types. Each has its own pricing metric, and most come with a 30-day free trial. You can enable or disable any plan at any time, so there's no lock-in. The key is matching plans to your actual workloads, since paying for EKS Protection when you don't run Kubernetes is just burning money.
Foundational Threat Detection Pricing
Every GuardDuty deployment pays for foundational threat detection. These costs apply even if all optional protection plans are disabled, so this is the floor for your GuardDuty bill.
CloudTrail Management Events
GuardDuty continuously analyzes CloudTrail management events at a flat rate:
| Volume | Price (us-east-1) |
|---|---|
| All events | $4.00 per million events |
Worked example: 40 million CloudTrail management events in one month = 40 x $4.00 = $160/month.
For context on how CloudTrail event volumes relate to your broader AWS bill, see the CloudTrail pricing breakdown. CloudTrail management events are the same events driving your CloudTrail costs, so understanding the volume gives you visibility into both services.
VPC Flow Logs and DNS Query Logs
VPC Flow Log and DNS query log analysis uses tiered pricing with volume discounts:
| Volume Tier (us-east-1) | Price per GB/month |
|---|---|
| First 500 GB | $1.00 |
| Next 2,000 GB (500-2,500 GB) | $0.50 |
| Over 2,500 GB | $0.25 |
Worked example: 2,000 GB VPC Flow Logs + 1,000 GB DNS query logs = 3,000 GB total. 500 x $1.00 + 2,000 x $0.50 + 500 x $0.25 = $1,625/month.
One important note: when Runtime Monitoring is active and the GuardDuty agent is deployed on an instance, VPC Flow Log analysis charges are waived for that instance. This can significantly change the math for compute-heavy environments. I'll cover this in the Runtime Monitoring section.
Foundational detection is your floor. The optional protection plans are where costs, and security coverage, scale up.
Protection Plan Pricing Breakdown
Each protection plan below covers what it monitors, how it bills, the pricing tiers, and a worked example. I've ordered them by typical relevance: S3 first (most commonly enabled), then EKS, Runtime Monitoring, Malware Protection variants, RDS, and Lambda.
S3 Protection
Monitors threats against S3 resources by analyzing CloudTrail S3 data events. If you have S3 buckets with API activity, this plan is tracking who's accessing them and how.
| Volume Tier (us-east-1) | Price per 1M events |
|---|---|
| First 500 million events | $0.80 |
| Next 500 million (500M-1B) | $0.40 |
| Over 1 billion events | Continues with volume discount |
Worked example: 1 billion S3 data events = 500 x $0.80 + 500 x $0.40 = $600/month.
Cost watch: S3 Protection is one of the most expensive plans for accounts with heavy S3 API activity. ETL jobs, data pipelines, and high-volume read workloads can generate massive event counts. Consider disabling this in non-production accounts where the security value doesn't justify the cost.
EKS Audit Log Monitoring
Analyzes EKS audit logs for container-based threats and exploits:
| Volume Tier (us-east-1) | Price per 1M events |
|---|---|
| First 100 million events | $1.60 |
| Next 100 million (100M-200M) | $0.80 |
| Over 200 million events | Continues with volume discount |
Worked example: 200 million EKS events = 100 x $1.60 + 100 x $0.80 = $240/month.
If you're not running EKS, disable this plan. It generates zero value and should generate zero cost, but it's worth verifying it's actually off.
Runtime Monitoring (EKS, ECS, EC2)
Monitors operating system-level events (file access, network connections, process execution) across EKS, ECS (including Fargate), and EC2 workloads. Billing is based on vCPUs (virtual CPUs) per month:
| Volume Tier (us-east-1) | Price per vCPU/month |
|---|---|
| First 500 vCPUs | $1.50 |
| Next 4,500 vCPUs (500-5,000) | $0.75 |
| Over 5,000 vCPUs | Continues with volume discount |
The vCPU calculation is: (total hours instance is monitored) x number of vCPUs / (hours in month).
Worked examples:
| Scenario | vCPUs | Monthly Cost |
|---|---|---|
| 4 m7g.xlarge EKS workloads | 16 | $24 |
| 200 m7g.xlarge EKS workloads | 800 | $975 |
| 100 ECS Fargate tasks | 600 | $825 |
| 100 r6g.xlarge EC2 + 200 m7g.xlarge ECS-on-EC2 | 1,200 | $1,275 |
The VPC Flow Log offset: When Runtime Monitoring is enabled and the agent is active, GuardDuty waives VPC Flow Log analysis charges for those instances. The runtime agent provides similar (and more contextual) network telemetry. In compute-heavy environments, this waiver can significantly offset the Runtime Monitoring cost. Run the math both ways before deciding.
GuardDuty also creates VPC endpoints automatically when Runtime Monitoring deploys its agent. There's no charge for the associated networking bandwidth or hourly costs for event delivery.
Malware Protection for EC2
Scans EBS volumes attached to EC2 instances and container workloads when suspicious behavior is detected:
| Volume (us-east-1) | Price per GB scanned |
|---|---|
| All data | $0.03 |
Two scan modes exist: GuardDuty-initiated (included in the 30-day trial) and on-demand (no free trial).
Worked example: Three EBS volumes totaling 540.75 GB scanned = 540.75 x $0.03 = $16.22/month.
You can control which instances get scanned using tags, which is useful for excluding dev/test workloads. But here's the catch: EBS snapshots required for scanning are billed separately at standard EBS snapshot rates. This cost isn't included in the GuardDuty line item on your bill. Also, volumes over 2 TB (2,048 GB) are not scanned at all.
Malware Protection for S3
Scans newly uploaded objects in selected S3 buckets. This plan does not require GuardDuty to be enabled, which makes it unique among the protection plans.
| Dimension (us-east-1) | Price |
|---|---|
| Per GB of data scanned | $0.09 (reduced 85% from $0.60, effective Feb 2025) |
| Per 1,000 objects evaluated | $0.215 |
Worked example: 4,000 objects, 350 GB scanned = (350 x $0.09) + (4 x $0.215) = $32.36/month.
The February 2025 price cut (85% reduction) makes S3 malware scanning much more viable than it used to be. If you dismissed it previously due to cost, it's worth re-evaluating.
The free tier here is different from other plans: it's a 12-month Free Tier (not a 30-day trial) with 1,000 requests and 1 GB data scanned per month per account. On-demand scanning via API is not included in the free tier. Also note that S3 GET/PUT operations triggered by scanning are billed at standard S3 rates.
Malware Protection for AWS Backup
Scans EC2, EBS, and S3 backups for malware, with support for incremental scanning (only new/changed data between backups):
| Volume (us-east-1) | Price per GB scanned |
|---|---|
| All data | $0.05 |
Worked example: Initial full scan of 1,250 GB + incremental 275 GB = (1,250 x $0.05) + (275 x $0.05) = $76.25/month.
No free trial or free tier. AWS Backup storage is billed separately. For details on those costs, see the AWS Backup pricing guide.
RDS Protection
Analyzes and profiles login activity for Amazon Aurora and Amazon RDS databases:
| Dimension (us-east-1) | Price |
|---|---|
| Per provisioned instance vCPU/month | $1.00 |
| Per Aurora Serverless v2 ACU/month | $0.25 |
ACU stands for Aurora Capacity Unit, which is the compute unit for Serverless v2 instances.
Worked examples:
- 3 db.r6g.xlarge instances (4 vCPUs each) = 12 x $1.00 = $12/month
- 3 db.r6g.xlarge + 1 Aurora Serverless v2 (60 ACUs) = (12 x $1.00) + (60 x $0.25) = $27/month
Regional pricing varies more for RDS Protection than most plans. Europe (Spain) charges $1.09/vCPU and Europe (Zurich) charges $1.35/vCPU (updated April 2025). Aurora Limitless databases are now charged at Serverless v2 rates (corrected December 2025).
Lambda Protection
Monitors VPC Flow Logs generated from Lambda function execution to detect threats like cryptomining and command-and-control communication:
| Volume Tier (us-east-1) | Price per GB/month |
|---|---|
| First 500 GB | $1.00 |
| Next 2,000 GB (500-2,500 GB) | $0.50 |
| Over 2,500 GB | $0.25 |
Worked example: 100 GB of Lambda VPC Flow Logs = 100 x $1.00 = $100/month.
Important: Lambda Protection only applies to Lambda functions running in a VPC. If your functions don't use VPCs, this plan generates minimal or zero cost. Check before you pay for it.
That's a lot of pricing dimensions. Let's put them all side by side.
All Protection Plans Compared
Here's the comparison table that doesn't exist on any other page ranking for GuardDuty pricing. Every plan, one view:
| Plan | What It Monitors | Billing Metric | Starting Price (us-east-1) | Volume Discounts | Free Trial | Enabled by Default |
|---|---|---|---|---|---|---|
| Foundational | CloudTrail mgmt events | Per 1M events | $4.00 | No | 30 days | Yes (can't disable) |
| Foundational | VPC Flow + DNS logs | Per GB | $1.00 | Yes | 30 days | Yes (can't disable) |
| S3 Protection | S3 data events | Per 1M events | $0.80 | Yes | 30 days | Yes |
| EKS Audit Logs | EKS audit events | Per 1M events | $1.60 | Yes | 30 days | Yes |
| Runtime Monitoring | OS-level events (EKS/ECS/EC2) | Per vCPU/month | $1.50 | Yes | 30 days | No |
| Malware: EC2 | EBS volumes | Per GB scanned | $0.03 | No | 30 days | Yes |
| Malware: S3 | S3 objects | Per GB + per 1K objects | $0.09 + $0.215 | No | 12-month Free Tier | No |
| Malware: Backup | EC2/EBS/S3 backups | Per GB scanned | $0.05 | No | None | No |
| RDS Protection | DB login activity | Per vCPU or ACU/month | $1.00 / $0.25 | No | 30 days | Yes |
| Lambda Protection | Lambda VPC Flow Logs | Per GB | $1.00 | Yes | 30 days | Yes |
Quick recommendations based on workload type:
- Running EKS? Enable EKS Protection + Runtime Monitoring. The runtime agent gives you deeper visibility and waives VPC Flow Log charges.
- Pure serverless? Focus on S3 Protection + Lambda Protection. Skip EKS and Runtime Monitoring.
- Heavy compute (EC2/ECS)? Runtime Monitoring is worth evaluating for the VPC Flow Log cost offset alone.
- Databases? RDS Protection at $1.00/vCPU is relatively cheap for the login anomaly detection you get.
And remember: Extended Threat Detection is included at no extra cost for all GuardDuty accounts. It uses AI/ML to correlate signals across services and identify multi-stage attacks (credential compromise followed by data exfiltration, container exploitation chains). It maps findings to MITRE ATT&CK tactics. The more plans you enable, the more data it has to work with.
GuardDuty Free Trial and Free Tier
Before committing to any plans, take advantage of the free trial to measure your actual costs. Here's how it works.
Most protection plans include a 30-day free trial per account per Region. Each plan has its own independent trial period, meaning you can enable Runtime Monitoring two weeks after enabling GuardDuty and still get a full 30-day trial for Runtime Monitoring.
| Protection Plan | Enabled by Default | Free Trial |
|---|---|---|
| Foundational threat detection | Yes (can't disable) | 30 days |
| S3 Protection | Yes | 30 days |
| EKS Protection | Yes | 30 days |
| Runtime Monitoring | No | 30 days |
| Malware Protection for EC2 (GuardDuty-initiated) | Yes | 30 days |
| Malware Protection for EC2 (on-demand) | No | None |
| Malware Protection for S3 | No | 12-month Free Tier |
| Malware Protection for AWS Backup | No | None |
| RDS Protection | Yes | 30 days |
| Lambda Protection | Yes | 30 days |
Malware Protection for S3 is the outlier. Instead of a 30-day trial, it uses a 12-month Free Tier: 1,000 requests and 1 GB data scanned per month per account. On-demand scanning via API is excluded.
Strategic advice: Enable all protection plans during the free trial. The GuardDuty console shows estimated costs per data source during the trial period, so you can see exactly what each plan would cost post-trial. After 30 days, disable the plans that don't justify their cost for your workloads. This is the most accurate way to forecast your GuardDuty bill.
Existing accounts can also get a new 30-day trial when enabling a protection plan for the first time. If you've had GuardDuty enabled for a year but never turned on Runtime Monitoring, you'll still get a full trial when you do.
One more thing: enabling or disabling Security Hub does not affect your GuardDuty trial status. They're independent.
What GuardDuty Actually Costs: Real-World Examples
The pricing tables tell you the unit costs. But what most people actually want to know is: "Given my environment, what will my monthly bill look like?" Here are three scenarios using realistic workload profiles.
Startup (5 AWS Accounts)
Assumptions: 5 accounts, 2 regions, minimal workloads, foundational + S3 Protection only.
| Cost Component | Volume | Monthly Cost |
|---|---|---|
| CloudTrail management events | 2M events x 10 detectors | $80 |
| VPC Flow + DNS logs | 50 GB total | $50 |
| S3 Protection | 10M events total | $8 |
| Total | ~$138/month |
With the free trial active, this is $0 for the first 30 days. Post-trial, you're looking at roughly $50-150/month depending on how much API activity your accounts generate. Even accounts with minimal workloads produce CloudTrail management events, which is why the foundational cost never hits zero.
Mid-Size Company (50 Accounts, EKS + RDS)
Assumptions: 50 accounts, 3 regions, EKS clusters, RDS databases, moderate S3 usage. Protection plans enabled: foundational, S3, EKS, Runtime Monitoring, RDS.
| Cost Component | Volume | Monthly Cost |
|---|---|---|
| CloudTrail management events | 20M events x 150 detectors | ~$600 |
| VPC Flow + DNS logs | 800 GB total | $650 |
| S3 Protection | 200M events total | $160 |
| EKS Audit Logs | 50M events total | $80 |
| Runtime Monitoring | 200 vCPUs total | $300 |
| RDS Protection | 40 vCPUs total | $40 |
| Total | ~$1,830/month |
The VPC Flow Log waiver from Runtime Monitoring would reduce foundational costs on monitored instances, potentially saving $100-200/month depending on how much of the 800 GB comes from those instances. Actual range: $1,500-2,500/month.
Enterprise (200+ Accounts, Full Coverage)
Assumptions: 200 accounts, 5 regions, all protection plans enabled, heavy compute and storage workloads. Managed through AWS Organizations with a delegated administrator.
| Cost Component | Volume | Monthly Cost |
|---|---|---|
| CloudTrail management events | 100M events x 1,000 detectors | ~$4,000 |
| VPC Flow + DNS logs | 5,000 GB total | $1,875 |
| S3 Protection | 2B events total | $1,000 |
| EKS Audit Logs | 300M events total | $400 |
| Runtime Monitoring | 2,000 vCPUs total | $1,875 |
| RDS Protection | 100 vCPUs + 200 ACUs | $150 |
| Lambda Protection | 500 GB total | $500 |
| Malware Protection (EC2) | 2,000 GB scanned | $60 |
| Total | ~$9,860/month |
At this scale, volume discounts kick in across multiple dimensions, and the VPC Flow Log waiver from Runtime Monitoring can save $500-1,000/month. Actual range: $8,000-15,000+/month depending on workload density and data volumes.
For organizations at this scale, the delegated administrator can view usage costs across all member accounts from the GuardDuty console, giving centralized cost visibility.
If those numbers are higher than you expected, there are concrete ways to bring them down.
How to Reduce Your GuardDuty Bill
GuardDuty cost optimization comes down to two things: only pay for the plans you need, and monitor usage so spikes don't surprise you. Here are the specific tactics that work.
1. Disable protection plans you don't need. This is the most obvious one, but I keep seeing it missed. Not running EKS? Disable EKS Protection. Lambda functions not in VPCs? Disable Lambda Protection. Each disabled plan is a billing dimension eliminated.
2. Use Runtime Monitoring to offset VPC Flow Log costs. When the agent is active on EC2 or EKS instances, foundational VPC Flow Log charges are waived for those instances. For compute-heavy environments, the Runtime Monitoring cost can be partially or fully offset by the VPC Flow Log savings. Calculate both scenarios before deciding.
3. Apply tag-based malware scan controls. For Malware Protection for EC2, use tags to exclude dev/test instances from scanning. This avoids burning scan budget on non-critical workloads where malware detection has lower value.
4. Set up CloudWatch alarms on usage metrics. GuardDuty publishes metrics hourly to the AWS/GuardDuty namespace. The ones to watch: AnalyzedBytes, AnalyzedCount, MonitoredVcpuHours, and ScannedBytes. Set threshold alarms so cost spikes trigger notifications before they hit your bill. See the GuardDuty usage monitoring documentation for the full metric reference.
5. Use the free trial to measure before you commit. Enable all plans during the trial. The console shows estimated costs per data source. After 30 days, you'll have real data to decide which plans are worth keeping. This is more accurate than any calculator (including ours).
6. Deploy through AWS Organizations. A delegated administrator gets centralized cost visibility across all member accounts. This makes it easier to identify which accounts are driving the highest costs and apply multi-account best practices for cost control.
7. Optimize S3 event volume. S3 Protection costs scale with the number of S3 data events. Consolidating bucket activity, reducing unnecessary API calls, and cleaning up unused buckets indirectly reduces GuardDuty costs. If you have data pipeline accounts generating billions of S3 events, disabling S3 Protection in those non-production accounts can save hundreds per month. For a broader look at estimating and tracking AWS service costs, see our AWS cost estimation tools guide.
8. Set EBS volume guardrails. Configure notification thresholds for Malware Protection for EC2 to alert when scan volumes exceed your budget. Volumes over 2 TB are automatically excluded from scanning anyway.
Use the GuardDuty pricing calculator to model the cost impact of different protection plan combinations before making changes.
Hidden Costs and Gotchas
Beyond the listed prices, here are the costs that catch people off guard. None of these are obvious from the pricing page alone.
EBS snapshot costs are separate. Malware Protection for EC2 creates EBS snapshots for scanning. These snapshots are billed at standard EBS snapshot rates, not included in the $0.03/GB GuardDuty scanning charge. For instances with large volumes, snapshot costs can exceed the scan cost itself.
S3 API costs from malware scanning. Malware Protection for S3 triggers GET and PUT operations that are billed at standard S3 rates. If you enable optional S3 Object Tagging for scan results, that's another S3 charge. These aren't huge individually, but they add up across thousands of objects.
Inactive accounts still generate costs. Even AWS accounts with minimal workloads produce CloudTrail management events. Community reports show $0.10-0.30/day per account just for foundational detection. With 200 accounts, that's $20-60/day ($600-1,800/month) before any optional plans are enabled.
Step Functions + CloudTrail is an expensive combination. Step Functions generate CloudTrail management events that GuardDuty analyzes. Users have reported this adds roughly 44% to their Step Functions costs as a hidden "tax." If you're running Step Functions at scale, this interaction drives up your foundational detection costs.
S3 heavy-read workloads inflate S3 Protection costs. High-volume S3 API patterns (ETL jobs, data pipelines, ML training data reads) can generate massive S3 data event volumes. I've seen S3 Protection costs jump from $100/month to $2,000/month after a new data pipeline was deployed. Monitor this dimension closely.
EBS volumes over 2 TB (2,048 GB) are not scanned. You still pay for scanning the volumes under 2 TB, but get no malware coverage on larger ones. If your security team assumes full coverage, this is a blind spot worth documenting. There's also a limit of 25 protected S3 buckets per account per Region for Malware Protection for S3.
Key Takeaways
GuardDuty pricing has two layers: foundational detection (always on, can't disable) and optional protection plans (toggle per workload). The foundational layer is your cost floor, and the protection plans add cost proportional to your workload size and type.
Here's what I'd recommend as next steps:
- Start with the 30-day free trial to measure actual costs across all plans
- Use the comparison table above to match plans to your workloads, then disable what you don't need
- Set up CloudWatch alarms on GuardDuty usage metrics to catch cost spikes early
- Watch S3 Protection and Runtime Monitoring costs specifically, since they're the two biggest cost levers for most environments
- Factor in hidden costs like EBS snapshots, S3 API charges, and inactive account baseline costs
Use the GuardDuty pricing calculator to estimate your specific monthly bill, then validate against real usage during the free trial. Taking a shift-left approach to cloud costs means catching these security service costs during infrastructure code review, not after they show up on your bill. For a broader view of where GuardDuty fits in your security strategy, see AWS security best practices.
What's been your experience with GuardDuty pricing? Have you run into cost surprises beyond what's covered here? Share in the comments below.
Shift-Left Your FinOps Practice
Move cost awareness from monthly bill reviews to code review. CloudBurn shows AWS cost impact in every PR, empowering developers to make informed infrastructure decisions.