Estimating GuardDuty cost
You can use the GuardDuty console or API operations to estimate the daily average usage costs for GuardDuty. During the 30-day free trial period, the cost estimation projects what your estimated costs will be after the trial period. If you are operating in a multi-account environment, your GuardDuty administrator account can monitor cost metrics for all of the member accounts.
You can view cost estimation based on the following metrics:
-
Account ID – Lists the estimated cost for your account, or for your member accounts if you are operating as a GuardDuty administrator account account.
-
Data source – Lists the estimated cost on the specified data source for the following GuardDuty data source types: VPC flow logs, CloudTrail management logs, CloudTrail data events, or DNS logs.
-
Features – Lists the estimated cost on the specified data source for the following GuardDuty features: CloudTrail data events for S3, EKS Audit Log Monitoring, EBS volume data, RDS login activity, EKS Runtime Monitoring, Fargate Runtime Monitoring, EC2 Runtime Monitoring, or Lambda Network Activity Monitoring.
-
S3 buckets – Lists the estimated cost for S3 data events on a specified bucket or the most expensive buckets for accounts in your environment.
Note
S3 bucket statistics are only available if S3 Protection is enabled for the account. For more information, see Amazon S3 Protection in Amazon GuardDuty.
Understanding how GuardDuty calculates usage costs
The estimates displayed in the GuardDuty console may differ slightly than those in your AWS Billing and Cost Management console. The following list explains how GuardDuty estimates usage costs:
-
The GuardDuty usage estimate is for the current Region only.
-
The GuardDuty usage cost is based on the last 30 days of usage.
-
The trial usage cost estimate includes the estimate for foundational data sources and features that are currently in the trial period. Each feature and data source within GuardDuty has its own trial period but it may overlap with the trial period of GuardDuty or another feature that was enabled at the same time.
-
The GuardDuty usage estimate includes GuardDuty volume pricing discounts per Region, as detailed on the Amazon GuardDuty Pricing
page, but only for individual accounts meeting the volume pricing tiers. Volume pricing discounts are not included in estimates for combined total usage between accounts within an organization. For information about combined usage volume discount pricing, see AWS Billing: Volume Discounts. -
The sum of the usage cost for each AWS account in your organization may not always be the same as the last 30-day estimated cost for the selected data source. The pricing tier may change as GuardDuty processes more events or data. For more information, see Pricing Tiers in the AWS Billing User Guide.
Runtime Monitoring – How VPC flow logs from EC2 instances impact usage cost
When you manage the security agent (either manually or through GuardDuty) in EKS Runtime Monitoring or Runtime Monitoring for EC2 instances, and GuardDuty is presently deployed on an Amazon EC2 instance and receives the Collected runtime event types from this instance, GuardDuty will not charge your AWS account for the analysis of VPC flow logs from this Amazon EC2 instance. This helps GuardDuty avoid double usage cost in the account.
How GuardDuty estimates usage cost for CloudTrail events
When you enable GuardDuty, it automatically starts consuming AWS CloudTrail event logs recorded for your account in the selected AWS Region. GuardDuty replicates Global service events logs and then processes these events independently in each Region where you have GuardDuty enabled. This helps GuardDuty maintain user and role profiles in each Region to identify anomalies.
Your CloudTrail configuration does not impact GuardDuty usage cost or the way GuardDuty processes your event logs. Your GuardDuty usage cost is affected by your usage of AWS APIs which log to CloudTrail. For more information, see AWS CloudTrail event logs.
Reviewing GuardDuty usage statistics
Choose your preferred access method to review the usage statistics for your GuardDuty account. If you're a GuardDuty administrator account, the following methods will help you review the usage statistics for all the members.