Estimating GuardDuty cost - Amazon GuardDuty

Estimating GuardDuty cost

You can use the GuardDuty console or API operations to estimate the daily average usage costs for GuardDuty. During the 30-day free trial period, the cost estimation projects what your estimated costs will be after the trial period. If you are operating in a multi-account environment, your GuardDuty administrator account can monitor cost metrics for all of the member accounts.


The usage cost for Malware Protection for S3 is not included under Usage in the GuardDuty console. For more information, see Viewing usage and cost for Malware Protection for S3.

You can view cost estimation based on the following metrics:

  • Account ID – Lists the estimated cost for your account, or for your member accounts if you are operating as a GuardDuty administrator account account.

  • Data source – Lists the estimated cost on the specified data source for the following GuardDuty data source types: VPC flow logs, CloudTrail management logs, CloudTrail data events, or DNS logs.

  • Features – Lists the estimated cost on the specified data source for the following GuardDuty features: CloudTrail data events for S3, EKS Audit Log Monitoring, EBS volume data, RDS login activity, EKS Runtime Monitoring, Fargate Runtime Monitoring, EC2 Runtime Monitoring, or Lambda Network Activity Monitoring.

  • S3 buckets – Lists the estimated cost for S3 data events on a specified bucket or the most expensive buckets for accounts in your environment.


    S3 bucket statistics are only available if S3 Protection is enabled for the account. For more information, see Amazon S3 Protection in Amazon GuardDuty.

Understanding how GuardDuty calculates usage costs

The estimates displayed in the GuardDuty console may differ slightly than those in your AWS Billing and Cost Management console. The following list explains how GuardDuty estimates usage costs:

  • The GuardDuty usage estimate is for the current Region only.

  • The GuardDuty usage cost is based on the last 30 days of usage.

  • The trial usage cost estimate includes the estimate for foundational data sources and features that are currently in the trial period. Each feature and data source within GuardDuty has its own trial period but it may overlap with the trial period of GuardDuty or another feature that was enabled at the same time.

  • The GuardDuty usage estimate includes GuardDuty volume pricing discounts per Region, as detailed on the Amazon GuardDuty Pricing page, but only for individual accounts meeting the volume pricing tiers. Volume pricing discounts are not included in estimates for combined total usage between accounts within an organization. For information about combined usage volume discount pricing, see AWS Billing: Volume Discounts.

  • The sum of the usage cost for each AWS account in your organization may not always be the same as the last 30-day estimated cost for the selected data source. The pricing tier may change as GuardDuty processes more events or data. For more information, see Pricing Tiers in the AWS Billing User Guide.

This scenario explains that to stop incurring usage cost for Runtime Monitoring, you must have both the Runtime Monitoring and EKS Runtime Monitoring features disabled.

GuardDuty has consolidated the console experience for EKS Runtime Monitoring into Runtime Monitoring. GuardDuty recommends Checking EKS Runtime Monitoring configuration status and Migrating from EKS Runtime Monitoring to Runtime Monitoring.

As a part of migrating to Runtime Monitoring, ensure to Disable EKS Runtime Monitoring. This is important because if you later choose to disable Runtime Monitoring and you do not disable EKS Runtime Monitoring, you will continue incurring usage cost for EKS Runtime Monitoring.

Runtime Monitoring – How VPC flow logs from EC2 instances impact usage cost

When you manage the security agent (either manually or through GuardDuty) in EKS Runtime Monitoring or Runtime Monitoring for EC2 instances, and GuardDuty is presently deployed on an Amazon EC2 instance and receives the Collected runtime event types from this instance, GuardDuty will not charge your AWS account for the analysis of VPC flow logs from this Amazon EC2 instance. This helps GuardDuty avoid double usage cost in the account.

How GuardDuty estimates usage cost for CloudTrail events

When you enable GuardDuty, it automatically starts consuming AWS CloudTrail event logs recorded for your account in the selected AWS Region. GuardDuty replicates Global service events logs and then processes these events independently in each Region where you have GuardDuty enabled. This helps GuardDuty maintain user and role profiles in each Region to identify anomalies.

Your CloudTrail configuration does not impact GuardDuty usage cost or the way GuardDuty processes your event logs. Your GuardDuty usage cost is affected by your usage of AWS APIs which log to CloudTrail. For more information, see AWS CloudTrail event logs.

Reviewing GuardDuty usage statistics

Choose your preferred access method to review the usage statistics for your GuardDuty account. If you're a GuardDuty administrator account, the following methods will help you review the usage statistics for all the members.

  1. Open the GuardDuty console at

    Make sure to use the GuardDuty administrator account account.

  2. In the navigation pane, choose Usage.

  3. On the Usage page, a GuardDuty administrator account with member accounts can view the Estimated organization cost for the last 30 days. This is an estimated total usage cost for your organization.

  4. GuardDuty administrator accounts with members can either view the usage cost breakdown by data source or by accounts. Individual or standalone accounts can view the breakdown by data source.

    If you have member accounts, you can view the statistics for an individual account by selecting that account in the Accounts table.

    Under the By data sources tab, when you select a data source that has a usage cost associated with it, the corresponding sum of the cost breakdown at the accounts level may not always be the same.


Run the GetUsageStatistics API operation using the credentials of GuardDuty administrator account account. Provide the following information to run the command:

  • (Required) provide the Regional GuardDuty detector ID of the account for which you want to retrieve the statistics.

  • (Required) provide one of the types of statistics to retrieve: SUM_BY_ACCOUNT | SUM_BY_DATA_SOURCE | SUM_BY_RESOURCE | SUM_BY_FEATURE | TOP_ACCOUNTS_BY_FEATURE.

    Currently, TOP_ACCOUNTS_BY_FEATURE does not support retrieving usage statistics for RDS_LOGIN_EVENTS.

  • (Required) provide one or more data sources or features to query your usage statistics.

  • (Optional) provide a list of account IDs for which you want to retrieve usage statistics.

You can also use the AWS Command Line Interface. The following command is an example about retrieving the usage statistics for all the data sources and features, calculated by accounts. Make sure to replace the detector-id with your own valid detector ID. For standalone accounts, this command returns the usage cost over the past 30 days for your account only. If you are a GuardDuty administrator account with member accounts, you see costs listed by account for all members.

To find the detectorId for your account and current Region, see the Settings page in the console, or run the ListDetectors API.

Replace SUM_BY_ACCOUNT by the type with which you want to calculate the usage statistics.

To monitor cost for data sources only

aws guardduty get-usage-statistics --detector-id 12abc34d567e8fa901bc2d34e56789f0 --usage-statistic-type SUM_BY_ACCOUNT --usage-criteria '{"DataSources":["FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_LOGS", "KUBERNETES_AUDIT_LOGS", "EC2_MALWARE_SCAN"]}'

To monitor cost for features

aws guardduty get-usage-statistics --detector-id 12abc34d567e8fa901bc2d34e56789f0 --usage-statistic-type SUM_BY_ACCOUNT --usage-criteria '{"Features":["FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "FARGATE_RUNTIME_MONITORING", "EC2_RUNTIME_MONITORING"]}'