aws_guardduty_detector cost estimation

Managed threat detection billed by the volume of CloudTrail events, VPC flow logs, and DNS logs analyzed. ~10M events + 100 GB logs is ~$140/month.

An aws_guardduty_detector enables Amazon GuardDuty threat detection for an account/region. There's no instance; cost is driven by the volume of data analyzed: CloudTrail management events (~$4.00 per million), and VPC flow logs plus DNS logs (~$1.00 per GB, with volume tiers that lower the rate at scale). Analyzing 10M events and 100 GB of logs is ~$40 + $100 = $140/month.

The bill scales with account activity and network traffic, so high-activity or high-throughput accounts pay more. Add-on protection plans — S3 Protection, EKS Protection, Malware Protection, RDS Protection, Lambda Protection — each analyze additional data sources and add their own per-unit charges, so enabling all of them across all accounts multiplies cost.

The levers: enable GuardDuty broadly (it's a core security control, and the base data analysis is usually worth it), but be deliberate about which add-on protection plans you turn on where, since each adds a data-analysis charge. At organization scale, the log-volume charges dominate, so anything that reduces unnecessary VPC flow log volume helps.

c3x prices the detector from analyzed event and log volumes as usage, so projected GuardDuty cost can be modelled.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_guardduty_detector" "main" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
  }
}

Pricing dimensions

What you actually pay for when you provision aws_guardduty_detector.

| Dimension | Unit | What's being charged |
|---|---|---|
| CloudTrail events analyzed | per 1M events | Management events analyzed for threats. Scales with account API activity. $4.00 per 1M events → 10M = $40/month |
| VPC flow + DNS logs analyzed | per GB | Network flow and DNS log volume analyzed, with tiers that lower the rate at scale. ~$1.00/GB (first tier) → 100 GB = $100/month |
| Protection add-ons | per data source | S3, EKS, Malware, RDS, and Lambda Protection each analyze extra data sources at their own rate. Usage-based. |

Sample C3X output

10M CloudTrail events + 100 GB of flow/DNS logs analyzed in a month:

aws_guardduty_detector.main
├─ CloudTrail events analyzed   10 × 1M events   $40.00
└─ VPC flow + DNS logs          100 GB          $100.00
                                Monthly         $140.00

Optimization tips

Common ways to reduce aws_guardduty_detector cost without changing the workload.

Be deliberate about add-on protection plans

Per add-on not needed

S3, EKS, Malware, RDS, and Lambda Protection each analyze additional data and add charges. Enable the ones that match your threat model and data sources — turning on every add-on across every account multiplies the bill.
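
One way to apply this tip in Terraform, as an added example that is not from the original page or the C3X project: it uses the AWS provider's aws_guardduty_detector_feature resource (instead of the datasources block shown earlier) to set each protection plan explicitly per environment. The variable environment, the local plans_by_env and the prod/dev split are assumptions made for illustration.

```hcl
# Added example. Requires an AWS provider version that includes
# the aws_guardduty_detector_feature resource.

variable "environment" {
  type        = string
  description = "Hypothetical deployment tier used to pick protection plans"
  default     = "dev"

  validation {
    condition     = contains(["prod", "dev"], var.environment)
    error_message = "environment must be prod or dev."
  }
}

locals {
  # Hypothetical policy: every plan is listed in both tiers so the
  # intended state of each billed data source is visible in review.
  plans_by_env = {
    prod = {
      S3_DATA_EVENTS         = "ENABLED"
      EKS_AUDIT_LOGS         = "ENABLED"
      EBS_MALWARE_PROTECTION = "ENABLED"
      RDS_LOGIN_EVENTS       = "ENABLED"
      LAMBDA_NETWORK_LOGS    = "ENABLED"
    }
    dev = {
      S3_DATA_EVENTS         = "ENABLED"
      EKS_AUDIT_LOGS         = "DISABLED"
      EBS_MALWARE_PROTECTION = "DISABLED"
      RDS_LOGIN_EVENTS       = "DISABLED"
      LAMBDA_NETWORK_LOGS    = "DISABLED"
    }
  }
}

# Base detector: CloudTrail, VPC flow and DNS analysis stay on everywhere.
resource "aws_guardduty_detector" "example" {
  enable = true
}

# One feature resource per protection plan, driven by the map above.
resource "aws_guardduty_detector_feature" "plan" {
  for_each    = local.plans_by_env[var.environment]
  detector_id = aws_guardduty_detector.example.id
  name        = each.key
  status      = each.value
}
```

Listing a plan as DISABLED rather than omitting it means a later change that turns it on shows up as a diff in the plan output, which gives both the security and the cost owner a point to review it.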

Reduce unnecessary VPC flow log volume

Proportional to log volume reduced

Flow-log volume is a major GuardDuty cost driver at scale. Reducing chatty, low-value traffic and avoiding flow logging where it adds no security value lowers the volume billed at the per-GB analysis rate.

Use the 30-day trial to size cost before committing org-wide

Avoids cost surprises at rollout

GuardDuty's free trial shows your account's actual analyzed volume. Use it to project the steady-state cost across the organization before enabling everywhere, rather than being surprised.

Don't double-pay with overlapping tools

Avoids duplicate analysis cost

If other tools already analyze the same CloudTrail/flow-log data for threats, consolidate rather than paying GuardDuty and another product to inspect the same sources.

FAQ

How is AWS GuardDuty billed?

By the volume of data analyzed: CloudTrail management events (~$4/million) and VPC flow + DNS logs (~$1/GB, tiered down at scale), plus per-data-source charges for add-on protection plans (S3, EKS, Malware, RDS, Lambda). ~10M events + 100 GB is ~$140/month.

Why is my GuardDuty bill high?

Usually log volume and add-on plans. The per-GB flow/DNS log analysis scales with network traffic, and enabling every protection add-on across every account multiplies the bill. Be selective about add-ons and reduce unnecessary flow-log volume.

How does c3x estimate the cost?

GuardDuty is usage-driven, so c3x models it from analyzed event and log volumes in c3x-usage.yml. There's no instance to price; the estimate reflects projected analysis volume.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_guardduty_detector.