Amazon GuardDuty
1h 3m

During AWS re:Invent 2017, AWS launched its 11th security service in the ongoing drive to help its customers protect and secure their applications, environments, and accounts. This service was Amazon GuardDuty, a regionally based, intelligent threat-detection service. It allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then takes the data from these logs and assesses it against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs. This course will introduce you to Amazon GuardDuty and explain how it works and how to configure it, so that you can enable this service within your own AWS accounts to provide automatic and continuous security analysis for safeguarding your entire AWS environment.

Learning Objectives

By the end of this course you will be able to:

  • Describe the Amazon GuardDuty service
  • Manage and configure GuardDuty for single and multiple accounts
  • Implement the correct permissions to both enable and manage GuardDuty
  • Manage and resolve findings generated
  • Explain how GuardDuty can play an important role within your organization

This course has been designed for individuals in the following roles:

  • Security consultant/specialist
  • Security analyst
  • Security auditor
  • Cloud architect
  • Cloud operational support analyst

This course would also be valuable to anyone looking to learn more about AWS security and threat detection within AWS.


As a prerequisite to this course, you should have a basic understanding of the fundamentals of AWS along with an awareness of different security measures and mechanisms that are offered by different AWS services, such as within IAM, specifically IAM policies.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


AWS Resource

Amazon GuardDuty Pricing


Hello, and welcome to this very short lecture just to explain how much Amazon GuardDuty is likely to cost you, and how the pricing structure works.

Essentially, the pricing for this service is broken down into two parts: CloudTrail Event Analysis, and VPC Flow Log and DNS Log Analysis. CloudTrail Event Analysis is charged per one million events per month, whereas the VPC Flow Logs and DNS Logs are charged per gig of log data analyzed per month.

The cost for each depends on which region you are running the service in. For a full listing of each region, visit the AWS pricing page of the service found here. When you first enable Amazon GuardDuty, you are able to use the service free for the first 30 days. In addition to this, you are able to see how much Amazon GuardDuty would have cost you for those 30 days, to help you estimate your ongoing payment should you continue to use the service. As you can see from this image within my own account for testing, there are minimal events and log data. As such, after a week, it wouldn't have cost me anything as yet. I've not reached one million events or one gig of data. However, you can see from here that should you be running this in your Enterprise account, as opposed to my personal test account, where you may have thousands of resources, it would allow you to estimate the ongoing costs associated with GuardDuty.

Before I finish this lecture, I just want to provide a costing example, based on running Amazon GuardDuty from within the London EU region, which currently states pricing as follows. Please note, for the latest pricing information, please refer to the AWS documentation. With this in mind, let's presume we have the following data per month: 55 million CloudTrail Events, 3,000 Gigabytes of VPC Flow Logs, and 2,000 Gigabytes of DNS Query Logs. Using the charges from the table listed for the London region, we can calculate the costing as follows. The CloudTrail Events would work out at $242, and the VPC Flow Logs and DNS Query Logs will total $2,350, giving a total of $2,592 for that month.

The charges for this service are very simple to understand and estimate. You may be thinking, is this worth the cost? But at the same time, you should also be thinking of the cost against not using the service, and suffering the effects of a security breach. Not only will this have a financial impact on your organization in the event you have to shut systems down to remediate the issue, but there is also a significant cost of reputation to your business. All of this needs to be taken into consideration when looking at the cost of security.

That now brings me to the end of this lecture. Coming up next, I shall be looking at some of the partner offerings that are available, that work in conjunction with Amazon GuardDuty.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.