GuardDuty Pricing Optimization: Cutting the VPC Flow Logs Tax
GuardDuty is the single largest AWS security service line item at most enterprises, and the VPC Flow Logs dimension is the silent driver of half of GuardDuty bills above $50K per month.
Most enterprises enable GuardDuty organisation-wide and never revisit configuration. Twelve to twenty-four months later, the GuardDuty bill has quietly grown to $100K+ per month, driven almost entirely by VPC Flow Logs analysis at the highest pricing tier. This guide covers the optimisation playbook we apply in security cost reviews ahead of every major EDP renewal.
How GuardDuty actually bills
GuardDuty has six independent pricing dimensions in 2026:
| Dimension | Pricing tier breaks | Driver |
|---|---|---|
| VPC Flow Logs | $1.00/GB to 500 GB; $0.50/GB to 2,500 GB; $0.25/GB above | Network traffic volume |
| CloudTrail Events | $4.00/M events to 50M; $2.00/M to 500M; $1.00/M above | API call volume |
| DNS Queries | $4.00/M queries to 50M; $2.00/M to 500M; $1.00/M above | Route 53 Resolver activity |
| S3 Protection | $0.80/M events | S3 Object-level CloudTrail |
| EKS Audit Logs | $1.00/M events | Kubernetes API call volume |
| Runtime Monitoring | $1.50/vCPU/month | EC2/ECS/EKS workload count |
The first three (VPC Flow Logs, CloudTrail Events, DNS Queries) are bundled in the base GuardDuty fee structure and tier together. The last three are opt-in features that can be disabled independently.
Why VPC Flow Logs dominate
A typical enterprise VPC generates 5 to 50 GB/day of Flow Logs depending on workload. At 50 GB/day over a 30-day month, that is 1,500 GB/month per VPC. With 10 such VPCs, that is 15,000 GB/month, which puts most of the volume in the $0.25/GB tier but still comes to around $3,750/month across those 10 VPCs at the $0.25/GB rate alone.
Two factors compound this: cross-AZ chatter (microservices that span AZs generate full traffic logs both directions), and load balancer health checks (continuous low-volume traffic that GuardDuty must still analyse).
The seven highest-impact optimisations
1. Disable GuardDuty in non-production accounts
GuardDuty in dev, QA, and sandbox environments rarely surfaces actionable findings. The threat model is materially different from production. For most customers, disabling GuardDuty in non-production cuts the bill by 20 to 40 percent immediately.
Counter-argument: lateral movement from dev to prod is a real threat. Compromise: enable GuardDuty in non-production with VPC Flow Logs disabled and only CloudTrail and DNS dimensions on.
2. Sample VPC Flow Logs
VPC Flow Logs can be configured with a sampling rate. GuardDuty analyses whatever it receives. A 1-in-10 sampling rate cuts GuardDuty Flow Logs cost by 90 percent and still captures most anomaly patterns.
Caveat: GuardDuty's machine-learning models work better with full volume. For prod-critical VPCs handling financial or sensitive data, full, unsampled volume is justified. For analytics or batch processing VPCs, 1-in-10 is reasonable.
3. Exclude predictable internal chatter
Load balancer health checks, service mesh chatter, and Kubernetes pod-to-pod traffic generate massive Flow Logs volume with near-zero security signal. Use VPC Flow Logs filter expressions to exclude these patterns at the source.
4. Consolidate VPCs
Many enterprises run 30+ VPCs out of organisational habit. Consolidating to 5 to 10 VPCs with proper segmentation often cuts Flow Logs volume because intra-VPC traffic is not logged (only flows crossing the ENI boundary).
5. Evaluate Malware Protection ROI
Malware Protection for EC2 and EBS bills per GB scanned. The average enterprise pays $30K+/year for Malware Protection that fires, on average, once per quarter. Compare this against a third-party EDR (CrowdStrike, SentinelOne) that may already be deployed.
6. Audit EKS Protection and Runtime Monitoring
Runtime Monitoring at $1.50/vCPU/month adds up fast. A 500-vCPU EKS cluster is $750/month for Runtime Monitoring alone, on top of the EKS Audit Logs charge. Decide whether the runtime telemetry duplicates your existing observability stack.
7. Use S3 Protection selectively
S3 Protection bills per object-level CloudTrail event. Enabling it organisation-wide on every bucket is expensive. Enable on buckets containing PII, financial data, or sensitive content; skip media buckets, public web buckets, and analytics scratch space.
Multi-account and delegated admin economics
GuardDuty operates under a master/member model with AWS Organizations. The master account aggregates findings; members publish telemetry.
Volume tier breaks apply at the organisation level when configured as a delegated administrator. This means a 100-account organisation with 1 GB/day per account hits the $0.50/GB tier collectively at the 500 GB/month mark, not per-account. Properly configuring delegated administration is worth 30 to 50 percent savings versus per-account billing.
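The tier arithmetic behind the Flow Logs figures above and the delegated-administrator saving, as an added example (not code from the page or from AWS). The tier breaks come from the pricing table in this guide; the per-VPC and 100-account scenarios are the ones the text describes, and real bills should be checked against Cost Explorer.

```python
"""Marginal tiered cost model for GuardDuty VPC Flow Logs (added example, not the page's
or AWS's code). Tier breaks are taken from the pricing table in this guide; per-GB tiers
are applied marginally, and any real bill should be checked against Cost Explorer."""
from typing import List, Tuple

# (upper bound of the tier in GB, price per GB within it), from the table above.
FLOW_LOG_TIERS: List[Tuple[float, float]] = [
    (500.0, 1.00),
    (2_500.0, 0.50),
    (float("inf"), 0.25),
]


def tiered_cost(volume_gb: float, tiers=FLOW_LOG_TIERS) -> float:
    """Bill each GB at the rate of the tier it falls in (graduated pricing)."""
    cost, lower = 0.0, 0.0
    for upper, rate in tiers:
        if volume_gb <= lower:
            break
        cost += (min(volume_gb, upper) - lower) * rate
        lower = upper
    return round(cost, 2)


def per_account_vs_aggregated(account_gb: List[float]) -> dict:
    """Standalone detectors each start over at the $1.00 tier; a delegated administrator
    pools the organisation's volume so the tier breaks are crossed once."""
    standalone = round(sum(tiered_cost(gb) for gb in account_gb), 2)
    pooled = tiered_cost(sum(account_gb))
    saving = round(100 * (standalone - pooled) / standalone, 1) if standalone else 0.0
    return {"standalone": standalone, "aggregated": pooled, "saving_pct": saving}


if __name__ == "__main__":
    # Constructed scenarios from the text: one 50 GB/day VPC, ten of them,
    # and 100 accounts at 1 GB/day each over a 30-day month.
    print(tiered_cost(1_500))                        # 1000.0
    print(tiered_cost(15_000))                       # 4625.0
    print(per_account_vs_aggregated([30.0] * 100))   # saving_pct 45.8
```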
GuardDuty findings: cost and signal trade-off
GuardDuty produces 150+ finding types. At enterprise scale, the volume of low-severity findings overwhelms most security operations teams. Cost angle: SIEM ingestion of GuardDuty findings adds Splunk, Sumo Logic, or Datadog spend on top of GuardDuty itself.
Tactics:
- Use EventBridge rules to filter low-severity findings before SIEM ingestion.
- Suppress finding types not relevant to your environment (Kubernetes findings on EKS-free accounts).
- Use Security Hub aggregation to dedupe findings rather than full GuardDuty ingestion.
GuardDuty in EDP renewals
GuardDuty rolls into the security services category in an EDP. AWS sellers default to applying the headline EDP discount uniformly. In practice, the VPC Flow Logs dimension at high volume is the most negotiable single line item in the security category.
Negotiation specifics to request:
- Custom volume tiers above 10,000 GB/month at preferential pricing.
- Multi-year GuardDuty commitment discount.
- Bundled pricing across GuardDuty, Security Hub, and Macie.
- Migration credit from third-party CNAPP (where switching from Wiz, Palo Alto Prisma, or similar).
Third-party alternatives priced honestly
Wiz, Lacework, Orca, and Palo Alto Prisma all offer GuardDuty-equivalent runtime detection. Pricing models vary: per-workload, per-resource, per-GB. For a typical $80K/month GuardDuty customer, full-stack CNAPP replacement runs $150K to $250K/year but includes posture management, data classification, and runtime detection in one bundle.
Decision framework: if GuardDuty is your only security tool, native is fine. If you are deploying or considering Wiz, the multi-product TCO almost always favours consolidation.
Action checklist
- Pull last 12 months of GuardDuty spend by dimension from Cost Explorer.
- Identify VPCs producing more than 1,000 GB/month of Flow Logs.
- Disable GuardDuty in non-production accounts or restrict to CloudTrail + DNS only.
- Apply 1-in-10 sampling to non-critical VPCs.
- Audit S3 Protection scope; restrict to PII/PCI/financial buckets.
- Evaluate Malware Protection and Runtime Monitoring ROI.
- Confirm delegated administrator pattern aggregates volume for tier breaks.
- Scope GuardDuty in your next EDP cycle.
- Contact our advisory team for a GuardDuty audit benchmarked against $2.4B+ of reviewed AWS spend.
See our AWS security cost strategy pillar, Security Hub cost analysis piece, and CloudTrail cost reduction guide for the broader security picture.
GuardDuty findings volume and SIEM cost
The conversation about GuardDuty cost usually stops at the GuardDuty bill. The downstream cost of ingesting GuardDuty findings into a SIEM is frequently equal to or larger than GuardDuty itself.
An average enterprise GuardDuty deployment generates 5,000 to 30,000 findings per month across accounts. Splunk ingestion at $0.40 to $5.00 per GB depending on contract, Sumo Logic at similar rates, and Datadog Cloud SIEM at $0.30 per GB all add to the total cost. For a 30,000-finding/month customer, SIEM ingestion adds $500 to $3,000/month.
Optimisation: filter findings at EventBridge before SIEM ingestion. Most enterprises do not need INFORMATIONAL severity findings in the SIEM. Suppress low-severity findings; ingest MEDIUM and above only.
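The EventBridge filter described here and in the tactics list above, as an added example (not code from the page or from AWS). SIEM_EVENT_PATTERN is a real EventBridge event pattern that forwards MEDIUM-and-above findings and drops EKS findings; the matcher is a small, hypothetical local re-implementation of only the operators the pattern uses, so the rule can be checked against constructed findings before it is deployed.

```python
"""Filter GuardDuty findings at EventBridge before SIEM ingestion (added example; not the
page's or AWS's code). SIEM_EVENT_PATTERN is real EventBridge syntax; the matcher is a
small local re-implementation of just the operators it uses, for checking the rule offline."""
from typing import Any, Dict, List

# Forward MEDIUM (severity 4.0) and above; drop EKS findings in accounts without EKS.
SIEM_EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}],
               "resource": {"resourceType": [{"anything-but": ["EKSCluster"]}]}},
}
_OPS = {">=": lambda a, b: a >= b, "<": lambda a, b: a < b}

def _match_value(rules: List[Any], value: Any) -> bool:
    """A field matches if any rule in its list matches (EventBridge OR semantics)."""
    for rule in rules:
        if not isinstance(rule, dict):          # plain literal: exact match
            if value == rule:
                return True
        elif "numeric" in rule:                 # e.g. [">=", 4] or [">=", 4, "<", 7]
            ops = rule["numeric"]
            if isinstance(value, (int, float)) and all(
                    _OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif "anything-but" in rule and value not in rule["anything-but"]:
            return True
    return False

def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when every pattern field matches the event; nested objects recurse."""
    for key, rules in pattern.items():
        if key not in event:
            return False
        if isinstance(rules, dict):
            if not (isinstance(event[key], dict) and matches(rules, event[key])):
                return False
        elif not _match_value(rules, event[key]):
            return False
    return True

def finding(ftype: str, severity: float, resource_type: str) -> Dict[str, Any]:
    """Constructed finding in the envelope shape GuardDuty publishes to EventBridge."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
        "type": ftype, "severity": severity, "resource": {"resourceType": resource_type}}}

def forward_to_siem(events: List[Dict[str, Any]]) -> List[str]:
    """Finding types that would reach the SIEM target under SIEM_EVENT_PATTERN."""
    return [e["detail"]["type"] for e in events if matches(SIEM_EVENT_PATTERN, e)]
```

Deployed, the same dictionary is the EventPattern of an EventBridge rule whose target is the SIEM's ingestion endpoint (or a Firehose/Lambda in front of it), so INFORMATIONAL and LOW findings never incur ingestion cost.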
EKS Audit Logs deep-dive
EKS Audit Logs from GuardDuty bill $1.00 per million events. A typical EKS cluster generates 50,000 to 500,000 audit events per day depending on Kubernetes API call patterns. For a 5-cluster deployment averaging 200,000 events/day per cluster, that is 30M events/month, or $30/month across the five clusters. Modest, but it adds up at fleet scale.
What drives EKS audit event volume:
- Number of pod restarts (CrashLoopBackOff scenarios)
- HorizontalPodAutoscaler aggressive scaling
- Helm chart deployments with many resources
- Configuration drift remediation tools that constantly reconcile
Mitigation: stabilise pod startup behaviour and reduce reconciliation loops. Side benefit: lower EKS control plane load.
GuardDuty data sources versus protection plans
AWS reorganised GuardDuty pricing in 2024 to separate "core" coverage (Flow Logs, CloudTrail, DNS) from optional "protection plans" (EKS Protection, S3 Protection, RDS Protection, Lambda Protection, Runtime Monitoring, Malware Protection).
Each protection plan has its own pricing dimension and can be toggled independently. Audit:
| Protection plan | Toggle | Default behaviour at enablement |
|---|---|---|
| EKS Protection | Per account | Enabled for all EKS clusters in account |
| S3 Protection | Per account | Enabled for all S3 in account |
| RDS Protection | Per account | Enabled for all RDS in account |
| Lambda Protection | Per account | Enabled for all Lambda functions |
| Runtime Monitoring | Per account, per workload class | Requires agent deployment |
| Malware Protection | Per account | Scans on finding triggers, not continuous |
The economic decision for each protection plan is independent. The mistake is enabling all six because GuardDuty made it easy. Justify each plan against your actual threat model.
Multi-master and migration scenarios
Common GuardDuty re-architectures:
- Per-account standalone to centralised admin. Reduces billing by aggregating volume tiers. Migration window: 2 to 4 weeks.
- Decentralised regional masters to single global delegated admin. Operational simplification. Pricing impact: usually neutral.
- GuardDuty primary to third-party CNAPP primary. Reduces GuardDuty cost but transitions detection responsibility. 6-month minimum runway.