TL;DR: "Enable GuardDuty" actually enables the base detector plus up to five separately-priced protection plans (S3, EKS, EC2 Malware, RDS, Lambda, Runtime Monitoring) — with a 30-day trial that keeps billing when it ends, no email sent. A serverless startup paying for EKS and RDS protection is buying vigilance on attack surface it doesn't have. Matching plans to actual workloads routinely cuts the bill 60–80% with zero real security loss.
The numbers
- Base service (CloudTrail management events ~$4/M, flow-log and DNS analysis): small and predictable
- The plans are the money: EKS audit-log GB, per-GB EBS malware scans, per-instance-hour RDS, per-million Lambda invocations, per-vCPU-hour runtime agents
- Field examples: a serverless startup's default-everything bill of $140/month dropped to $22 after disabling EKS/RDS/Malware/Runtime; a mid-size SaaS at $510/month found $320 was EKS Protection on nightly-destroyed dev clusters — production-only scoping took it to $170/month
Do this
-
If you're in the 30-day trial, act now — GuardDuty → Usage shows projected post-trial cost per plan, free. Screenshot it, decide, disable before day 30. There is no warning email.
-
Run the "do we even run that?" audit: GuardDuty → Settings → Protection plans. No EKS clusters → EKS Protection off. No RDS → RDS Protection off. No EBS-backed EC2 → Malware Protection off. This isn't a security trade-off; it's deleting detection for services that don't exist.
-
Attribute the paid bill: Cost Explorer → Service: GuardDuty → group by usage type. The top line item is your target: EKS audit bytes usually means dev/staging clusters are being scanned; EBS malware GB means scheduled (not findings-triggered) scans; S3 data events scale with object traffic.
-
Scope, don't just toggle: Organizations delegated admin lets prod accounts run full plans while sandboxes run base-only; Runtime Monitoring agents can deploy to production workloads only.
-
Disable detectors in unused regions — GuardDuty is per-region, and empty regions still bill base rates for noise.
-
Set a billing alarm at ~120% of the new baseline so the next silent enablement gets caught.
Gotchas
- The trial rollover is the trap: every plan continues billing at day 31; most "GuardDuty is expensive" surprises are exactly this.
- Findings nobody triages are a smell — if no GuardDuty finding has ever triggered a response, you're paying for output with no consumer; fix the process or the plan list.
- Compliance usually mandates "threat detection," not every plan. PCI/SOC 2 are satisfied by the base service for most controls; ask your MSSP which plans their playbooks actually consume, and document deliberate disables so auditors see a decision, not an omission.
- Don't optimize into a violation: regulated workloads (FedRAMP classifications, PCI scope) may pin specific plans — check the actual policy text first.
Skip this if
- Your security team actively consumes findings from every enabled plan — then the spend is justified by definition.
- The workload mix shifts weekly (platform teams spinning up arbitrary services) — leaving plans on may beat the gap risk on the day someone deploys EKS.
- The same "enabled by default, scanning more than you need" pattern is bigger elsewhere — AWS Config recording is the sibling cleanup.