All cheat sheets
Operational Efficiencycheat sheet

GuardDuty Selective Protection

GuardDuty is six separately-billed products in one console — and the default enables all of them, with a 30-day trial that rolls into paid without warning. Disable the plans monitoring services you don't run: zero security loss, often a 60–80% cut.

Last reviewed: July 11, 2026

TL;DR: "Enable GuardDuty" actually enables the base detector plus up to five separately-priced protection plans (S3, EKS, EC2 Malware, RDS, Lambda, Runtime Monitoring) — with a 30-day trial that keeps billing when it ends, no email sent. A serverless startup paying for EKS and RDS protection is buying vigilance on attack surface it doesn't have. Matching plans to actual workloads routinely cuts the bill 60–80% with zero real security loss.

The numbers

  • Base service (CloudTrail management events ~$4/M, flow-log and DNS analysis): small and predictable
  • The plans are the money: EKS audit-log GB, per-GB EBS malware scans, per-instance-hour RDS, per-million Lambda invocations, per-vCPU-hour runtime agents
  • Field examples: a serverless startup's default-everything bill of $140/month dropped to $22 after disabling EKS/RDS/Malware/Runtime; a mid-size SaaS at $510/month found $320 was EKS Protection on nightly-destroyed dev clusters — production-only scoping took it to $170/month

Do this

  1. If you're in the 30-day trial, act now — GuardDuty → Usage shows projected post-trial cost per plan, free. Screenshot it, decide, disable before day 30. There is no warning email.

  2. Run the "do we even run that?" audit: GuardDuty → Settings → Protection plans. No EKS clusters → EKS Protection off. No RDS → RDS Protection off. No EBS-backed EC2 → Malware Protection off. This isn't a security trade-off; it's deleting detection for services that don't exist.

  3. Attribute the paid bill: Cost Explorer → Service: GuardDuty → group by usage type. The top line item is your target: EKS audit bytes usually means dev/staging clusters are being scanned; EBS malware GB means scheduled (not findings-triggered) scans; S3 data events scale with object traffic.

  4. Scope, don't just toggle: Organizations delegated admin lets prod accounts run full plans while sandboxes run base-only; Runtime Monitoring agents can deploy to production workloads only.

  5. Disable detectors in unused regions — GuardDuty is per-region, and empty regions still bill base rates for noise.

  6. Set a billing alarm at ~120% of the new baseline so the next silent enablement gets caught.

Gotchas

  • The trial rollover is the trap: every plan continues billing at day 31; most "GuardDuty is expensive" surprises are exactly this.
  • Findings nobody triages are a smell — if no GuardDuty finding has ever triggered a response, you're paying for output with no consumer; fix the process or the plan list.
  • Compliance usually mandates "threat detection," not every plan. PCI/SOC 2 are satisfied by the base service for most controls; ask your MSSP which plans their playbooks actually consume, and document deliberate disables so auditors see a decision, not an omission.
  • Don't optimize into a violation: regulated workloads (FedRAMP classifications, PCI scope) may pin specific plans — check the actual policy text first.

Skip this if

  • Your security team actively consumes findings from every enabled plan — then the spend is justified by definition.
  • The workload mix shifts weekly (platform teams spinning up arbitrary services) — leaving plans on may beat the gap risk on the day someone deploys EKS.
  • The same "enabled by default, scanning more than you need" pattern is bigger elsewhere — AWS Config recording is the sibling cleanup.

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing an AWS account's GuardDuty configuration against its
actual workload. Use the AWS CLI with READ-ONLY credentials. Do not
create, modify, or delete anything.

1. Current state per active region: aws guardduty list-detectors, then
   get-detector + list-features (or get-detector's Features) — which
   protection plans are enabled: S3 Protection, EKS Protection,
   Malware Protection (EC2), RDS Protection, Lambda Protection,
   Runtime Monitoring.
2. Match plans to reality:
   - EKS Protection on? → aws eks list-clusters (empty = pure waste)
   - RDS Protection on? → aws rds describe-db-instances/clusters
   - Malware Protection on? → any EBS-backed EC2 at all?
     aws ec2 describe-instances
   - Lambda Protection on? → aws lambda list-functions (volume?)
   - S3 Protection on? → buckets with sensitive-looking data?
   - Runtime Monitoring on? → ECS/EKS/EC2 fleet size — agent
     vCPU-hours on a tiny fleet rarely pay.
3. Spend attribution: Cost Explorer filtered to GuardDuty grouped by
   usage type (PaidGuardDutyEksAuditLogsBytes, EbsMalwareScanGb, etc.)
   — the top 1–2 usage types are usually 60–80% of the bill. If still
   in the 30-day trial, use the console's projected-cost-per-plan
   instead and SAY SO (that's the cheapest decision window).
4. Regions: detectors enabled in regions with no workloads.

Report: plan-vs-workload table (plan | enabled? | service present? |
est. $/mo | verdict), regions to disable, and the compliance caveat
(document deliberate disables in the control matrix; keep plans a SOC
actually consumes). Change nothing.
Works with any assistant that can run shell commands.

Want the guided version?

The GuardDuty Selective Protection walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough