GuardDuty pricing surprises teams that enable every protection plan without estimating costs first. The base service — CloudTrail management events, VPC Flow Logs, DNS query logs — is inexpensive for most accounts. But S3 Protection charges by CloudTrail data event volume, EKS Runtime Monitoring charges per vCPU of monitored nodes, and these costs scale with workload size in ways the base service does not.
This guide breaks down the GuardDuty pricing model by protection plan, explains which plans deliver the most security value per dollar, and covers the optimization strategies that maintain coverage while controlling costs.
Base Service Pricing
The base GuardDuty service — threat detection from CloudTrail management events, VPC Flow Logs, and DNS query logs — is priced across two dimensions: CloudTrail event volume (per million events processed) and VPC Flow Log data volume (per GB analyzed). Both use tiered pricing that decreases the per-unit cost as volume increases.
For a small-to-medium AWS account with typical usage, the base service cost falls in the $5–$50/month range per account. High-traffic accounts with large VPC Flow Log volumes can reach several hundred dollars monthly. Use the GuardDuty cost estimation feature in the console — available under Settings — to see current data volumes and projected costs before the trial ends. The 30-day free trial gives you real cost data before you commit.
Protection Plan Costs and Value
S3 Protection adds cost based on CloudTrail S3 data event volume — the number of API calls (GetObject, PutObject, DeleteObject, etc.) processed. For environments with heavy S3 usage (CDN origin buckets, data lake pipelines), this cost can be substantial. For environments with moderate S3 use, it's typically a modest increment. Use the S3 Protection cost estimator and compare against the risk exposure from S3 data exfiltration — for any bucket holding sensitive data, this protection plan is generally worth its cost.
EKS Audit Log Monitoring prices per million audit log events analyzed. For organizations with small-to-medium EKS clusters, this adds a manageable increment to the base cost. For large EKS deployments with high API server activity, it can be more significant. Enable this for production EKS clusters; evaluate cost vs. coverage for development clusters.
EKS Runtime Monitoring prices per vCPU-hour of monitored nodes, so the charge scales with the vCPU count of the EC2 instance type running each node. For clusters with many large nodes running continuously, this cost can exceed the base GuardDuty cost. Evaluate whether the threat detection it provides is necessary given your cluster's workload type and risk profile.
RDS Protection and Lambda Protection are priced at very low rates per instance/function monitored and add minimal cost for most environments. Enable both — the security signal value outweighs the incremental cost.
Malware Protection charges per GB scanned, and scans only run when triggered by relevant GuardDuty findings. In most environments, the cost is near zero because scans occur infrequently. Enable it — you are unlikely to pay significant amounts unless your environment is actively compromised.
Cost Optimization Strategies
The primary lever for controlling GuardDuty costs is managing the data sources that drive the highest variable costs: VPC Flow Logs and S3 data events.
For VPC Flow Logs, consider logging only rejected traffic in development and staging accounts rather than all traffic. Rejected traffic captures security events (blocked port probes, failed connection attempts) without the volume overhead of logging every accepted connection. Production accounts should log all traffic for investigation purposes, but this distinction can reduce Flow Log processing costs significantly in lower-environment accounts.
For S3 Protection, you can disable it for specific buckets that have no sensitive data and generate high API traffic, then enable it selectively for sensitive buckets. This requires bucket-level configuration in the GuardDuty console and reduces coverage for the excluded buckets — make this tradeoff consciously rather than blanket-disabling S3 Protection to save cost.
Suppression rules reduce finding noise but do not reduce costs — GuardDuty processes all data regardless of what findings it generates. Cost reduction comes only from reducing the data volume processed.
Multi-Account Cost Attribution
In multi-account Organizations deployments, GuardDuty charges accrue in each member account individually. The delegated administrator account does not incur charges for analyzing member account data. Cost Explorer in the management account shows per-account GuardDuty costs, enabling you to identify accounts with unusually high GuardDuty spend — which may indicate high data volumes that warrant investigation.
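One way to do the per-account comparison described above, as an added example that is not from the original article: it reads a Cost Explorer `get_cost_and_usage` response grouped by linked account and flags accounts whose latest GuardDuty spend far exceeds the organization median, and it goes a step further by also flagging month-over-month jumps and accounts with no prior baseline. The sample response, account IDs, thresholds and function names are constructed for illustration.

```python
from statistics import median

# Constructed sample shaped like a Cost Explorer get_cost_and_usage response
# (Granularity=MONTHLY, Metrics=["UnblendedCost"], Filter on SERVICE =
# "Amazon GuardDuty", GroupBy LINKED_ACCOUNT). IDs and amounts are made up.
def _group(acct, usd):
    return {"Keys": [acct], "Metrics": {"UnblendedCost": {"Amount": usd, "Unit": "USD"}}}

SAMPLE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"},
     "Groups": [_group("111111111111", "18.40"), _group("222222222222", "22.10"),
                _group("333333333333", "25.00"), _group("444444444444", "310.75")]},
    {"TimePeriod": {"Start": "2024-02-01", "End": "2024-03-01"},
     "Groups": [_group("111111111111", "19.05"), _group("222222222222", "61.30"),
                _group("333333333333", "24.00"), _group("444444444444", "305.20"),
                _group("555555555555", "7.90")]},
]}

def monthly_costs(response):
    """Return [{account_id: usd}, ...], one dict per month, oldest first."""
    months = sorted(response["ResultsByTime"], key=lambda m: m["TimePeriod"]["Start"])
    return [{g["Keys"][0]: float(g["Metrics"]["UnblendedCost"]["Amount"])
             for g in m["Groups"]} for m in months]

def flag_accounts(response, peer_factor=3.0, growth_factor=1.5, min_usd=5.0):
    """Flag latest-month accounts that dwarf the org median or jumped since last month."""
    months = monthly_costs(response)
    if not months or not months[-1]:
        return {}  # no GuardDuty spend recorded, nothing to compare
    latest = months[-1]
    previous = months[-2] if len(months) > 1 else {}
    org_median = median(latest.values())
    flags = {}
    for acct, usd in latest.items():
        if usd < min_usd:
            continue  # ignore trivial spend so tiny accounts do not trip ratio checks
        reasons = []
        if usd > peer_factor * org_median:
            reasons.append("peer_outlier")
        if acct in previous:
            if usd > growth_factor * previous[acct]:
                reasons.append("mom_growth")
        elif previous:
            reasons.append("new_spend")  # no baseline: new account or newly enabled detector
        if reasons:
            flags[acct] = reasons
    return flags

if __name__ == "__main__":
    for acct, reasons in sorted(flag_accounts(SAMPLE).items()):
        print(acct, ", ".join(reasons))
```

A `mom_growth` or `new_spend` flag is a prompt to check which protection plans are enabled in that account before assuming the workload itself grew.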
FAQ
Is the 30-day GuardDuty free trial available for all protection plans?
The 30-day free trial covers the base GuardDuty service. Some protection plans have separate free trials. S3 Protection has a 30-day free trial in each account where it is enabled. EKS Audit Log Monitoring and Runtime Monitoring also have free trial periods. Check the GuardDuty pricing page for current trial terms, as these can change.
How can I predict GuardDuty costs before enabling in all accounts?
Enable GuardDuty in a representative sample account (one with typical workload characteristics) and monitor the cost estimation dashboard for one to two weeks. Extrapolate to the full account count to estimate organizational spend. This is more accurate than theoretical estimates based on infrastructure size.
Can I set a budget alert for GuardDuty costs?
Yes. Create an AWS Budget filtered to the GuardDuty service with an alert at a threshold that represents unexpected spend growth. GuardDuty costs should be relatively stable month-over-month for stable workloads — a significant cost increase may indicate that a protection plan was inadvertently enabled or that workload data volume grew unexpectedly.
Written by Viktor B.
Co-founder & CEO