
# When Generating Amazon GuardDuty Sample Findings Resulted in a $200 Charge from AWS DevOps Agent
This page has been translated by machine translation. View original
Introduction
Have you ever used GuardDuty's sample findings generation (CreateSampleFindings)? It's a handy API that lets you bulk-generate sample Findings for testing purposes.
The other day, I wrote an article about trying out the GuardDuty AI Protection preview feature. At that time, I casually wondered "I wonder if new Finding Types have been added to the sample Findings too," and ran it without much thought.
You can probably guess what happened, but this triggered approximately $200 in charges from AWS DevOps Agent.
How It Started
To back up a bit, I had been doing some testing to integrate AWS DevOps Agent with GuardDuty after reading the following article.
It's a setup that passes GuardDuty Findings to Lambda via EventBridge, then hits the DevOps Agent Webhook to trigger automated investigation.
After finishing the testing, I should have naturally deleted resources like the EventBridge rule and Lambda function, but I'm embarrassed to say I left them as-is.
What Happened
Having completely forgotten that I'd left things behind, I was writing my article about GuardDuty AI Protection the other day. In the middle of that, I ran CreateSampleFindings from the AWS CLI without specifying a Finding Type.
> aws guardduty create-sample-findings --detector-id $DETECTOR_ID
With this API, if you specify a Finding Type it creates only that one, but if you don't specify one, it creates all samples.
Since I didn't specify a Finding Type this time, GuardDuty generated all available sample Findings at once.
As a result, the EventBridge rule I'd left behind faithfully reacted to the sample Findings as well, and all 406 of them flowed into DevOps Agent.
The EventBridge rule was a simple rule to capture GuardDuty events.
{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"]
}
This pattern only uses source and detail-type as conditions, with no filtering on severity, Finding Type, or whether it's a sample. As a result, all GuardDuty Finding events delivered to EventBridge were forwarded to Lambda.

The Lambda side was also for testing purposes, so there was no rate limiting, sample exclusion, or concurrency limits — it was built to simply POST received Findings directly to the DevOps Agent Webhook.
The Result
As a result of all events flowing into DevOps Agent, charges accumulated for the entire duration of those investigations.
When I checked Cost Explorer, here's the breakdown:
| Usage Type | Operation | Usage Time | Charge |
|---|---|---|---|
| APN1-investigation | TRIAGE | ~0.53 hours | ~$16 |
| APN1-investigation | OPS1 | ~6.34 hours | ~$190 |
| Total | ~6.87 hours | ~$200 |
The effective unit price is $30/hour, and TRIAGE and OPS1 (Investigation) stacked up across 406 Findings.
Because there were too many, investigations were processed sequentially, ultimately resulting in 6 hours of investigation time.
The investigation count is clearly recorded as 406.


Even though they were sample events, it investigated them all diligently…
Looking at the investigation results, it did identify that they were sample events.

Summary
I was painfully reminded that cleaning up is part of testing when it comes to resources created for testing purposes. Forgetting to delete just one EventBridge rule can lead to unexpected charges from surprising places.
While services like AWS DevOps Agent and AI agent-type services are convenient, many of them are event-driven and automatically trigger paid investigations. If you're doing similar testing, make sure you don't forget about filters, rate limits, and cleaning up afterward.
To avoid making the same mistake, please take a moment to check whether any of your test resources are still lying around.
That's all from Jun Suzuki.

