# When Generating Amazon GuardDuty Sample Findings Resulted in a $200 Charge from AWS DevOps Agent

# When Generating Amazon GuardDuty Sample Findings Resulted in a $200 Charge from AWS DevOps Agent

I will introduce a failure case where accidentally executing the GuardDuty sample finding generation API caused all 406 findings to flow into AWS DevOps Agent via an EventBridge rule that had been left in place, resulting in approximately $200 in charges.
2026.07.17

This page has been translated by machine translation. View original

Introduction

Have you ever used GuardDuty's sample findings generation (CreateSampleFindings)? It's a handy API that lets you bulk-generate sample Findings for testing purposes.

The other day, I wrote an article about trying out the GuardDuty AI Protection preview feature. At that time, I casually wondered "I wonder if new Finding Types have been added to the sample Findings too," and ran it without much thought.

You can probably guess what happened, but this triggered approximately $200 in charges from AWS DevOps Agent.

How It Started

To back up a bit, I had been doing some testing to integrate AWS DevOps Agent with GuardDuty after reading the following article.

https://zenn.dev/cscloud_blog/articles/devops-agent-guardduty-integration

It's a setup that passes GuardDuty Findings to Lambda via EventBridge, then hits the DevOps Agent Webhook to trigger automated investigation.

After finishing the testing, I should have naturally deleted resources like the EventBridge rule and Lambda function, but I'm embarrassed to say I left them as-is.

What Happened

Having completely forgotten that I'd left things behind, I was writing my article about GuardDuty AI Protection the other day. In the middle of that, I ran CreateSampleFindings from the AWS CLI without specifying a Finding Type.

> aws guardduty create-sample-findings --detector-id $DETECTOR_ID

With this API, if you specify a Finding Type it creates only that one, but if you don't specify one, it creates all samples.

Since I didn't specify a Finding Type this time, GuardDuty generated all available sample Findings at once.
As a result, the EventBridge rule I'd left behind faithfully reacted to the sample Findings as well, and all 406 of them flowed into DevOps Agent.

The EventBridge rule was a simple rule to capture GuardDuty events.

event-pattern.json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"]
}

This pattern only uses source and detail-type as conditions, with no filtering on severity, Finding Type, or whether it's a sample. As a result, all GuardDuty Finding events delivered to EventBridge were forwarded to Lambda.

guardduty-sample-finding-devops-agent-billing-incident.png

The Lambda side was also for testing purposes, so there was no rate limiting, sample exclusion, or concurrency limits — it was built to simply POST received Findings directly to the DevOps Agent Webhook.

The Result

As a result of all events flowing into DevOps Agent, charges accumulated for the entire duration of those investigations.

When I checked Cost Explorer, here's the breakdown:

Usage Type Operation Usage Time Charge
APN1-investigation TRIAGE ~0.53 hours ~$16
APN1-investigation OPS1 ~6.34 hours ~$190
Total ~6.87 hours ~$200

The effective unit price is $30/hour, and TRIAGE and OPS1 (Investigation) stacked up across 406 Findings.
Because there were too many, investigations were processed sequentially, ultimately resulting in 6 hours of investigation time.

The investigation count is clearly recorded as 406.
Screenshot 2026-07-17 午後9.53.12.png

Screenshot 2026-07-17 午後9.53.43.png

Even though they were sample events, it investigated them all diligently…

Looking at the investigation results, it did identify that they were sample events.

Screenshot 2026-07-17 午後9.54.07.png

Summary

I was painfully reminded that cleaning up is part of testing when it comes to resources created for testing purposes. Forgetting to delete just one EventBridge rule can lead to unexpected charges from surprising places.

While services like AWS DevOps Agent and AI agent-type services are convenient, many of them are event-driven and automatically trigger paid investigations. If you're doing similar testing, make sure you don't forget about filters, rate limits, and cleaning up afterward.

To avoid making the same mistake, please take a moment to check whether any of your test resources are still lying around.

That's all from Jun Suzuki.

References


コスト最適化、打ちっぱなしで元通りになっていませんか

タグ付けも不要リソースの棚卸しも、施策は打てる。でも続ける仕組みがなければ、コストは数か月でじわじわ戻る。一度きりで終わらせず、FinOpsを組織に定着させる=CCoEの役割。最適化を回し続ける進め方を、無料資料にまとめました。

CCoE総合支援

FinOpsを定着させる資料をもらう

Share this article

AWSのお困り事はクラスメソッドへ