Amazon GuardDuty has started publishing usage metrics to Amazon CloudWatch
This page has been translated by machine translation. View original
Hello. This is Omori from tech support.
My daughter recently got hooked on Pokemon GO.
As a result, my phone battery drains quickly.
Introduction
Metrics that can be used to check usage in GuardDuty are now available.*1
I wasn't aware of it, but it seems this was released in 2025/11.*2
Until now, I think we could only track usage through Cost and Usage Reports or Cost Explorer, but now we can understand how much analysis was done in GuardDuty during a specified period.
Usage Metrics
The metrics available for checking usage are as follows:
| Protection Plan | Data Source | Metric Name | Unit | Description |
|---|---|---|---|---|
| Basic Threat Detection | CloudTrailEvents | AnalyzedCount | Count | Number of CloudTrail management events analyzed |
| Basic Threat Detection | VPCFlowLogDNSLogEvents | AnalyzedBytes | Bytes | Amount of VPC Flow Logs and DNS Logs analyzed |
| EKS Protection | KubernetesAuditLogs | AnalyzedCount | Count | Number of Amazon EKS audit log events analyzed |
| S3 Protection | S3DataEvents | AnalyzedCount | Count | Number of S3 data events analyzed |
| Runtime Monitoring | RuntimeMonitoringEC2 | MonitoredVcpuHours | Count (vCPU-hours) | EC2 vCPU hours monitored by Runtime Monitoring |
| Runtime Monitoring | RuntimeMonitoringEKS | MonitoredVcpuHours | Count (vCPU-hours) | Amazon EKS vCPU hours monitored by Runtime Monitoring |
| Runtime Monitoring | RuntimeMonitoringFargate | MonitoredVcpuHours | Count (vCPU-hours) | Fargate vCPU hours monitored by Runtime Monitoring |
| Malware Protection for EC2 | OnDemandEBSSnapshot | ScannedBytes | Bytes | Amount of on-demand EBS snapshot data scanned |
| Malware Protection for EC2 | OnDemandEBSVolume | ScannedBytes | Bytes | Amount of on-demand EBS volume data scanned |
| Malware Protection for EC2 | MalwareProtectionEBS | ScannedBytes | Bytes | Amount of EBS data scanned by Malware Protection |
| RDS Protection | RDS | MonitoredAcuHours | Count (ACU hours) | Amazon RDS Aurora capacity units monitored |
| RDS Protection | RDSLimitless | MonitoredAcuHours | Count (ACU hours) | Amazon RDS Aurora Limitless ACU monitoring hours |
| RDS Protection | AuroraScaleout | MonitoredAcuHours | Count (ACU hours) | Aurora scale-out ACU hours monitored |
| RDS Protection | RDS | MonitoredVcpuHours | Count (vCPU-hours) | Amazon RDS vCPU monitoring hours |
| Lambda Protection | LambdaNetworkLogs | AnalyzedBytes | Bytes | Amount of Lambda network logs analyzed |
The following metrics can be viewed on a single screen in the "Usage" screen of the GuardDuty console navigation pane.
Malware Protection for S3 Usage Metrics
These metrics don't appear in the GuardDuty console, so you need to check them in the CloudWatch console.
| Metric Name | Unit | Description |
|---|---|---|
| CompletedScanCount | Count | Number of S3 object malware scans completed in a specific time frame. |
| FailedScanCount | Count | Number of S3 object malware scans that failed in a specific time frame. |
| SkippedScanCount | Count | Number of S3 object malware scans skipped in a specific time frame. |
| InfectedScanCount | Count | Number of S3 object malware scans that detected potentially malicious objects in a specific time frame. |
| CompletedScanBytes | Count | Number of S3 object bytes scanned in a specific time frame. |
Checking the Number of CloudTrail Management Events Analyzed for a Specific Period
Based on the blog "How to display the total amount of data for a specified period in CloudWatch dashboard and display method using Metric Math", I retrieved the total metrics for the target period.
In my test environment, the number of CloudTrail management events analyzed in 2026/03 was 35,657.
Note: The capture shows "35.7 K", but I confirmed the AnalyzedCount value of 35657 by downloading a CSV file from the console's action button in the top right.
■Metric specification conditions
-
Target period (2026/03/01 09:00:00–2026/04/01 08:59:59)
Note: The period is set considering that monthly usage is aggregated in UTC time -
Statistics: Sum selected in the Graphed metrics tab
-
Widget type "Number" in the Options tab with value "Time range value represents value from the entire time range" selected
This matches the Cost Explorer usage type "APN1-PaidEventsAnalyzed (Events)" usage amount of "35,657.00 Events".
What became possible with the publication of metrics
-
As metrics are published within 24 hours, you can track usage chronologically before it's reflected in Cost Explorer
Note: According to official Cost Explorer documentation, data is reflected up to the previous day -
You can set alarms for GuardDuty usage metrics
-
You can calculate costs based on aggregated usage and the pricing documentation
Conclusion
With the publication of usage metrics, it's now possible to track actual usage over time.
It's also possible to calculate costs before they're reflected in Cost Explorer.
I hope this information is helpful to someone.
References
1.Monitoring GuardDuty Usage and Estimating Cost
2.Amazon GuardDuty Documentation History
About Classmethod Operations, Inc.
We are the operations company of the Classmethod Group.
We are a group of experts with specialized teams in operations, maintenance development, support, IT systems, and back office, providing everything from business outsourcing to problem solving and high-value-added services through "mechanisms" that fully utilize IT and AI.
We are recruiting members for various positions.
If you are interested in our culture, mechanisms, and work style that aim to achieve both "operational excellence" and "working and living in your own way," please visit Classmethod Operations, Inc. Recruitment Site.
*We changed our company name from Annotation Inc. in January 2026
