$3.50
Per 1 million CloudTrail events analyzed: GuardDuty pricing makes it cost-effective even at scale
30 days
Free trial period for both GuardDuty and Security Hub: sufficient to assess value before committing
270+
Security controls checked by Security Hub's CIS AWS Foundations Benchmark standard
2
Clicks to send GuardDuty findings to Security Hub: the most common integration that most teams miss

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

When AWS security comes up in a conversation, GuardDuty and Security Hub are often mentioned interchangeably as 'the AWS security tools.' They serve fundamentally different purposes, and most AWS environments benefit from running both: but many organizations enable one without the other because they do not understand what each one does.

The one-sentence version: GuardDuty watches for active threats. Security Hub shows you your overall security posture and whether your configuration meets compliance benchmarks.

What AWS GuardDuty Actually Does

GuardDuty is a managed threat detection service. It continuously analyzes three data sources that AWS makes available to it:

  1. AWS CloudTrail management events: Every API call made in your AWS account: RunInstances, CreateUser, DescribeSecurityGroups, GetSecretValue. GuardDuty looks for patterns indicating credential compromise (API calls from an unusual geography for that IAM user, calls to services the user has never used, API calls at 3 AM), account reconnaissance (extensive DescribeX calls to enumerate resources), and persistence establishment.

  2. VPC Flow Logs: Network traffic metadata for your EC2 instances and VPCs. GuardDuty looks for communications with known malicious IP addresses, cryptocurrency mining pool connections, and unusual traffic patterns indicating C2 communication.

  3. Route 53 DNS query logs: DNS queries from your EC2 instances. GuardDuty looks for queries to domain generation algorithm (DGA) domains, known C2 infrastructure, and coin mining pools.

GuardDuty does not require you to enable or forward these logs yourself: it accesses them directly through the AWS service API. This is one of its primary advantages: zero configuration overhead for the log sources.

What GuardDuty produces: Findings categorized by threat type (Backdoor, CryptoCurrency, DefenseEvasion, Discovery, Exfiltration, Impact, InitialAccess, Persistence, PrivilegeEscalation, Recon, Stealth, Trojan, UnauthorizedAccess) and severity (1-10). Each finding includes the affected resource, the specific behavior detected, and remediation recommendations.

What GuardDuty does not do: It does not check whether your S3 buckets are public, whether your IAM roles are over-permissioned, or whether your Security Groups allow unnecessary inbound traffic. Those are configuration issues, not active threats: they are Security Hub's domain.

What AWS Security Hub Actually Does

Security Hub is an aggregation and posture management service. It has two main functions:

Function 1: Findings aggregation. Security Hub collects findings from multiple AWS security services into a single unified view:

  • GuardDuty (threat detections)
  • Amazon Inspector (vulnerability assessment for EC2 and container images)
  • Amazon Macie (sensitive data in S3: PII, credentials, financial data)
  • IAM Access Analyzer (external resource access and permission analysis)
  • AWS Firewall Manager (WAF policy compliance)
  • Third-party integrations (CrowdStrike, Palo Alto, Splunk, etc.)

Without Security Hub, each of these services has its own console, its own alert mechanism, and its own data format. Security Hub normalizes all findings to the AWS Security Finding Format (ASFF) and presents them in a single dashboard with filtering, sorting, and workflow management.

Function 2: Security standards and compliance checks. Security Hub continuously evaluates your AWS account configuration against security benchmark standards:

  • CIS AWS Foundations Benchmark (Level 1 and Level 2)
  • AWS Foundational Security Best Practices
  • PCI DSS
  • NIST SP 800-53
  • SOC 2 (through AWS Audit Manager integration)

These checks evaluate things like: Is MFA enabled on the root account? Are CloudTrail logs encrypted? Are S3 buckets blocking public access? Are security group rules following least-privilege principles? Does your account have IAM password policies enforced?

Each check produces a pass/fail result with a remediation recommendation. Your aggregate Security Hub score reflects the percentage of passing controls.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

How They Work Together

GuardDuty produces active threat findings. Security Hub aggregates them alongside configuration findings and vulnerability findings into a unified view.

The integration is two-click to enable: in Security Hub, go to Integrations > AWS > Amazon GuardDuty > Accept findings. GuardDuty findings then appear in Security Hub alongside Inspector vulnerability findings and Macie data classification findings.

Why the combination matters:

A GuardDuty finding tells you: 'EC2 instance i-1234567890abcdef0 is communicating with a known cryptocurrency mining IP.'

The Security Hub context for that same instance might show: 'This EC2 instance has an Inspector finding for CVE-2024-1234 (CVSS 9.8) that was not patched, a public Security Group rule allowing SSH from 0.0.0.0/0, and is in a subnet with no VPC Flow Log monitoring.'

The combination reveals that the compromised instance had multiple configuration weaknesses that likely enabled the compromise. Without Security Hub, you are triaging the active threat without the configuration context. Without GuardDuty, you have configuration findings but no real-time threat detection.

The EventBridge integration for automated response:

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{"numeric": [">", 7]}]
  }
}

This EventBridge rule triggers on high-severity GuardDuty findings and can invoke Lambda functions to automatically isolate affected EC2 instances, revoke IAM credentials, or notify your SOC via SNS.

Cost and When to Enable Each

Both services offer 30-day free trials. Evaluate them in trial mode before committing to production costs.

GuardDuty pricing (approximate):

  • CloudTrail analysis: $3.50 per 1 million management events
  • VPC Flow Log analysis: $1.00 per GB analyzed
  • DNS log analysis: $1.00 per 1 million DNS queries

For a small AWS environment (< 10 EC2 instances, moderate API activity), GuardDuty typically costs $10-30/month. For large environments with high API activity and traffic volumes, costs scale accordingly: use the 30-day trial to establish your baseline cost.

Security Hub pricing:

  • $0.0010 per finding ingested per month (first 10,000 findings free)
  • $0.001 per security check per account per month

Security Hub costs are typically lower than GuardDuty for most environments: roughly $5-20/month for standard deployments.

When to enable GuardDuty: Enable it in every AWS account, immediately. The threat detection value is high and the cost is low. There is no valid reason to operate an AWS account without GuardDuty enabled: the 30-day trial is enough to evaluate it, and the cost to continue is low enough that disabling it after trial is a poor security tradeoff.

When to enable Security Hub: Enable it when you are ready to act on configuration findings. Security Hub's value is in the compliance checks: if you enable it and ignore the findings, it provides no security benefit. Enable it when you have at least part-time capacity to review and remediate configuration findings.

The bottom line

GuardDuty detects active threats by analyzing CloudTrail, VPC Flow Logs, and DNS logs in real time. Security Hub aggregates GuardDuty findings alongside configuration checks, vulnerability findings, and compliance posture into a unified dashboard. Enable GuardDuty in every AWS account immediately: there is no valid reason not to. Enable Security Hub when you have capacity to act on its configuration findings. The two services are complementary: GuardDuty tells you what is happening, Security Hub tells you why your configuration made it possible.

Frequently asked questions

What is the difference between AWS GuardDuty and Security Hub?

GuardDuty is a threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs to identify active malicious activity. Security Hub is an aggregation and posture management service that collects findings from GuardDuty, Inspector, Macie, and other services into a single dashboard and evaluates your AWS configuration against security benchmarks. GuardDuty detects threats; Security Hub shows posture and collects all findings.

Do I need both AWS GuardDuty and Security Hub?

Yes. GuardDuty and Security Hub serve different purposes and complement each other. GuardDuty provides real-time threat detection that Security Hub cannot replicate. Security Hub provides configuration compliance checks and unified findings aggregation that GuardDuty does not offer. Enable GuardDuty first (immediately), then enable Security Hub when you have capacity to act on configuration findings.

How do I reduce AWS GuardDuty costs without losing coverage?

GuardDuty's three cost drivers are CloudTrail events, VPC Flow Logs, and DNS queries. To reduce cost: enable GuardDuty only for accounts and regions where you have active workloads (do not enable in unused regions); use S3 Protection selectively for buckets containing sensitive data rather than all buckets; review GuardDuty's cost breakdown in AWS Cost Explorer by filtering on the GuardDuty service to identify which accounts contribute most. For most mid-sized environments, GuardDuty costs $30-150/month: the threat detection value makes this one of the highest-ROI AWS security investments.

What should I do when GuardDuty generates a high-severity finding?

For high-severity GuardDuty findings (severity 7+): immediately identify the affected resource (IAM user, EC2 instance, or S3 bucket listed in the finding); if the finding involves an IAM credential, revoke active sessions and rotate the access key immediately; if the finding involves an EC2 instance (C2 communication, cryptomining), isolate the instance using a quarantine security group before investigating; if the finding involves an S3 bucket, check for unexpected data access or exfiltration in CloudTrail. All high-severity findings should generate a ticket in your IR workflow. Configure EventBridge rules to route GuardDuty severity 7+ findings to SNS for immediate notification.

Does AWS GuardDuty replace a SIEM?

No. GuardDuty is a threat detection service limited to AWS-native data sources. It has no visibility into on-premises systems, SaaS applications, endpoint behavior outside EC2, or non-AWS cloud environments. A SIEM aggregates logs from all of these sources and supports custom correlation rules across the full environment. GuardDuty is a complement to a SIEM: send GuardDuty findings to your SIEM via EventBridge for correlation with other security events, rather than using it as a standalone detection platform.

Which AWS GuardDuty finding types indicate the highest-severity threats and should trigger immediate response?

The highest-priority GuardDuty findings by incident frequency and impact: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS indicates EC2 instance credentials being used from outside AWS -- this is almost always an active compromise or SSRF exploitation. Backdoor:EC2/C&CActivity.B indicates confirmed command-and-control communication from an EC2 instance. Trojan:EC2/BlackholeTraffic indicates DNS resolution of a known malware domain. Impact:S3/AnomalousBehavior indicates a large or unusual S3 data operation (potential exfiltration). Persistence:IAMUser/NetworkPermissions indicates a root account or IAM user modifying network security groups in an unusual pattern. PrivilegeEscalation:IAMUser/AnomalousBehavior or AdministrativePermissions findings indicate IAM role/policy manipulation consistent with privilege escalation. For these findings: suppress nothing by default, create EventBridge rules to route them to your SIEM or a dedicated response Lambda function with PagerDuty notification. Treat any finding involving the root account as critical regardless of the specific finding type -- root account usage for anything other than account recovery is anomalous in a well-configured AWS environment.

Sources & references

  1. AWS GuardDuty Documentation
  2. AWS Security Hub Documentation
  3. AWS Security Blog: GuardDuty and Security Hub Together

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.