Corey Quinn

Jan 31, 2022, 9 tweets

So let's find out why GuardDuty is the spendiest @awscloud service in one of my AWS accounts for January.

Okay, a crapton of CloudTrail events. Hmm.

This account is part of an organization. I'd have expected this to show up either in the CloudTrail bucket account, or the org payer management account.

GuardDuty console in this account confirms it.

Daily GuardDuty cost is fairly spikey.

Okay, this makes some sense. It's a "legacy" account that predates my adoption of Control Tower. Instead of sending CloudTrail logs to the central logging / audit account, it's using its own.

And there's a bunch of stuff in this account.

The first management event trail is free. Cool! The second would cost me ~$6.50 for this, which is also fine.

Why is GuardDuty costing 4x that?

Well that'd do it; GuardDuty analysis of the CloudTrail events is 4x more expensive than the CloudTrail cost would be (disregarding the first free trail, obviously).

Now, wtf is causing that many events without showing up on the bill?

Time to click the suspicious and frightening "Create Athena Table" button.

And this thing tells me that it's a third party vendor I was playing around with making 9.6 million queries against the account so far this month. Somehow I'm only being billed for 6 million of those in GuardDuty. Hmm.
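Added example, not part of the original thread: an Athena query of the kind that surfaces which principal is generating the CloudTrail volume described above. It assumes the table schema produced by the CloudTrail console's "Create Athena table" button; the table name `cloudtrail_logs` and the January 2022 date window are placeholders.

```sql
-- Added example. Table name is a placeholder; the console generates a name
-- based on the trail's S3 bucket. Columns are those of the console-created table.
SELECT
    -- Collapse assumed-role sessions to the role that issued them, so a vendor
    -- using one cross-account role shows up as a single row per service.
    coalesce(useridentity.sessioncontext.sessionissuer.arn,
             useridentity.arn,
             useridentity.invokedby)      AS principal,
    eventsource,
    count(*)                              AS events,
    count_if(readonly = 'true')           AS read_only_events,
    count(DISTINCT eventname)             AS distinct_api_calls,
    count(DISTINCT sourceipaddress)       AS distinct_source_ips,
    min(eventtime)                        AS first_seen,
    max(eventtime)                        AS last_seen
FROM cloudtrail_logs
-- eventtime is an ISO 8601 string in this schema, so string comparison
-- orders correctly.
WHERE eventtime >= '2022-01-01T00:00:00Z'
  AND eventtime <  '2022-02-01T00:00:00Z'
GROUP BY 1, 2
ORDER BY events DESC
LIMIT 25;
```

A principal with millions of almost entirely read-only events spread across many services is the typical signature of a polling integration rather than of interactive use.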
