GuardDuty Lambda Protection - Amazon GuardDuty

GuardDuty Lambda Protection

Lambda Protection helps you identify potential security threats when an AWS Lambda function is invoked in your AWS environment. When you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs. This includes VPC Flow Logs from all Lambda functions in your account (including functions that don't use VPC networking) and the logs that are generated when a Lambda function is invoked. When GuardDuty identifies suspicious network traffic that indicates potentially malicious code in your Lambda function, it generates one or more Lambda Protection finding types.

30-day free trial

The following list explains how the 30-day free trial works for your account:

  • When you enable GuardDuty in an AWS account in a new Region for the first time, you get a 30-day free trial. In this case, GuardDuty will also enable Lambda Protection, which is included in the free trial.

  • When you are already using GuardDuty and decide to enable Lambda Protection for the first time, your account in this Region will get a 30-day free trial for Lambda Protection.

  • You can choose to disable Lambda Protection at any time. If there are free trial days left in your account in a Region, you can use them if you ever choose to enable Lambda Protection again.

  • During the 30-day free trial, you can get an estimate of your usage costs in that account and Region. After the 30-day free trial ends, Lambda Protection is not disabled automatically, and your account in this Region starts incurring usage cost. For more information, see Estimating GuardDuty usage cost.

Lambda network activity logs are subject to change, including expansion to other kinds of network activity such as DNS query data generated when Lambda functions are invoked. Expanding into other forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, which directly increases the usage cost of Lambda Protection. Whenever GuardDuty starts monitoring an additional network activity log, it will notify the accounts that have Lambda Protection turned on at least 30 days before the release.

Note

Lambda Network Activity Monitoring doesn't include the logs for Lambda@Edge functions.

Lambda Network Activity Monitoring

When you enable Lambda Protection, GuardDuty monitors the Lambda network activity logs that are generated when a Lambda function associated with your account is invoked. This helps you detect potential security threats to the Lambda function. For Lambda functions that are configured to use VPC networking, you don't need to enable VPC Flow Logs on the elastic network interfaces (ENIs) that Lambda creates in order for GuardDuty to monitor them. GuardDuty charges only for the volume of Lambda network activity log data (in GB) that it processes to generate findings. GuardDuty keeps this cost down by applying smart filters and analyzing only the subset of Lambda network activity logs that is relevant to threat detection.

GuardDuty doesn't manage your Lambda network activity logs (including VPC and non-VPC flow logs), or make them accessible in your account.
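Because Lambda Protection is enabled per account and per Region, and the free trial ends silently, a practitioner usually wants a script that checks the detector in the current Region, turns Lambda Protection on if it is off, and reports the remaining free-trial days. The following Python is an added example written for this page, not code from the GuardDuty documentation or from AWS. It assumes the GuardDuty API feature name LAMBDA_NETWORK_LOGS (the name under which Lambda Protection appears in GetDetector, UpdateDetector and GetRemainingFreeTrialDays), the boto3 client methods list_detectors, get_detector, update_detector and get_remaining_free_trial_days, and that AWS credentials for the target account and Region are configured when main() runs. The SAMPLE_* dictionaries are constructed inputs used only to exercise the offline helpers; they are not real API output.

```python
"""Audit and enable GuardDuty Lambda Protection in the current Region.

Added example (not AWS documentation code). The helper functions are pure and
operate on API response dictionaries, so they can be exercised offline; only
main() talks to AWS and needs boto3 plus credentials.
"""
from typing import Optional

# GuardDuty API feature name for Lambda Protection (assumption stated in the lead-in).
FEATURE = "LAMBDA_NETWORK_LOGS"


def lambda_protection_status(detector: dict) -> Optional[str]:
    """Return 'ENABLED' or 'DISABLED' for Lambda Protection from a GetDetector
    response, or None when the feature is not listed on the detector."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status")
    return None


def update_request(detector_id: str, enable: bool) -> dict:
    """Build the UpdateDetector request that toggles only Lambda Protection.
    Passing a single-element Features list leaves every other feature as is."""
    return {
        "DetectorId": detector_id,
        "Features": [{"Name": FEATURE, "Status": "ENABLED" if enable else "DISABLED"}],
    }


def free_trial_days(trial: dict, account_id: str) -> Optional[int]:
    """Extract the remaining Lambda Protection free-trial days for one account
    from a GetRemainingFreeTrialDays response; None if the account or feature
    is not present (for example, the trial already expired and was dropped)."""
    for account in trial.get("Accounts", []):
        if account.get("AccountId") != account_id:
            continue
        for feature in account.get("Features", []):
            if feature.get("Name") == FEATURE:
                return feature.get("FreeTrialDaysRemaining")
    return None


# Constructed sample responses (not real AWS output) for offline checks.
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"},
    ],
}
SAMPLE_TRIAL = {
    "Accounts": [
        {
            "AccountId": "111122223333",
            "Features": [{"Name": "LAMBDA_NETWORK_LOGS", "FreeTrialDaysRemaining": 12}],
        }
    ],
    "UnprocessedAccounts": [],
}


def main() -> None:
    """Live run against the current Region: report the Lambda Protection
    status, enable it if needed, and print the remaining free-trial days."""
    import boto3  # imported here so the helpers above stay importable offline

    gd = boto3.client("guardduty")
    detector_ids = gd.list_detectors()["DetectorIds"]
    if not detector_ids:
        print("GuardDuty is not enabled in this Region; enable GuardDuty first.")
        return
    detector_id = detector_ids[0]  # GuardDuty allows one detector per account per Region
    status = lambda_protection_status(gd.get_detector(DetectorId=detector_id))
    print(f"detector {detector_id}: Lambda Protection is {status or 'not reported'}")
    if status != "ENABLED":
        gd.update_detector(**update_request(detector_id, enable=True))
        status = lambda_protection_status(gd.get_detector(DetectorId=detector_id))
        print(f"after update: Lambda Protection is {status}")
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    trial = gd.get_remaining_free_trial_days(DetectorId=detector_id, AccountIds=[account_id])
    print(f"Lambda Protection free-trial days remaining: {free_trial_days(trial, account_id)}")


if __name__ == "__main__":
    main()
```

Run it once per Region you care about (for example, by setting AWS_DEFAULT_REGION); the Lambda Protection status and the free trial are tracked separately in each Region, so a detector that shows ENABLED in one Region says nothing about another.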