The Cloud Tax Hidden in Your Security Logs
You are paying for every malicious request that hits your infrastructure. Your billing console just calls it normal spend. Here is exactly where the hidden tax lives.

Most cloud cost conversations focus on rightsizing, reserved instances, and idle resources. Those are real savings. But there is a category of cloud spend that almost never appears in a FinOps review: the cost of security activity itself.
Not the cost of your security tools. The cost of the malicious activity hitting your infrastructure every day, processed and billed by AWS whether it succeeds or not.
This post breaks down exactly where that hidden tax lives, what it looks like in your bill, and how to measure it.
What the Hidden Tax Actually Is
When a bot scans your public-facing endpoints, AWS WAF processes every single request. When GuardDuty analyses your CloudTrail logs for suspicious activity, AWS charges per event analysed. When an attacker attempts to exfiltrate data from an S3 bucket, the data transfer costs appear in your bill regardless of whether your controls stopped it.
None of this is labeled “security cost” in Cost Explorer. It is labeled as WAF request charges, GuardDuty usage, and data transfer. It looks like normal infrastructure spend.
The hidden tax is not a rounding error. Here is what the numbers look like at scale.
The AWS Pricing Reality
AWS WAF
AWS WAF charges $0.60 per million requests processed. This applies to every request your WAF evaluates, including blocked malicious traffic.
A web application receiving 50 million requests per month, with 30% of that traffic being malicious bots and scanners (a conservative estimate for a public-facing application), is paying approximately $30/month in WAF request charges for traffic that never reached your application. At 200 million requests per month, that is $120/month in WAF costs driven entirely by attack volume.
Source: AWS WAF pricing
AWS GuardDuty
GuardDuty charges approximately $4.00 per million CloudTrail management events analysed in us-east-1. For an AWS account processing 40 million CloudTrail management events per month, that is roughly $160/month in GuardDuty costs.
Add VPC Flow Log and DNS log analysis: 3,000 GB of VPC Flow Logs and DNS logs analysed totals approximately $1,625/month. For accounts with high network activity or active threat detection, GuardDuty costs can exceed EC2 costs for smaller workloads.
Add S3 protection: 1 billion CloudTrail S3 data events analysed totals approximately $600/month.
Source: AWS GuardDuty pricing
CloudWatch Log Ingestion
When attack volume increases, log volume increases with it. WAF logs, VPC Flow Logs, and CloudTrail logs all feed into CloudWatch. AWS charges $0.50 per GB ingested. A sustained DDoS or scanning campaign can double your CloudWatch log ingestion costs within a billing cycle, with no corresponding increase in legitimate application activity.
The Combined Picture
For a mid-size AWS account under sustained attack pressure, the combined WAF, GuardDuty, and CloudWatch costs driven by malicious activity can represent a meaningful and often unmeasured portion of the monthly bill. As a scenario example: an account with 200 million WAF requests per month (with a portion being malicious bots and scanners, which is typical for public-facing applications), 40 million CloudTrail events in GuardDuty, and elevated VPC Flow Log volume could see $500 to $2,000 per month in security-driven infrastructure costs that appear as normal spend in Cost Explorer. None of it appears as a security line item.
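To make the combined picture concrete, here is an added calculator (example code written for this article, not from the original post or from CostObserver) that turns monthly volume figures into the attack-driven slice of each service's bill. The per-unit prices are the ones quoted above; the graduated tier boundaries for VPC Flow Log/DNS analysis and S3 data events are assumptions taken from the public us-east-1 price list (they reproduce the $1,625 and $600 figures above) and should be checked against the current AWS pricing pages before the output is used in a review. Note that only the blocked share of WAF spend is attributed to attack traffic, and only the CloudWatch ingestion above a quiet-month baseline.

```python
# Added example, not code from the original post: a calculator for the
# monthly security-driven spend described above. Per-unit prices are the
# ones quoted in the post; the tier boundaries are ASSUMPTIONS taken from
# the public us-east-1 price list and must be verified against the
# current AWS pricing pages.
from dataclasses import dataclass

WAF_PER_MILLION_REQUESTS = 0.60           # AWS WAF, per million requests evaluated
GUARDDUTY_PER_MILLION_MGMT_EVENTS = 4.00  # GuardDuty CloudTrail management events
CLOUDWATCH_PER_GB_INGESTED = 0.50         # CloudWatch Logs ingestion

# Graduated tiers: (units covered by this tier, price per unit); None = no cap.
# Assumed boundaries; they reproduce the post's $1,625 (3,000 GB) and $600 (1B events).
VPC_DNS_TIERS_PER_GB = [(500, 1.00), (2_000, 0.50), (None, 0.25)]
S3_EVENT_TIERS_PER_MILLION = [(500, 0.80), (4_500, 0.40), (None, 0.20)]


def tiered_cost(quantity: float, tiers) -> float:
    """Graduated pricing: each tier's rate applies only to the units inside it."""
    cost, remaining = 0.0, float(quantity)
    for size, rate in tiers:
        if remaining <= 0:
            break
        portion = remaining if size is None else min(remaining, size)
        cost += portion * rate
        remaining -= portion
    return cost


@dataclass
class MonthlyVolumes:
    waf_requests: float            # all requests the web ACL evaluated
    waf_block_ratio: float         # BlockedRequests / total, from CloudWatch
    cloudtrail_mgmt_events: float  # management events GuardDuty analysed
    vpc_dns_gb: float              # VPC Flow Log + DNS log GB analysed by GuardDuty
    s3_data_events: float          # CloudTrail S3 data events analysed
    cloudwatch_gb: float           # log GB ingested this month
    cloudwatch_baseline_gb: float  # log GB a quiet month ingests


def hidden_tax(v: MonthlyVolumes) -> dict:
    """Return the attack-driven slice of each service's monthly bill, in USD."""
    waf_total = v.waf_requests / 1e6 * WAF_PER_MILLION_REQUESTS
    return {
        # Only the blocked share of WAF spend is attributable to attack traffic.
        "waf_blocked_traffic": waf_total * v.waf_block_ratio,
        "guardduty_cloudtrail": v.cloudtrail_mgmt_events / 1e6 * GUARDDUTY_PER_MILLION_MGMT_EVENTS,
        "guardduty_vpc_dns": tiered_cost(v.vpc_dns_gb, VPC_DNS_TIERS_PER_GB),
        "guardduty_s3": tiered_cost(v.s3_data_events / 1e6, S3_EVENT_TIERS_PER_MILLION),
        # Ingestion above the quiet-month baseline is the attack-driven log cost.
        "cloudwatch_excess_ingestion": max(0.0, v.cloudwatch_gb - v.cloudwatch_baseline_gb)
        * CLOUDWATCH_PER_GB_INGESTED,
    }


if __name__ == "__main__":
    # Constructed scenario echoing the post: 200M WAF requests, 30% blocked,
    # 40M CloudTrail events, 1,000 GB flow/DNS logs, 200M S3 data events,
    # 900 GB of logs ingested against a 600 GB quiet-month baseline.
    scenario = MonthlyVolumes(200e6, 0.30, 40e6, 1_000, 200e6, 900, 600)
    breakdown = hidden_tax(scenario)
    for name, usd in breakdown.items():
        print(f"{name:28s} ${usd:>10,.2f}")
    print(f"{'total':28s} ${sum(breakdown.values()):>10,.2f}")
```

Feed it the volumes from your own Cost and Usage Report and WAF metrics; the baseline field is what keeps a log-retention change from being mistaken for attack pressure.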
How It Appears in Cost Explorer
This is the part that makes it hard to catch.
In Cost Explorer, WAF charges appear under “AWS WAF” in the Security, Identity, and Compliance category. GuardDuty appears under the same category. But CloudWatch log ingestion from WAF and VPC Flow Logs appears under “Amazon CloudWatch” in the Management and Governance category.
A FinOps team reviewing the bill sees a CloudWatch cost increase and investigates log retention policies. They do not see it as a security cost. They do not correlate it with an increase in attack volume. The two signals are in different categories, reviewed by different teams, on different schedules.
How to Measure Your Hidden Security Tax
Three steps that require no new tooling:
Scope your WAF costs by rule action — in AWS WAF, you can view metrics by rule action (Allow, Block, Count) in CloudWatch. Compare your Block count against your total request count. The blocked percentage is your attack traffic ratio. Multiply by your WAF request cost to get the monthly cost of malicious traffic.
Review GuardDuty usage by finding type — in the GuardDuty console, the Usage page shows cost breakdown by data source. If your CloudTrail management event costs are high, check whether that correlates with a high volume of credential-related findings.
Set a Cost Anomaly Detection monitor scoped to security services — create a separate monitor in AWS Cost Anomaly Detection covering WAF, GuardDuty, Shield, and Security Hub. A spike in this monitor that does not correlate with a new security tool deployment is worth investigating as an increase in attack activity.
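The arithmetic behind steps 1 and 2 is small enough to script. The following is an added example (written for this article, not code from the original post or from CostObserver) that runs it over constructed data shaped like the responses of CloudWatch GetMetricStatistics (namespace AWS/WAFV2, metrics AllowedRequests, BlockedRequests and CountedRequests with the Rule=ALL dimension) and GuardDuty GetUsageStatistics (SumByDataSource). The namespace, metric and dimension names, and response shapes are assumptions taken from the AWS API documentation; the figures are constructed for the example. Step 3 is a one-time Cost Anomaly Detection configuration and is not scripted here.

```python
# Added example, not code from the original post: steps 1 and 2 over
# constructed CloudWatch / GuardDuty response data. API names and response
# shapes are ASSUMPTIONS from the AWS documentation; figures are constructed.
from datetime import datetime, timedelta, timezone

WAF_PRICE_PER_MILLION = 0.60   # from the post


def fetch_waf_metrics(web_acl: str, region: str, days: int = 30) -> dict:
    """Live path (not exercised by the sample data): daily Sums of the web
    ACL's aggregate counters. Assumes boto3 credentials are configured."""
    import boto3  # imported lazily so the sample below runs without AWS access
    cw = boto3.client("cloudwatch", region_name=region)
    end = datetime.now(timezone.utc)
    out = {}
    for name in ("AllowedRequests", "BlockedRequests", "CountedRequests"):
        out[name] = cw.get_metric_statistics(
            Namespace="AWS/WAFV2", MetricName=name,
            Dimensions=[{"Name": "WebACL", "Value": web_acl},
                        {"Name": "Region", "Value": region},
                        {"Name": "Rule", "Value": "ALL"}],
            StartTime=end - timedelta(days=days), EndTime=end,
            Period=86400, Statistics=["Sum"])
    return out


def _total(series: dict) -> float:
    return sum(dp["Sum"] for dp in series.get("Datapoints", []))


def waf_block_summary(metrics: dict, price_per_million: float = WAF_PRICE_PER_MILLION) -> dict:
    """Step 1: blocked share of evaluated traffic and what that share cost.
    A request's terminating action is Allow or Block, so those two sum to the
    requests WAF billed; Count-mode matches are reported separately as the
    volume that rules still in Count would have blocked."""
    allowed, blocked, counted = (_total(metrics[k]) for k in
                                 ("AllowedRequests", "BlockedRequests", "CountedRequests"))
    total = allowed + blocked
    return {
        "total_requests": total,
        "blocked_requests": blocked,
        "counted_requests": counted,
        "block_ratio": blocked / total if total else 0.0,
        "total_cost": total / 1e6 * price_per_million,
        "blocked_cost": blocked / 1e6 * price_per_million,
    }


def guardduty_by_source(usage: dict) -> list:
    """Step 2: GuardDuty spend per data source, largest first, with its share
    of the total, so the dominant source is obvious at a glance."""
    rows = [(e["DataSource"], float(e["Total"]["Amount"]))
            for e in usage["UsageStatistics"]["SumByDataSource"]]
    grand = sum(amt for _, amt in rows) or 1.0
    return sorted(((src, amt, amt / grand) for src, amt in rows),
                  key=lambda r: r[1], reverse=True)


# Constructed sample data (three daily datapoints stand in for a month).
SAMPLE_WAF = {
    "AllowedRequests": {"Datapoints": [{"Sum": 4.0e6}, {"Sum": 4.5e6}, {"Sum": 3.5e6}]},
    "BlockedRequests": {"Datapoints": [{"Sum": 2.0e6}, {"Sum": 2.5e6}, {"Sum": 1.5e6}]},
    "CountedRequests": {"Datapoints": [{"Sum": 0.0}, {"Sum": 1.0e5}, {"Sum": 0.0}]},
}
SAMPLE_GUARDDUTY = {"UsageStatistics": {"SumByDataSource": [
    {"DataSource": "CLOUD_TRAIL", "Total": {"Amount": "160.00", "Unit": "USD"}},
    {"DataSource": "FLOW_LOGS", "Total": {"Amount": "1200.00", "Unit": "USD"}},
    {"DataSource": "DNS_LOGS", "Total": {"Amount": "425.00", "Unit": "USD"}},
    {"DataSource": "S3_LOGS", "Total": {"Amount": "600.00", "Unit": "USD"}},
]}}

if __name__ == "__main__":
    s = waf_block_summary(SAMPLE_WAF)
    print(f"WAF: {s['block_ratio']:.1%} of {s['total_requests']:,.0f} requests blocked; "
          f"${s['blocked_cost']:.2f} of ${s['total_cost']:.2f} spent on attack traffic")
    for src, amt, share in guardduty_by_source(SAMPLE_GUARDDUTY):
        print(f"GuardDuty {src:12s} ${amt:>9,.2f}  {share:6.1%}")
```

Run monthly and keep the two numbers that matter, block_ratio and the top GuardDuty source, in the same place your FinOps review looks; a rising block ratio with flat total_requests is the attack-volume signal the post describes, and it is invisible if only total_cost is tracked.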
Note: If WAF is not enabled on your public-facing endpoints, the hidden tax argument does not apply in the same way. Without WAF, you are not paying to process blocked traffic. You are paying for the damage that gets through.
Why This Matters for SecFinOps
The hidden security tax is not just a cost problem. It is a signal problem.
A sustained increase in WAF block rates means your attack surface is under more pressure than it was last month. A spike in GuardDuty CloudTrail analysis costs means more suspicious API activity is being detected. These are security signals that happen to be visible in your billing data before they surface as formal incidents.
Most FinOps teams see the cost increase and look for a configuration to fix. Most security teams never see the billing data at all. The signal sits in the bill, unread, until the incident is already underway.
That is the gap SecFinOps is built to close.