It is recommended to configure alerts for critical findings, delivered as mail messages via Amazon SNS or, through integrations using AWS Lambda, to instant messaging services such as Slack.
Ensure someone in your organization is acting on critical security findings as they are detected. Detective controls such as GuardDuty improve your security posture only when someone analyzes the findings (at least the critical/high severity findings, as a quick win) and takes action to remediate them.
A simple way to centrally visualize the critical security findings, and to simplify the configuration of these alarms for multiple services, is to enable AWS Security Hub to centralize the security findings and configure automatic notifications. There is no cost for the first 10,000 events/account/region/month, and the cost over that free tier is only $0.00003 per event (see pricing below).
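One way to wire the automatic notifications described above, as an added example (not code from this page or from AWS): an EventBridge event pattern that selects new, active CRITICAL/HIGH findings imported into Security Hub, and a Lambda handler that formats each one and publishes it to SNS. The `ALERT_TOPIC_ARN` environment variable name and the sample event are assumptions constructed for illustration.

```python
import os

# EventBridge rule pattern: only new, active CRITICAL/HIGH Security Hub findings.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]},
                            "Workflow": {"Status": ["NEW"]},
                            "RecordState": ["ACTIVE"]}},
}

def is_alertable(finding):
    """Re-check in code what the rule filters, in case the rule is loosened."""
    want = EVENT_PATTERN["detail"]["findings"]
    return (finding.get("Severity", {}).get("Label") in want["Severity"]["Label"]
            and finding.get("Workflow", {}).get("Status") in want["Workflow"]["Status"]
            and finding.get("RecordState") in want["RecordState"])

def format_alert(finding):
    """Build one short message with what a responder needs first."""
    resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", []))
    return (f"[{finding['Severity']['Label']}] {finding.get('Title', 'untitled')}\n"
            f"Account: {finding.get('AwsAccountId')}  Region: {finding.get('Region')}\n"
            f"Resources: {resources or 'n/a'}\nFinding ID: {finding.get('Id')}")

def sns_publish(message):
    import boto3  # lazy import; topic ARN read from ALERT_TOPIC_ARN (assumed name)
    boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],
                                Subject="Critical security finding", Message=message)

def handler(event, context=None, publish=sns_publish):
    """Lambda entry point: alert on each qualifying finding, return the count."""
    alerts = [format_alert(f) for f in event.get("detail", {}).get("findings", [])
              if is_alertable(f)]
    for message in alerts:
        publish(message)
    return len(alerts)

# Constructed sample event (illustrative values, not real findings).
SAMPLE_EVENT = {"source": "aws.securityhub", "detail": {"findings": [
    {"Id": "example-finding-1", "Title": "Constructed critical finding",
     "AwsAccountId": "111122223333", "Region": "us-east-1", "RecordState": "ACTIVE",
     "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"}]},
    {"Id": "example-finding-2", "Title": "Constructed suppressed finding",
     "RecordState": "ACTIVE", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "SUPPRESSED"}},
]}}

if __name__ == "__main__":
    handler(SAMPLE_EVENT, publish=print)
```

Filtering on `Workflow.Status` NEW keeps findings that were already triaged or suppressed from re-alerting each time Security Hub re-imports them.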
If you already have a Security Information and Event Management (SIEM) solution in your organization, you can also send the security findings from GuardDuty and other sources to the SIEM, and launch alerts from there.
If you don’t know how to act on these critical findings and you believe your account may be compromised, open a support ticket and engage with the AWS Customer Incident Response Team (AWS CIRT). The CIRT team provides free assistance on incident response for customers having an active security incident. If you have AWS Enterprise support, also contact your AWS Technical Account Manager.
https://aws.amazon.com/security-hub/pricing
The service has a 30-day free trial period.
The service has a site to verify current usage and estimate future usage.