GuardDuty for threat detection in AWS - Time & Space Complexity
We want to understand how the time to detect threats with GuardDuty changes as the amount of monitored data grows.
How does GuardDuty's processing time grow when it analyzes more network and account activity?
Analyze the time complexity of the following operation sequence.
```bash
# Placeholders in angle brackets stand in for values the page does not give.
aws guardduty create-detector --enable
aws guardduty create-members --detector-id <detector-id> --account-details file://accounts.json
aws guardduty start-monitoring-members --detector-id <detector-id> --account-ids <account-id>
aws guardduty list-findings --detector-id <detector-id>
aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id>
```
This sequence enables GuardDuty, adds accounts to monitor, starts monitoring, and retrieves threat findings.
Identify the API calls, resource provisioning, and data transfers that repeat.
- Primary operation: GuardDuty analyzing incoming data streams for threats.
- How many times: This analysis happens continuously and scales with the volume of monitored data.
As the amount of network and account activity increases, GuardDuty processes more data to find threats.
| Input Size (n) | Approx. API Calls/Operations |
|---|---|
| 10 GB data | 10 units of threat analysis |
| 100 GB data | 100 units of threat analysis |
| 1000 GB data | 1000 units of threat analysis |
Pattern observation: The processing grows roughly in direct proportion to the amount of data monitored.
Time Complexity: O(n)
This means the time to detect threats grows linearly as the monitored data increases.
[X] Wrong: "GuardDuty's detection time stays the same no matter how much data it monitors."
[OK] Correct: More data means more analysis work, so detection time grows with data volume.
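The last two commands of the sequence show the same linear growth at the API level. The following Python is an added example, not code from the page or from AWS; it assumes a boto3-style client whose ListFindings pages and GetFindings batches are capped at 50 items, and a constructed FakeGuardDuty stands in for the real client so it runs offline.

```python
# Added example (not from the original page): retrieving findings is O(n) in the
# number of findings because ListFindings pages and GetFindings batches are both
# capped at 50 items. FakeGuardDuty is a constructed offline stand-in for boto3.

PAGE_SIZE = 50  # MaxResults cap for ListFindings and FindingIds cap for GetFindings

def retrieve_all_findings(client, detector_id):
    """Page through ListFindings, then fetch full findings in batches of 50."""
    finding_ids, token = [], None
    while True:
        kwargs = {"DetectorId": detector_id, "MaxResults": PAGE_SIZE}
        if token:
            kwargs["NextToken"] = token
        page = client.list_findings(**kwargs)
        finding_ids.extend(page["FindingIds"])
        token = page.get("NextToken")
        if not token:
            break
    findings = []
    for start in range(0, len(finding_ids), PAGE_SIZE):  # never exceed the 50-ID cap
        batch = finding_ids[start:start + PAGE_SIZE]
        findings.extend(client.get_findings(DetectorId=detector_id, FindingIds=batch)["Findings"])
    return findings

class FakeGuardDuty:
    """Constructed offline stand-in for boto3's GuardDuty client; counts calls."""
    def __init__(self, n_findings):
        self.ids = [f"finding-{i:04d}" for i in range(n_findings)]
        self.calls = {"list_findings": 0, "get_findings": 0}

    def list_findings(self, DetectorId, MaxResults, NextToken=None):
        self.calls["list_findings"] += 1
        start, end = int(NextToken or 0), int(NextToken or 0) + MaxResults
        resp = {"FindingIds": self.ids[start:end]}
        if end < len(self.ids):
            resp["NextToken"] = str(end)  # more pages remain
        return resp

    def get_findings(self, DetectorId, FindingIds):
        assert len(FindingIds) <= PAGE_SIZE, "GetFindings accepts at most 50 IDs"
        self.calls["get_findings"] += 1
        return {"Findings": [{"Id": i, "Severity": 5.0} for i in FindingIds]}

def api_calls_for(n_findings):
    """API calls needed to retrieve n findings: 2*ceil(n/50) for n > 0, linear in n."""
    fake = FakeGuardDuty(n_findings)
    assert len(retrieve_all_findings(fake, "detector-id-placeholder")) == n_findings
    return fake.calls["list_findings"] + fake.calls["get_findings"]
```

Doubling the number of findings doubles the calls, which is the O(n) behaviour the table above describes for the analysis itself.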
Understanding how cloud security services scale with data helps you design systems that stay secure as they grow.
"What if GuardDuty used sampling instead of analyzing all data? How would the time complexity change?"