Managing CloudTrail trail costs - AWS CloudTrail

Managing CloudTrail trail costs

As a best practice, we recommend using AWS services and tools that can help you manage CloudTrail costs. You can also configure and manage CloudTrail trails in ways that capture the data you need while remaining cost-effective. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

Tools to help manage costs

AWS Budgets, a feature of AWS Billing and Cost Management, lets you set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.

As you create multiple trails, creating a budget for CloudTrail by using AWS Budgets is a recommended best practice, and can help you track your CloudTrail spending. Cost-based budgets help promote awareness of how much you might be billed for your CloudTrail use. Budget alerts notify you when your bill reaches a threshold that you define. When you receive a budget alert, you can make changes before the end of the billing cycle to manage your costs.

After you create a budget, you can use AWS Cost Explorer to see how your CloudTrail costs are influencing your overall AWS bill. In AWS Cost Explorer, after adding CloudTrail to the Service filter, you can compare your historical CloudTrail spending to that of your current month-to-date (MTD) spending, by both Region and account. This feature helps you monitor and detect unexpected costs in your monthly CloudTrail spending. Additional features in Cost Explorer let you compare CloudTrail spending to monthly spending at the specific resource level, providing information about what might be driving cost increases or decreases in your bill.

Note

Though you can apply tags to CloudTrail trails, AWS Billing cannot currently use tags applied to trails for cost allocation. Cost Explorer can show costs for CloudTrail Lake event data stores and for the CloudTrail service as a whole.

To get started with AWS Budgets, open AWS Billing and Cost Management, and then choose Budgets in the left navigation bar. We recommend configuring budget alerts as you create a budget to track CloudTrail spending. For more information about how to use AWS Budgets, see Managing Your Costs with Budgets and Best Practices for AWS Budgets.

Trail configuration

CloudTrail offers flexibility in how you configure trails in your account. Some decisions that you make during the setup process require that you understand their impact on your CloudTrail bill. The following are examples of how trail configurations can influence your CloudTrail bill.

Multiple trail creation

The first copy of management events within each Region is delivered free of charge. For example, if your account has two single-Region trails, one in us-east-1 and another in us-west-2, there are no CloudTrail charges because only one trail is logging events in each Region. However, if your account has a multi-Region trail and an additional single-Region trail, the single-Region trail incurs charges because the multi-Region trail is already logging events in every Region.

If you create more trails that deliver the same management events to other destinations, those subsequent deliveries incur CloudTrail costs. You can do this to allow different user groups (such as developers, security personnel, and IT auditors) to receive their own copies of log files. For data events, all deliveries incur CloudTrail costs, including the first.

As you create more trails, it is especially important to be familiar with your logs, and understand the types and volumes of events that are generated by resources in your account. This helps you anticipate the volume of events that are associated with an account, and plan for trail costs. For example, using AWS KMS-managed server-side encryption (SSE-KMS) on your S3 buckets can result in a large number of AWS KMS management events in CloudTrail. Larger volumes of events across multiple trails can also influence costs.

To help limit the number of events that are logged to your trail, you can filter out AWS KMS or Amazon RDS Data API events by choosing Exclude AWS KMS events or Exclude Amazon RDS Data API events on the Create trail or Update trail pages. When using basic event selectors, you can only filter management events. However, you can use advanced event selectors to filter both management and data events. You can use advanced event selectors to include or exclude data events based on the resources.type, eventName, resources.ARN, and readOnly fields, giving you the ability to log only the data events of interest. For more information about configuring these fields, see AdvancedFieldSelector. For more information about creating and updating a trail, see Creating a trail or Updating a trail in this guide.
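As an added example (not code from the AWS documentation), the following trail-level advanced event selectors implement the filtering just described: management events with AWS KMS and RDS Data API excluded, and data events limited to writes on one S3 bucket. A small offline matcher applies the selector semantics to constructed sample events so you can see which ones a trail would deliver, and therefore bill; the bucket name is an assumption.

```python
# Added example, not AWS's own code: advanced event selectors as described on the
# page, plus an offline check of which constructed events they deliver. Bucket name
# "example-audit-bucket" is an assumption. Selectors in the list are ORed; the field
# selectors inside one selector are ANDed, and eventCategory is required in each.
ADVANCED_EVENT_SELECTORS = [
    {
        "Name": "Management events, excluding AWS KMS and RDS Data API",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Management"]},
            {"Field": "eventSource", "NotEquals": ["kms.amazonaws.com", "rdsdata.amazonaws.com"]},
        ],
    },
    {
        "Name": "Write-only S3 object data events for one bucket",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "readOnly", "Equals": ["false"]},
            {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-audit-bucket/"]},
        ],
    },
]

_OPS = {
    "Equals": lambda value, pattern: value == pattern,
    "StartsWith": lambda value, pattern: value.startswith(pattern),
    "EndsWith": lambda value, pattern: value.endswith(pattern),
}

def _field_matches(field_selector: dict, event: dict) -> bool:
    """Positive operators pass if any listed value matches; Not* pass only if none does."""
    value = str(event.get(field_selector["Field"], ""))
    for op, patterns in field_selector.items():
        if op == "Field":
            continue
        negate = op.startswith("Not")
        hit = any(_OPS[op[3:] if negate else op](value, p) for p in patterns)
        if hit == negate:
            return False
    return True

def event_is_logged(event: dict, selectors=ADVANCED_EVENT_SELECTORS) -> bool:
    """True if at least one selector matches: the trail delivers (and bills) the event."""
    return any(all(_field_matches(f, event) for f in s["FieldSelectors"]) for s in selectors)

# Constructed sample events, flattened to the fields a selector can test.
KMS_DECRYPT = {"eventCategory": "Management", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "readOnly": "true"}
S3_PUT_AUDIT = {"eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
                "readOnly": "false", "resources.type": "AWS::S3::Object",
                "resources.ARN": "arn:aws:s3:::example-audit-bucket/2024/report.csv"}
S3_GET_AUDIT = dict(S3_PUT_AUDIT, eventName="GetObject", readOnly="true")  # a read: not logged
```

The list is the value of `AdvancedEventSelectors` for the CloudTrail PutEventSelectors API (`aws cloudtrail put-event-selectors --advanced-event-selectors`), so the same structure can be pushed to a trail once it produces the results you expect offline.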

AWS Organizations

When you set up an Organizations trail with CloudTrail, CloudTrail replicates the trail to each member account within your organization. The new trail is created in addition to any existing trails in member accounts. Be sure that the configuration of your organization trail matches how you want trails configured for all accounts within an organization, because the organization trail configuration propagates to all accounts.

Because an organization trail creates a trail in each member account, a member account that creates its own trail to collect the same management events is collecting a second copy of those events, and the account is charged for the second copy. Similarly, if an account has a multi-Region trail and creates a second, single-Region trail that collects the same management events, the single-Region trail delivers a second copy of events, and that second copy incurs charges.

See also