How can I optimize CloudTrail costs and still maintain compliance?

Resolution

Review and consolidate CloudTrail trails

Multiple trails that record the same events can cause increased CloudTrail costs:

• Identify all current trails in your AWS account and across your organization.
• Check for duplicate trails that record the same management events.
• Keep one trail for management event logs (which is free), and turn off management event recording on other trails.

For more information, see Consolidate and query AWS CloudTrail data across accounts and regions using AWS CloudTrail Lake.

Optimize event logs

To reduce costs, be selective about the events that you log.

For management events:

• Edit your trail and uncheck "Read" events if they're not critical. Keep only "Write" events selected. For more information on how to update a trail, see Updating a trail with the CloudTrail console.
• Turn off high-volume services such as AWS Key Management Service (AWS KMS) and Amazon Relational Database Service (Amazon RDS) if they aren't essential for your compliance needs.

To exclude AWS KMS and Amazon RDS events, use the following AWS Command Line Interface (AWS CLI) command:

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you use the most recent AWS CLI version.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '\[{"ReadWriteType": "All","IncludeManagementEvents":true,"ExcludeManagementEventSources": \["kms.amazonaws.com","rds.amazonaws.com"\]}\]'

For data events:

• Review and remove unnecessary resource monitors, such as Amazon Simple Storage Service (Amazon S3) buckets or AWS Lambda functions that aren't production critical.
• Use advanced event selectors to specify exactly what events to log.

Manage CloudTrail Lake usage

If you use CloudTrail Lake, then take the following actions:

• Use either CloudTrail Lake or an organization trail to avoid duplicate logs.
• If you use CloudTrail Lake, turn off management events in your organization trail.
• Monitor the following ingestion costs with Amazon CloudWatch metrics:
  Namespace: AWS/CloudTrail
  Metric name: HourlyDataIngested

Monitor costs with Cost Explorer

Use AWS Cost Explorer to analyze CloudTrail usage and costs.

Optimize trail configuration

Consider your log needs and adjust your trail configuration through the following actions:

• If appropriate for your use case, change from multi-Region to single-Region logging.
• If you turn on single-Region logging for your home Region only, then you can't view logs for global services that are available in the us-east-1 Region. This includes services such as AWS Identity and Access Management (IAM).

For more information, see Receiving CloudTrail log files from multiple Regions.

Manage retention and storage

Improve your log retention and storage strategy through the following actions:

• Review your Amazon S3 bucket lifecycle policies to effectively manage objects and remove logs beyond your required retention period.
• Consider Amazon S3 Intelligent-Tiering or Amazon S3 Glacier storage classes for long-term retention of older logs.

Regularly review and optimize

Regularly review and optimize your CloudTrail and CloudWatch configurations through the following actions:

• Conduct monthly or quarterly reviews of your needs and configurations.
• Use Cost Explorer and CloudWatch Metrics to monitor and analyze your usage and costs over time.
• Stay informed about new CloudTrail features or price changes that might affect your costs.

Related information

AWS CloudTrail pricing

Managing CloudTrail trail costs

Logging data events