How to reduce the cost for cloudtrail logging

0

Hi All, I have multiple multi-region cloudtrail defined in single AWS account. One cloudtrail is sending logs to the security account and another cloudtrail is logging in to the local account. In the monthly bill, cloudtrail bill is showing as the massive chunk of the total billing amount. From the documents and resolution available on the internet, it seems happening due to duplication entry in the logs. However, the business requirement is to keep two cloudtrail in one account, one cloudtrail need to feed log data in the security account, and another cloudtrail to feed in the local account.

How can we reduce the cost associated with two cloudtrails with duplicate log entries?

Thanks & Regards Rimpal Johal

3 Answers
1

The first management event in each account is free and when you create multiple trails you enable delivery of multiple management events which increase your cost. Do you have excluded KMS and RDS Data API events from your trails if you don't need them?

It depends on what is configured in your cloudtrails. are these management only trail or it has data and insight events enabled as well. What is the security/compliance requirement? Do you need other events ? If not disable data and insight events.

If the requirement is to have 2 cloudtrails then there is nothing much you can do. But if the requirement is to feed security account and as well as keep local copy of cloudtrail logs then there are multiple ways depending on what you are doing with data in the security account. e.g: You can read from security account directly from the s3 bucket in the local account if you are ingesting that data into some security tool. this will allow you to remove second cloud trail.

answered 2 years ago
1

The biggest cost you'll see is having more than 1 CloudTrail set up. The "first cloudtrail" (copy) is free: https://aws.amazon.com/cloudtrail/pricing/.

I would check with requirements and see if you could centrally receive CloudTrail Logs in 1 account for security (or even use S3). One example:

If requirements do require 2 CloudTrails set up, there isn't much you can do.

jsonc
answered 2 years ago
1

Not much to add for previous answers. Key to potential cost reduction is understanding why there is a requirement for local trail (centralized trail is likely becauce auditability requirement) Maybe Cloudtrail Lake would be interesting when looking for a ways to have both centralized audit trail and sharing that with multiple accounts. https://aws.amazon.com/blogs/mt/announcing-aws-cloudtrail-lake-a-managed-audit-and-security-lake/

profile picture
EXPERT
Kallu
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions