Managing CloudTrail trail costs - Amazon CloudTrail

Managing CloudTrail trail costs

You can configure and manage CloudTrail trails in ways that capture the data you need while remaining cost-effective. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing.

Trail configuration

CloudTrail offers flexibility in how you configure trails in your account. Some decisions that you make during the setup process require that you understand the impacts to your CloudTrail bill. The following are examples of how trail configurations can influence your CloudTrail bill.

Multiple trail creation

The first copy of management events within each Region is delivered free of charge. For example, if your account has two single-Region trails, one in us-east-1 and another in us-west-2, there are no CloudTrail charges because only one trail is logging events in each respective Region. However, if your account has a multi-Region trail and an additional single-Region trail, the single-Region trail will incur charges because the multi-Region trail is already logging events in every Region, including that one.

If you create more trails that deliver the same management events to other destinations, those subsequent deliveries incur CloudTrail costs. You can do this to allow different user groups (such as developers, security personnel, and IT auditors) to receive their own copies of log files. For data events, all deliveries incur CloudTrail costs, including the first.

As you create more trails, it is especially important to be familiar with your logs, and understand the types and volumes of events that are generated by resources in your account. This helps you anticipate the volume of events that are associated with an account, and plan for trail costs. For example, using Amazon KMS-managed server-side encryption (SSE-KMS) on your S3 buckets can result in a large number of Amazon KMS management events in CloudTrail. Larger volumes of events across multiple trails can also influence costs.

To help limit the number of events that are logged to your trail, you can filter out Amazon KMS events by choosing Exclude Amazon KMS events on the Create trail or Update trail pages. When using basic event selectors, you can only filter management events. However, you can use advanced event selectors to filter both management and data events.

You can use advanced event selectors to include or exclude data events based on the eventName, resources.ARN, and readOnly fields, giving you the ability to log only the data events of interest. For more information, see Filtering data events by using advanced event selectors.
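The following is an added example, not code from this guide or from AWS. It builds an advanced event selector set that does the two things described above (drops Amazon KMS management events and keeps only write data events on one S3 bucket) and then evaluates a few constructed events against it locally, so you can see which events a trail with this configuration would deliver before you pay for them. The field names, operators and the "selectors are ORed, field selectors within one selector are ANDed" behaviour follow the CloudTrail advanced event selector schema; the flat event dictionaries, the bucket name and the trail name are constructed for illustration and are not real CloudTrail record format.

```python
"""Preview which events a set of CloudTrail advanced event selectors would log.

Added example (not AWS code). Selector structure is the one accepted by
put-event-selectors / boto3 put_event_selectors(AdvancedEventSelectors=...).
"""
from typing import Callable

# Selector 1: all management events except those from Amazon KMS
# (the same effect as "Exclude Amazon KMS events" in the console).
# Selector 2: only write data events on objects in one bucket.
# "example-bucket" is a constructed placeholder.
ADVANCED_EVENT_SELECTORS = [
    {
        "Name": "Management events without KMS",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Management"]},
            {"Field": "eventSource", "NotEquals": ["kms.amazonaws.com"]},
        ],
    },
    {
        "Name": "Write data events on example-bucket",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "readOnly", "Equals": ["false"]},  # readOnly values are strings
            {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-bucket/"]},
        ],
    },
]

# Operators supported by advanced event selectors, as local predicates.
OPERATORS: dict[str, Callable[[str, list[str]], bool]] = {
    "Equals": lambda v, vals: v in vals,
    "NotEquals": lambda v, vals: v not in vals,
    "StartsWith": lambda v, vals: any(v.startswith(x) for x in vals),
    "NotStartsWith": lambda v, vals: not any(v.startswith(x) for x in vals),
    "EndsWith": lambda v, vals: any(v.endswith(x) for x in vals),
    "NotEndsWith": lambda v, vals: not any(v.endswith(x) for x in vals),
}


def field_matches(field_selector: dict, event: dict) -> bool:
    """Every operator present on one field selector must hold (AND)."""
    value = event.get(field_selector["Field"], "")
    return all(
        fn(value, field_selector[op])
        for op, fn in OPERATORS.items()
        if op in field_selector
    )


def selector_matches(selector: dict, event: dict) -> bool:
    """All field selectors of one advanced event selector must hold (AND)."""
    return all(field_matches(fs, event) for fs in selector["FieldSelectors"])


def would_be_logged(event: dict, selectors: list = ADVANCED_EVENT_SELECTORS) -> bool:
    """An event is delivered if it matches any selector (OR across selectors)."""
    return any(selector_matches(s, event) for s in selectors)


# Constructed sample events, flattened to the selector field names
# (real CloudTrail records nest resources under a "resources" list).
SAMPLE_EVENTS = {
    "kms-decrypt": {"eventCategory": "Management", "eventSource": "kms.amazonaws.com",
                    "eventName": "Decrypt", "readOnly": "true"},
    "iam-create-user": {"eventCategory": "Management", "eventSource": "iam.amazonaws.com",
                        "eventName": "CreateUser", "readOnly": "false"},
    "s3-put-in-scope": {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
                        "eventName": "PutObject", "resources.type": "AWS::S3::Object",
                        "resources.ARN": "arn:aws:s3:::example-bucket/reports/q1.csv",
                        "readOnly": "false"},
    "s3-get-in-scope": {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
                        "eventName": "GetObject", "resources.type": "AWS::S3::Object",
                        "resources.ARN": "arn:aws:s3:::example-bucket/reports/q1.csv",
                        "readOnly": "true"},
    "s3-put-other-bucket": {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
                            "eventName": "PutObject", "resources.type": "AWS::S3::Object",
                            "resources.ARN": "arn:aws:s3:::other-bucket/x.bin",
                            "readOnly": "false"},
}


def logged_sample_names() -> list[str]:
    """Names of the constructed samples that the selectors would deliver."""
    return [name for name, ev in SAMPLE_EVENTS.items() if would_be_logged(ev)]


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:22s} logged={would_be_logged(ev)}")
    # To apply to a real trail (network call, not run here; "my-trail" is a placeholder):
    # import boto3
    # boto3.client("cloudtrail").put_event_selectors(
    #     TrailName="my-trail", AdvancedEventSelectors=ADVANCED_EVENT_SELECTORS)
```

Running the module shows that only the IAM management event and the PutObject on the bucket of interest would be delivered; the KMS Decrypt, the read-only GetObject and the write to a different bucket are all filtered out, which is exactly the volume reduction the paragraph above is after.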

For more information about creating and updating a trail, see Creating a trail with the CloudTrail console or Updating a trail with the CloudTrail console in this guide.

Amazon Organizations

When you set up an Organizations trail with CloudTrail, CloudTrail replicates the trail to each member account within your organization. The new trail is created in addition to any existing trails in member accounts. Be sure that the configuration of your organization trail matches how you want trails configured for all accounts within an organization, because the organization trail configuration propagates to all accounts.

Because Organizations creates a trail in each member account, an individual member account that creates an additional trail to collect the same management events as the Organizations trail is collecting a second copy of events. The account is charged for the second copy. Similarly, if an account has a multi-Region trail, and creates a second trail in a single Region to collect the same management events as the multi-Region trail, the trail in the single Region is delivering a second copy of events. The second copy incurs charges.
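As an added example (not code from this guide or from AWS), the following model applies the billing rule stated in this section and in "Multiple trail creation" above: the first copy of management events per account and Region is free, an organization trail counts as that copy in every member account, a multi-Region trail counts as it in every Region, and every data-event delivery is billed. It attributes the free copy to the broadest trail (organization, then multi-Region) so that the charge lands on the narrower, duplicating trail, which is how the scenarios in the text describe it. The Trail class, the region list and the account IDs are constructed for illustration; the function reports which deliveries would be billed, not a dollar amount.

```python
"""Model of CloudTrail's 'first copy of management events is free' rule.

Added example, not AWS code. Use it to reason about a planned trail layout
before creating trails; it does not call any AWS API.
"""
from dataclasses import dataclass

# Constructed sample Regions used when a trail is multi-Region.
REGIONS = ("us-east-1", "us-west-2", "eu-west-1")


@dataclass(frozen=True)
class Trail:
    name: str
    owner: str                  # account that created the trail
    home_region: str
    multi_region: bool = False  # True: logs every Region in REGIONS
    organization: bool = False  # True: replicated into every organization account
    management: bool = True     # logs management events
    data_events: bool = False   # logs data events (every delivery is billed)


def deliveries(trail: Trail, regions=REGIONS, org_accounts=()):
    """Yield (account, region) pairs in which this trail delivers a copy of events."""
    accounts = org_accounts if trail.organization else (trail.owner,)
    covered = regions if trail.multi_region else (trail.home_region,)
    for account in accounts:
        for region in covered:
            yield account, region


def chargeable_copies(trails, regions=REGIONS, org_accounts=()):
    """Return billed deliveries as (account, region, trail name, event kind).

    org_accounts lists every account an organization trail is replicated into
    (management account included); it is only used for organization trails.
    """
    # Broadest trails first: the free copy goes to the organization trail,
    # then to a multi-Region trail, so a narrower duplicate picks up the charge.
    ordered = sorted(trails, key=lambda t: (not t.organization, not t.multi_region, t.name))
    free_copy_used = set()
    billed = []
    for trail in ordered:
        for account, region in deliveries(trail, regions, org_accounts):
            if trail.management:
                if (account, region) in free_copy_used:
                    billed.append((account, region, trail.name, "management"))
                else:
                    free_copy_used.add((account, region))
            if trail.data_events:
                billed.append((account, region, trail.name, "data"))
    return billed


if __name__ == "__main__":
    # Scenario from the text: organization trail plus a member's own single-Region trail.
    org_trail = Trail("org-trail", "111111111111", "us-east-1", multi_region=True, organization=True)
    member_trail = Trail("member-audit", "222222222222", "eu-west-1")
    for row in chargeable_copies([org_trail, member_trail],
                                 org_accounts=("111111111111", "222222222222")):
        print("billed:", row)
```

Beyond the single scenario in this paragraph, the function also reproduces the other cases on this page: two single-Region trails in different Regions bill nothing, a single-Region trail beside a multi-Region trail is billed in its one Region, and a data-event trail is billed even when it is the only trail in the account.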
