Why did my CloudTrail cost and usage increase unexpectedly?


The costs for AWS CloudTrail have increased in my AWS account, but I don't know why.

Short description

Unexpected CloudTrail cost increases usually happen because multiple trails in the same AWS Region record the same management events. To prevent this issue, verify that you correctly configured the read and write events settings for your trails. Then, identify and remove duplicate management event records.

Note: When you use trails, you can deliver one free copy of your ongoing management events to Amazon Simple Storage Service (Amazon S3). You incur charges for additional copies of management events. For more information, see AWS CloudTrail pricing. To keep copies of your CloudTrail logs in multiple Amazon S3 buckets, manually move the data between buckets to reduce cost. For more information, see How can I copy all objects from one Amazon S3 bucket to another bucket?

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Use the AWS Billing and Cost Management Console to identify duplicate CloudTrail management events records

Complete the following steps:

  1. Open the AWS Billing and Cost Management console.
  2. Choose Bills.
  3. Choose the Bill details by service tab.
  4. In AWS Services Charges, expand CloudTrail.
  5. Expand the AWS Region to view the event cost record details.
  6. Review the PaidEventsRecorded metric to identify duplicate management event records.

Note: The PaidEventsRecorded metric provides the total count and cost for all additional copies of management events in a specific Region. The DataEventsRecorded metric provides the total count and cost for data events that you activated on trails in the Region. If there are no trails with active data events in the Region, then the DataEventsRecorded metric doesn't appear.

Use Athena queries to identify duplicate CloudTrail management event records

Note: To run Athena queries on CloudTrail logs, you must create and configure a trail to send logs to an S3 bucket.

You can use Athena to view CloudTrail management events and data events that you store in your Amazon S3 bucket. For more information, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?

Remove duplicate CloudTrail management events from your account

To use the CloudTrail console to remove duplicate management events, see Updating a trail with the CloudTrail console.

To use the AWS CLI to remove duplicate management events, see Using the update-trail command to update a trail.
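Before touching any trail, it helps to see exactly which trails overlap. The script below is an added example and is not code from this AWS article: it takes trail definitions in the shape returned by `aws cloudtrail describe-trails` (with shadow trails included) merged with each trail's `aws cloudtrail get-event-selectors` output, and reports every (Region, read/write type) pair that more than one trail records. Multi-region trails are counted in every Region you list, and a trail whose selectors exclude management events is ignored. The trail list is constructed sample data, and the function names are my own; in practice you would populate the list from the two CLI calls or boto3.

```python
"""Flag trails that record the same CloudTrail management events in one Region.

Added example, not part of the AWS article. Input shapes mirror the
`aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors`
responses; SAMPLE_TRAILS is CONSTRUCTED data and the function names are mine.
"""
from collections import defaultdict

# Constructed sample: three trails in one account. "org-trail" is multi-region,
# "legacy-audit" is a single-region write-only trail, "s3-data-only" records
# only S3 data events and no management events.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    },
    {
        "Name": "legacy-audit",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-audit",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": False,
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
    },
    {
        "Name": "s3-data-only",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/s3-data-only",
        "HomeRegion": "eu-west-1",
        "IsMultiRegionTrail": False,
        "EventSelectors": [{
            "ReadWriteType": "All",
            "IncludeManagementEvents": False,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
        }],
    },
]

# ReadWriteType values from get-event-selectors mapped to the event types they cover.
READ_WRITE = {"All": {"read", "write"}, "ReadOnly": {"read"}, "WriteOnly": {"write"}}


def management_coverage(trail):
    """Return the set of management-event types ('read'/'write') a trail records."""
    covered = set()
    for selector in trail.get("EventSelectors", []):
        # A selector that omits IncludeManagementEvents is treated as True,
        # matching the default selector CloudTrail applies to a new trail.
        if selector.get("IncludeManagementEvents", True):
            covered |= READ_WRITE[selector.get("ReadWriteType", "All")]
    return covered


def trails_active_in(trail, regions):
    """Regions (from the list of interest) in which the trail delivers events."""
    if trail["IsMultiRegionTrail"]:
        return set(regions)
    return {trail["HomeRegion"]} & set(regions)


def find_duplicate_copies(trails, regions):
    """Map (region, event_type) -> trail names when more than one trail records it.

    CloudTrail bills every copy beyond the first, so each entry represents one
    free copy plus len(names) - 1 paid copies of those management events.
    """
    copies = defaultdict(list)
    for trail in trails:
        types = management_coverage(trail)
        for region in trails_active_in(trail, regions):
            for event_type in types:
                copies[(region, event_type)].append(trail["Name"])
    return {key: names for key, names in sorted(copies.items()) if len(names) > 1}


def paid_copy_summary(trails, regions):
    """Count paid (non-free) management-event copies per Region."""
    paid = defaultdict(int)
    for (region, _), names in find_duplicate_copies(trails, regions).items():
        paid[region] += len(names) - 1
    return dict(paid)


if __name__ == "__main__":
    regions = ["us-east-1", "eu-west-1"]
    for (region, event_type), names in find_duplicate_copies(SAMPLE_TRAILS, regions).items():
        print(f"{region} {event_type:5s} recorded by {len(names)} trails: {', '.join(names)}")
    print("paid copies per Region:", paid_copy_summary(SAMPLE_TRAILS, regions))
```

With the sample data, only write events in us-east-1 are recorded twice (by org-trail and legacy-audit), so that Region carries one paid copy; the read events are covered once and the data-only trail adds nothing. The per-Region total is what you would expect to line up with the PaidEventsRecorded usage type on the bill. Once you know which trail is the extra copy, narrow or remove it with the console or CLI steps the article links to; the check does not change any trail itself.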

Monitor your CloudTrail charges

To monitor your estimated and ongoing CloudTrail charges, use Amazon CloudWatch billing alarms or AWS Budgets.

Related information

Quotas in AWS CloudTrail

Analyze security, compliance, and operational activity using AWS CloudTrail and Amazon Athena

AWS OFFICIAL, updated 11 days ago
1 Comment

Line reads: "To remove duplicate CloudTrail management events from you AWS account" and should read "To remove duplicate CloudTrail management events from your AWS account"

replied 4 months ago