Why did my CloudTrail cost and usage increase unexpectedly?
3 minute read
I'm seeing an unexpected increase in cost for AWS CloudTrail in my AWS account. How do I determine what's causing the cost increase?
Unexpected CloudTrail cost increases usually occur when multiple trails in the same AWS Region record the same management events. To prevent CloudTrail from logging duplicate management events, verify that your trails' Read and Write events settings are configured correctly. For more information, see Trail configuration.
Note: You can deliver one copy of your ongoing management events to Amazon Simple Storage Service (Amazon S3) for free by creating trails. Additional copies of management events incur a charge. For more information, see AWS CloudTrail pricing. To keep copies of your CloudTrail logs in multiple Amazon S3 buckets, you can manually move the data between buckets to reduce cost. For instructions, see How can I copy all objects from one Amazon S3 bucket to another bucket?
Expand the AWS Region to view the event cost record details. Then, review the PaidEventsRecorded metric to identify duplicate management event records.
Note: The PaidEventsRecorded metric provides the total count and cost for all additional copies of management events recorded in a specific Region. The DataEventsRecorded metric provides the total count and cost for data events activated on trails in that Region. If the Region has no trails with data events activated, then the DataEventsRecorded metric doesn't appear.
To identify duplicate CloudTrail management event records using Athena queries
Note: To run Athena queries on CloudTrail logs, you must have a trail created and configured to send logs to an S3 bucket. For more information, see Creating a trail.
You can use Athena to view CloudTrail management events (and data events) stored in your Amazon S3 bucket.