
How do I identify and reduce unexpected CloudWatch charges across Regions?


I see unexpected charges for Amazon CloudWatch that include charges for Amazon Simple Storage Service (Amazon S3) egress and API calls across multiple AWS Regions.

Short description

The CloudWatch charges that you see in Cost Explorer are based on the resources and APIs that you use. The charges can include the following:

  • High Amazon S3 egress costs in specific Regions
  • API charges across Regions such as GetMetricData, PutMetricData, and ListMetrics
  • Charges in Regions where you don't have active resources

Resolution

Identify cost drivers in Cost Explorer

Complete the following steps:

  1. Open the AWS Cost Explorer console.
  2. Apply the Service = "CloudWatch" filter.
  3. Set the time range to the last 3 months to identify trends.
  4. Filter results by Usage type to identify specific charge categories such as S3 egress, API calls, and log ingestion.
    For S3 egress, choose the usage type for your Region. For example, choose USE1-S3-Egress-Bytes for the US East (N. Virginia) Region.
    For API calls, filter by the usage type that corresponds to the API call you want to investigate. For example, CW:GMD-Metrics corresponds to GetMetricData API calls, and CW:Requests corresponds to other CloudWatch API calls such as ListMetrics.
  5. Filter results by Region to identify Regions that generate the most costs.
  6. Filter results by API operation to identify API calls that have the highest costs.

Identify and analyze top API callers

Prerequisite: Confirm that you turned on data events for CloudWatch in your AWS CloudTrail trail. If you haven't turned on data events, then edit your trail. For instructions, see Updating a trail with the CloudTrail console.

To identify your AWS Identity and Access Management (IAM) roles or AWS services that make the most API calls across Regions, use Amazon Athena to query your CloudTrail logs. CloudTrail stores API activity logs as JSON files in Amazon S3. Athena lets you run SQL queries directly against the log files stored in your Amazon S3 bucket, so that you don't have to download or manually parse the raw JSON files.

To query your CloudTrail logs, complete the following steps:

  1. Create an Athena table for your CloudTrail logs.
  2. Open the Athena console.
  3. Choose Query Editor.
  4. Run the following SQL query to return the top 100 CloudWatch API callers, grouped by API name, IAM user, source IP address, and Region:

  -- Top 100 CloudWatch API callers for calendar year 2024; adjust the eventtime range to your billing period.
  SELECT
    COUNT(*) AS call_count,
    eventname AS api,
    useridentity.username AS iam_user,
    sourceipaddress AS remote_ip,
    awsregion AS region
  FROM cloudtrail_logs
  WHERE eventsource = 'monitoring.amazonaws.com'   -- CloudWatch API events only
    AND eventtime >= '2024-01-01T00:00:00Z'
    AND eventtime <= '2024-12-31T23:59:59Z'
  GROUP BY
    eventname,
    useridentity.username,
    sourceipaddress,
    awsregion
  ORDER BY call_count DESC
  LIMIT 100;

Reduce API call volume

To reduce API costs, batch PutMetricData API calls instead of sending individual calls. A single PutMetricData call can include up to 1,000 metrics and 150 data points.
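The following batching helper is an added example, not code from the article or from AWS. It merges raw samples per metric into the Values/Counts form, splits them at the 150-value limit, and groups the resulting entries into requests of at most 1,000 metrics; the boto3 client and the Example/App namespace are assumptions, and the helper only calls the API when a client is passed in.

```python
"""Batch samples into as few PutMetricData calls as the service limits allow."""
from collections import defaultdict

MAX_METRICS_PER_CALL = 1000   # PutMetricData limit: 1,000 metrics per request
MAX_VALUES_PER_METRIC = 150   # PutMetricData limit: 150 values per metric entry
# Note: each request is also capped at 1 MB; very long dimension sets may need smaller batches.


def build_metric_data(samples, unit="Count"):
    """Collapse (metric_name, dimensions_dict, value) samples into MetricData entries.

    Identical (name, dimensions) pairs are merged into one entry using the
    Values/Counts form and split into chunks of MAX_VALUES_PER_METRIC.
    """
    grouped = defaultdict(list)
    for name, dims, value in samples:
        key = (name, tuple(sorted(dims.items())))
        grouped[key].append(float(value))

    entries = []
    for (name, dims), values in grouped.items():
        for start in range(0, len(values), MAX_VALUES_PER_METRIC):
            chunk = values[start:start + MAX_VALUES_PER_METRIC]
            entries.append({
                "MetricName": name,
                "Dimensions": [{"Name": k, "Value": v} for k, v in dims],
                "Values": chunk,
                "Counts": [1.0] * len(chunk),
                "Unit": unit,
            })
    return entries


def chunk_requests(entries):
    """Split MetricData entries into lists that each fit in one PutMetricData call."""
    return [entries[i:i + MAX_METRICS_PER_CALL]
            for i in range(0, len(entries), MAX_METRICS_PER_CALL)]


def publish(samples, namespace, client=None):
    """Return the number of PutMetricData calls needed; send them only if a client is given."""
    batches = chunk_requests(build_metric_data(samples))
    if client is not None:  # e.g. boto3.client("cloudwatch", region_name="us-east-1")
        for batch in batches:
            client.put_metric_data(Namespace=namespace, MetricData=batch)
    return len(batches)


if __name__ == "__main__":
    # Constructed sample: 400 latency readings and one error for a single service.
    demo = [("Latency", {"Service": "api"}, i) for i in range(400)]
    demo.append(("Errors", {"Service": "api"}, 1))
    print("PutMetricData calls needed:", publish(demo, "Example/App"))
```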

Third-party monitoring tools often send repeated API requests to CloudWatch across all Regions by default. To reduce costs and control access to third-party monitoring tools, take the following actions:

  • Review IAM policies for integrations such as Datadog, Splunk, and New Relic.
  • Restrict access to only the necessary Regions with the aws:RequestedRegion condition key in IAM policies.
  • Configure monitoring tools to send API requests to specific Regions rather than all Regions.
  • Use CloudWatch metric streams as a cost-effective, push-based alternative to frequent API polling.

Reduce log delivery costs to S3

To reduce outbound data transfer costs from S3, review how S3 delivers and stores your logs. On your AWS bill, the costs appear under S3-Egress-Bytes.

If you don't actively use CloudWatch Vended logs for analysis, then turn off S3 server access logging to stop log delivery to S3. Then, empty the bucket.

Use log filtering to reduce the volume of data that S3 receives before delivery.

To avoid cross-Region transfer charges, deliver logs to a bucket that's in the same Region as your source. Also, review your log retention settings to confirm that you don't store duplicate logs across multiple destinations, such as both CloudWatch Logs and S3.

Set up billing alarms

Complete the following steps:

  1. Open the AWS Billing and Cost Management console.

  2. In the navigation pane, choose Billing preferences, and then turn on Receive billing alerts.

  3. Create a CloudWatch billing alarm.

    Note: When you create the alarm, set Dimension to ServiceName = CloudWatch to monitor CloudWatch charges specifically.

  4. Create a budget specifically for CloudWatch with alerts at 80%, 100%, and 120% thresholds.

Related information

Analyzing, optimizing, and reducing CloudWatch costs

How do I reduce and prevent CloudWatch charges?