AWS Cloud Financial Management

Launch: Controlling AWS CloudTrail Costs Using AWS KMS Event Filtering

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

AWS CloudTrail now lets you filter AWS KMS events out of trails that deliver management events. This new feature can help you control costs when you are logging your AWS management events using multiple trails.

This post walks through a sample CloudTrail trail configuration. Using this process, you can ensure that you are capturing all management events and are optimizing your costs when you create additional trails.

Overview

As a best practice, AWS recommends that you both encrypt your data with AWS KMS and create a CloudTrail trail. However, accounts that use AWS KMS encryption often see very high volumes of AWS KMS events in CloudTrail, because every KMS API call made on your behalf (for example, Decrypt or GenerateDataKey calls issued by other AWS services when they read or write encrypted data) is recorded. AWS KMS events are treated as management events, so this volume can have a substantial impact on your CloudTrail bill, especially if you have more than one trail capturing management events.

With KMS Event Filtering, you can enable AWS KMS events on one trail and filter them out of subsequent trails. In this scenario, CloudTrail treats all delivered AWS KMS events as free, because only one copy of those events is delivered: the first copy of management events in each region is free, and only additional copies are charged. For more information about CloudTrail's pricing, see AWS CloudTrail Pricing.

Example: Creating Your First Trail

In this step, we create the first trail in your account to capture all management events, including KMS events. Events delivered to this trail are free, because the first copy of management events within each region is delivered free of charge.

To do this, your settings should look like the screen below. Notice that Log AWS KMS Events is set to Yes, and that Apply trails to all regions is also set to Yes. The first setting ensures that this trail captures all AWS KMS events, and the second setting is a best practice that we strongly recommend for all CloudTrail customers to ensure that you capture API activity from every region for complete coverage.

(Screenshot: AWS CloudTrail Events)

Creating Your Second Trail

If you need to capture management events in subsequent trails, you can help reduce your CloudTrail costs by choosing not to log AWS KMS events in those trails. Your first trail has a copy of these events, and ensures that you have complete coverage for auditing purposes.

(Screenshot: Creating your second trail)

Viewing Your Trail Configuration

To review your trail configuration, navigate to the Trails page in CloudTrail. Your settings should resemble the screen below.

(Screenshot: Viewing your trail configuration)
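The console settings above have a direct API equivalent: the event selector on a trail that should not log KMS events carries ExcludeManagementEventSources set to kms.amazonaws.com (the same structure you pass to put-event-selectors or read back from get-event-selectors). The following is an added example, not code from the original post: it builds the two selectors from the post and audits a set of trails so that exactly one multi-region trail logs KMS events and the rest filter them out, flagging the case where no trail logs them at all (a gap in the audit record) as well as the case where more than one does (duplicate, billable delivery). The trail names and the shape of the input are taken from the post and from the describe-trails and get-event-selectors responses; the sample trail list is constructed.

```python
"""
Audit CloudTrail trails so that exactly one multi-region trail logs AWS KMS
management events and every other management-event trail filters them out.

The input mirrors `aws cloudtrail describe-trails` (Name, IsMultiRegionTrail)
combined with `aws cloudtrail get-event-selectors` (EventSelectors). The two
trails below are constructed sample data matching the post's console settings.
"""

KMS_SOURCE = "kms.amazonaws.com"


def event_selectors_for(log_kms_events: bool) -> list:
    """Basic event selector for a trail that logs all management events.

    ExcludeManagementEventSources = ["kms.amazonaws.com"] is the API
    equivalent of choosing "Log AWS KMS Events: No" in the console.
    """
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [],
        "ExcludeManagementEventSources": [] if log_kms_events else [KMS_SOURCE],
    }]


def logs_kms_events(selectors: list) -> bool:
    """True if any selector on the trail delivers KMS management events."""
    return any(
        s.get("IncludeManagementEvents", False)
        and KMS_SOURCE not in s.get("ExcludeManagementEventSources", [])
        for s in selectors
    )


def audit_trails(trails: list) -> dict:
    """Classify trails and report misconfigurations.

    `trails` is a list of dicts with keys Name, IsMultiRegionTrail and
    EventSelectors. Returns the trails that log KMS events plus findings.
    """
    kms_trails = [t["Name"] for t in trails if logs_kms_events(t["EventSelectors"])]
    findings = []
    if not kms_trails:
        # Security finding: KMS API activity is not being recorded anywhere.
        findings.append("no trail logs KMS events: KMS API activity is not recorded")
    if len(kms_trails) > 1:
        # Cost finding: the second and later copies of these events are billed.
        findings.append("KMS events delivered to more than one trail: " + ", ".join(kms_trails))
    for t in trails:
        if t["Name"] in kms_trails and not t.get("IsMultiRegionTrail", False):
            # Coverage finding: KMS calls in other regions would be missed.
            findings.append(f"{t['Name']} logs KMS events but is not multi-region")
    return {"kms_trails": kms_trails, "findings": findings}


# Constructed sample: the two trails from the post.
SAMPLE_TRAILS = [
    {"Name": "AllManagementEvents", "IsMultiRegionTrail": True,
     "EventSelectors": event_selectors_for(log_kms_events=True)},
    {"Name": "CustomTrail", "IsMultiRegionTrail": True,
     "EventSelectors": event_selectors_for(log_kms_events=False)},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_trails(SAMPLE_TRAILS), indent=2))
```

To run this against a real account, replace SAMPLE_TRAILS with the output of describe-trails merged with a get-event-selectors call per trail; the check that at least one trail still logs KMS events is the one to keep in a periodic control, because filtering KMS events out of every trail would silently drop the audit record of key usage.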

Validating Your Configuration

If your account is already using AWS KMS, you can inspect the S3 bucket that contains the trail’s logs to verify that your first trail contains KMS events and to ensure that additional trails do not contain KMS events.

In this example, I have connected each of my trails to Amazon CloudWatch Logs (see below), so that I can search quickly through the delivered events. Alternatively, you can download the gzipped log files from S3, unzip them, and search through them manually.

(Screenshot: Validating your CloudTrail configuration)

Next, I opened the AWS KMS console, created a key, and enabled that key. Enabling the key (see below) makes a call to the AWS KMS API (EnableKey), which creates a CloudTrail event. Within several minutes, the event is available in CloudWatch Logs.

(Screenshot: AWS Key Management Service)

In the next screen, notice that I am using CloudWatch Logs to search the log group I created to capture logs from the AllManagementEvents trail. You can see that I've received six AWS KMS events.

(Screenshot: Key Management Events)

Now, I'll switch to the log group for the trail that does not capture AWS KMS events, which is called CustomTrail. Running the same query returns no results, confirming that KMS events are delivered to AllManagementEvents and filtered out of CustomTrail as intended.

(Screenshot: Validate trail configuration)
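The same validation can be done against the log files CloudTrail writes to S3, which is useful when a trail is not connected to CloudWatch Logs. Each delivered object is a gzipped JSON document with a top-level Records array, and each record carries an eventSource field; KMS events have eventSource set to kms.amazonaws.com. The following is an added example, not code from the original post: it decompresses two such files, counts KMS events by eventName in each, and reports whether the first trail carries KMS events while the second carries none. The log files are built in memory from constructed records (the field names and the eventSource value are real CloudTrail fields; the event IDs, account number and timestamp are made up).

```python
"""
Inspect delivered CloudTrail log files and count AWS KMS events per trail.

CloudTrail writes each log file to S3 as a gzipped JSON document of the form
{"Records": [ ... ]}. The records below are constructed samples shaped like
real CloudTrail events; IDs, account number and timestamps are placeholders.
"""
import gzip
import json
from collections import Counter

KMS_SOURCE = "kms.amazonaws.com"


def make_log_file(records: list) -> bytes:
    """Build a gzipped CloudTrail log file in memory (stand-in for an S3 object)."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


def parse_log_file(blob: bytes) -> list:
    """Decompress a CloudTrail log file and return its Records list."""
    return json.loads(gzip.decompress(blob).decode("utf-8")).get("Records", [])


def kms_event_summary(records: list) -> Counter:
    """Count KMS events by eventName (CreateKey, EnableKey, Decrypt, ...)."""
    return Counter(
        r["eventName"] for r in records if r.get("eventSource") == KMS_SOURCE
    )


def check_trail_logs(first_trail_file: bytes, other_trail_file: bytes) -> dict:
    """Verify the post's setup: the first trail carries KMS events, the other none."""
    first = kms_event_summary(parse_log_file(first_trail_file))
    other = kms_event_summary(parse_log_file(other_trail_file))
    return {
        "first_trail_kms_events": dict(first),
        "other_trail_kms_events": dict(other),
        "ok": sum(first.values()) > 0 and sum(other.values()) == 0,
    }


def _event(source: str, name: str, event_id: str) -> dict:
    """Minimal CloudTrail record with the fields the checks above rely on."""
    return {
        "eventVersion": "1.05",
        "eventTime": "2019-01-01T00:00:00Z",   # constructed
        "eventSource": source,
        "eventName": name,
        "awsRegion": "us-east-1",
        "eventType": "AwsApiCall",
        "eventID": event_id,                    # constructed
        "recipientAccountId": "111122223333",   # placeholder account
    }


# Constructed sample records: creating and enabling a key, plus a non-KMS call.
KMS_RECORDS = [
    _event(KMS_SOURCE, "CreateKey", "evt-1"),
    _event(KMS_SOURCE, "EnableKey", "evt-2"),
    _event(KMS_SOURCE, "Decrypt", "evt-3"),
]
OTHER_RECORDS = [_event("cloudtrail.amazonaws.com", "DescribeTrails", "evt-4")]

# The first trail logs everything; the second has KMS events filtered out.
FIRST_TRAIL_FILE = make_log_file(KMS_RECORDS + OTHER_RECORDS)
SECOND_TRAIL_FILE = make_log_file(OTHER_RECORDS)

if __name__ == "__main__":
    print(json.dumps(check_trail_logs(FIRST_TRAIL_FILE, SECOND_TRAIL_FILE), indent=2))
```

Against a real bucket, feed make_log_file's place with the bytes of each downloaded object under the trail's prefix; if a trail is connected to CloudWatch Logs instead, the equivalent filter pattern on the log group is { $.eventSource = "kms.amazonaws.com" } (my suggestion, not the query shown in the post).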

Conclusion

In this post, I have demonstrated how to optimize your AWS CloudTrail configuration to help you control costs while maintaining complete log coverage. Don't forget that you can always track your CloudTrail costs in AWS Cost Explorer using the Service filtering dimension. Learn more about Cost Explorer here.

Keith Robertson

Keith Robertson is an engineering manager with the AWS CloudTrail team. While he currently resides in Seattle, he is a proud Southerner at heart. He is passionate about open water swimming, even completing Seattle's Park to Park Swim (which benefits the Emergency Patient Assistance Fund at Seattle Children's Hospital).