AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking your user activity and API usage. With CloudTrail, you can record two types of events: management events, which capture control plane actions such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets, and data events, which capture high-volume data plane actions such as reading or writing an Amazon S3 object.

Free Tier

Get started with AWS CloudTrail for free, with the AWS Free Tier.

Log and search events with Event History
AWS CloudTrail logs management events across AWS services by default. You can view, search, and download the most recent 90-day history of your account’s management events for free using CloudTrail in the AWS console or the AWS CLI Lookup API.
 
Deliver events by creating trails
Deliver one copy of your ongoing management events to Amazon S3 for free by creating trails. This lets you store S3 events for the past 90 days.

Pay only for what you use. There is no minimum fee.

Use trails to deliver additional copies of events and data events
You can create trails for a single AWS account, or for multiple AWS accounts using AWS Organizations. See pricing in the table below.

Note: If the management account has an organization trail delivering management events, the same events delivered with trails created in member accounts are charged as additional copies.
 
Identify unusual activity in your account
AWS CloudTrail Insights analyzes write management event API calls in your AWS account and detects unusual activity such as spikes in resource provisioning or gaps in periodic activity. See pricing in the table below.

Integrate with other AWS services

Trails deliver events to you in the Amazon S3 bucket that you choose and can also deliver events to Amazon CloudWatch Logs. Additionally, you can specify an Amazon Simple Notification Service (Amazon SNS) topic to receive notification of deliveries and encrypt the delivered logs using AWS Key Management Service (KMS). Standard rates for Amazon S3, Amazon CloudWatch Logs, Amazon Simple Notification Service (SNS), and AWS Key Management Service (KMS) apply.

Pricing examples

Example 1 – Delivering management events

Let’s assume you have 300,000,000 management events delivered to Amazon S3 in a month. These events include control plane actions such as creating and deleting a resource, or console log-in activity. Because you can view, search, and download the most recent 90-day history of your account’s management events for free using CloudTrail in the AWS console or the AWS CLI Lookup API, the first copy of your management events is delivered at no cost.

First copy of management events delivered @$0 = 300,000,000 * $0 = $0
Monthly CloudTrail charges = $0

Example 2 – Delivering management and data events

Let’s assume you have 300,000,000 management events and 500,000,000 data events delivered to Amazon S3 in a month. Management events capture control plane actions such as creating or deleting S3 buckets, and data events capture high-volume data plane actions such as reading or writing an Amazon S3 object.

First copy of management events delivered @$0 = 300,000,000 * $0 = $0
Data events @$0.10 per 100,000 events = 500,000,000 / 100,000 * $0.10 = $500
Monthly CloudTrail charges = $500

Example 3 – Delivering management and data events plus additional copies

Management events capture control plane actions such as creating or deleting Amazon S3 buckets, and data events capture high-volume data plane actions such as reading or writing an Amazon S3 object. Let’s assume you have the following usage in a month:

300,000,000 management events delivered
500,000,000 data events delivered
6,000,000 management events are copies across organization and account-level trails
100,000,000 data events are copies across organization and account-level trails

First copy of management events delivered @$0 = 300,000,000 * $0 = $0
Data events @$0.10 per 100,000 events = (500,000,000 + 100,000,000 additional copies of data events delivered) / 100,000 * $0.10 = $600
Copies of management events delivered @$2.00 per 100,000 events = 6,000,000 / 100,000 * $2.00 = $120
Monthly CloudTrail charges = $720

Example 4 – Identifying unusual activities with CloudTrail Insights

Management events capture control plane actions such as creating and deleting a resource, or console log-in activity. CloudTrail Insights identifies unusual activity in your AWS account such as spikes in resource provisioning and gaps in periodic maintenance activity. You can enable CloudTrail Insights across your AWS organization or individual AWS accounts in your CloudTrail trails. Let’s assume you have the following usage in a month:

300,000,000 management events delivered to S3
20,000,000 write management events analyzed by CloudTrail Insights

Cost of CloudTrail trails:
First copy of management events delivered @$0 = 300,000,000 * $0 = $0
Monthly CloudTrail trails charges = $0

Cost of CloudTrail Insights:
CloudTrail Insights events analyzed @$0.35 per 100,000 events = 20,000,000 / 100,000 * $0.35 = $70
Monthly CloudTrail Insights charges = $70
Total monthly CloudTrail charges = $70

Additional pricing resources

Managing CloudTrail Costs: Best practices to manage CloudTrail costs
AWS Cost Anomaly Detection: Mitigate unexpected AWS costs
