AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking your user activity and API usage. With CloudTrail, you can record two types of events: management events capturing control plane actions such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets, and data events capturing high-volume data plane actions such as reading or writing an Amazon S3 object. You pay only for what you use of the paid features listed below. There are no minimum fees or upfront commitments. Features that are provided at no additional charge are also listed below.

AWS Free Tier

As part of the AWS Free Tier, you can get started with some AWS CloudTrail features for free. Limits may apply.

Event history

AWS CloudTrail logs management events across AWS services by default and is available for free.

You can view, search, and download the most recent 90-day history of your account’s control plane activity for free using CloudTrail in the AWS console or the AWS CLI Lookup API.

CloudTrail Lake

AWS CloudTrail Lake is designed to be a fully managed solution for capturing, storing, accessing, and analyzing user and API activity on AWS. It is a managed data lake for audit and security information, enabling you to aggregate and immutably store your activity logs (control plane and data plane) for up to 7 years, and to query logs within seconds for search and analysis. IT auditors can use CloudTrail Lake as an immutable record of all activities to meet audit requirements. Security administrators can ensure user activity is in accordance with internal policies, and DevOps engineers can troubleshoot operational issues such as an unresponsive EC2 instance or a resource being denied access.

With CloudTrail Lake, you are charged for the volume of data that you ingest, the volume of data you scan for analysis, and data storage, if you choose to store it for longer than 7 years.

Free trial

New customers can try CloudTrail Lake for 30 days at no additional cost*. You will have access to the full feature set during this time.

* Limited to 5GB of ingestion and 5GB data scanned. Data storage included at no charge.

Pricing

Ingest & Store (price includes 7 years of storage):

First 5TB: $2.5 per GB
Next 20TB: $1 per GB
Over 25TB: $0.5 per GB

Analyze: $0.005 per GB of data scanned

Trails

AWS CloudTrail Trails enables customers to capture their account activity and deliver it to their own S3 buckets for storage.

Customers can use their own third-party or other solutions for searching and analyzing logs captured by CloudTrail. Customers can create trails for a single AWS account, or for multiple AWS accounts using AWS Organizations. See pricing in the table below.

Note: If the management account has an organization trail delivering management events, the same events delivered with trails created in member accounts are charged as additional copies.
Identify unusual activity in your account
AWS CloudTrail Insights analyzes write management event API calls in your AWS account and detects unusual activity such as spikes in resource provisioning or gaps in periodic activity.

Free

You can deliver one copy of your ongoing management events to Amazon S3 for free by creating trails. This lets you store events in S3 for the past 90 days.

Pay only for what you use. There is no minimum fee.

Deliver additional copies of management events and data events by using trails
You can deliver additional copies of events, including data events, using trails. See pricing in the table below.

Pricing

Integrate with other AWS services

Trails deliver events to you in the Amazon S3 bucket that you choose and can optionally deliver events to Amazon CloudWatch Logs. You can also specify an Amazon SNS topic to get notified of deliveries and encrypt the delivered logs using AWS Key Management Service (KMS). Standard rates for Amazon S3, Amazon CloudWatch Logs, Amazon Simple Notification Service (SNS), and AWS Key Management Service (KMS) apply.

Pricing examples

Example 1: Recording and analyzing events using CloudTrail Lake

Let’s assume you have 10GB of events (2GB of control plane activity and 8GB of data plane activity) ingested to CloudTrail Lake in a given month in your account. Assume you designed your queries to scan this data twice in that month.

Monthly Ingestion & Storage charges: 10GB @ $2.5 per GB = $25
Monthly Data Scanned: 10GB scanned two times @ $0.005 per GB = $0.1
Monthly CloudTrail Lake charges: $25 + $0.1 = $25.1

Example 2: Recording and analyzing events using CloudTrail Lake

Let’s assume you have 50TB of events (20TB of control plane activity and 30TB of data plane activity) ingested to CloudTrail Lake in a given month in your account. Assume you designed your queries to scan this data twice in that month.

Monthly Ingestion & Storage charges = $46,080

First 5TB @ $2.5 per GB = $12,800
Next 20TB @ $1 per GB = $20,480
Next 25TB @ $0.5 per GB = $12,800

Monthly Data Scanned
50TB scanned two times @ $0.005 per GB = $512

Monthly CloudTrail Lake charges = $46,080 + $512 = $46,592

Example 3: Delivering management events via Trails

Let’s assume you have 3B management events delivered to S3 in a given month.

First copy of management events delivered @$0 = 3,000,000,000 * $0 = $0
Monthly CloudTrail charges = $0

You pay for storage and analysis separately.

Example 4: Delivering management and data events plus additional copies via Trails

Let’s assume you have the following usage in a given month:

5B management events delivered
10B data events delivered
2.5B management events are copies across organization and account-level trails
5B data events are copies across organization and account-level trails

First copy of management events delivered @$0 = 3B * $0 = $0
Data events @$0.10 per 100,000 events = (10B + 5B additional copies of data events delivered) / 100,000 * $0.10 = $15,000
Copies of management events delivered @$2.00 per 100,000 events = 2.5B / 100,000 * $2.00 = $50,000
Monthly CloudTrail charges = $65,000

You pay for storage and analysis separately.

Example 5: Identifying unusual activities with CloudTrail Insights

Let’s assume you have the following usage in a given month:

300,000,000 management events delivered to S3
20,000,000 write management events analyzed by CloudTrail Insights

Cost of CloudTrail trails:
First copy of management events delivered @$0 = 300,000,000 * $0 = $0
Monthly CloudTrail trails charges = $0

Cost of CloudTrail Insights:
CloudTrail Insights events analyzed @$0.35 per 100,000 events = 20,000,000 / 100,000 * $0.35 = $70
Monthly CloudTrail Insights charges = $70
Total monthly CloudTrail charges = $70

Additional pricing resources

Managing CloudTrail Costs: Best practices to manage CloudTrail costs
AWS Cost Anomaly Detection: Mitigate unexpected AWS costs
