Why did my CloudTrail cost and usage increase unexpectedly?

Last updated: 2022-01-19

I'm seeing an unexpected increase in cost for AWS CloudTrail in my AWS account. How do I determine what's causing the cost increase?

Short description

Unexpected CloudTrail cost increases usually occur when multiple trails in the same AWS Region record the same management events. A multi-Region trail (or an organization trail) records management events in every Region, so a second trail in any of those Regions whose Read and Write events settings overlap with it produces a paid copy. To prevent CloudTrail from logging duplicate management events, verify that your trails' Read and Write events settings are configured correctly. For more information, see Trail configuration.

To identify duplicate management event records, you can use the AWS Billing and Cost Management console or Amazon Athena queries.

To remove duplicate management event records, you can use the CloudTrail console or the AWS Command Line Interface (AWS CLI).

To monitor your estimated and ongoing CloudTrail charges, you can use the following:

Note: You can deliver one copy of your ongoing management events to Amazon Simple Storage Service (Amazon S3) for free by creating a trail. Additional copies of management events incur a charge. For more information, see AWS CloudTrail pricing. If you need copies of your CloudTrail logs in multiple Amazon S3 buckets, copy the log objects between buckets yourself instead of creating a second trail, which reduces cost. For instructions, see How can I copy all objects from one Amazon S3 bucket to another bucket?

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

To identify duplicate CloudTrail management event records using the AWS Billing and Cost Management console

  1. Open the AWS Billing and Cost Management console. Then, choose Bills.
  2. Choose the Bill details by service tab.
  3. In AWS Services Charges, expand CloudTrail.
  4. Expand the AWS Region to view the event cost record details. Then, review the PaidEventsRecorded metric to identify duplicate management event records.

Note: The PaidEventsRecorded metric provides the total count and cost for all additional copies of management events recorded in a specific Region. The DataEventsRecorded metric provides the total count and cost for data events activated on trails in that Region. If the Region has no trails with data events activated, then the DataEventsRecorded metric doesn't appear.

To identify duplicate CloudTrail management event records using Athena queries

Note: To run Athena queries on CloudTrail logs, you must have a trail created and configured to send logs to an S3 bucket. For more information, see Creating a trail.

You can use Athena to view CloudTrail management events (and data events) stored in your Amazon S3 bucket.

For instructions, see How do I automatically create tables in Athena to search through CloudTrail logs? and Creating the table for CloudTrail logs in Athena using manual partitioning.

To remove duplicate CloudTrail management events from your AWS account

To remove duplicate management events using the CloudTrail console, follow the instructions in Updating a trail.

To remove duplicate management events using the AWS CLI, follow the instructions in Using update-trail.
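The billing and Athena steps above show that duplicate management events were recorded; the following script finds the configuration that causes them and prints the AWS CLI commands that would stop the extra copy. It is an added example, not part of this AWS article or of any AWS tool. The two dictionaries are constructed samples shaped like `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors` output; in practice you would load the real JSON. It assumes basic event selectors (advanced event selectors are not parsed), assumes each trail appears once in the list (run `describe-trails` with `--no-include-shadow-trails`, or dedupe by `TrailARN`), and treats the `ENABLED_REGIONS` list as the Regions enabled in the account.

```python
"""Detect trails that record the same management events in the same Region
and print the AWS CLI commands that would stop the duplicate copy.

Added example, not part of the AWS article. The two dicts below are
constructed samples shaped like `aws cloudtrail describe-trails` and
`aws cloudtrail get-event-selectors` output (basic event selectors only).
"""
import json
from itertools import combinations

# Regions enabled in the account (assumption for the sample).
ENABLED_REGIONS = ["us-east-1", "eu-west-1"]

# Constructed sample: trimmed `describe-trails` output.
DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
        {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
        {"Name": "eu-data-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
    ]
}

# Constructed sample: `get-event-selectors --trail-name <Name>` per trail.
EVENT_SELECTORS = {
    "org-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}],
    "legacy-trail": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}],
    "eu-data-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": False,
                       "DataResources": [{"Type": "AWS::S3::Object",
                                          "Values": ["arn:aws:s3:::example-bucket/"]}]}],
}

READ_TYPES = {"ReadOnly", "All"}
WRITE_TYPES = {"WriteOnly", "All"}


def management_coverage(selectors):
    """Return the management event classes ({'read', 'write'}) a trail records."""
    covered = set()
    for sel in selectors:
        if not sel.get("IncludeManagementEvents", True):
            continue  # data-event-only selector: records no management events
        rw = sel.get("ReadWriteType", "All")
        if rw in READ_TYPES:
            covered.add("read")
        if rw in WRITE_TYPES:
            covered.add("write")
    return covered


def regions_for(trail, enabled_regions):
    """A multi-Region trail records management events in every enabled Region."""
    return set(enabled_regions) if trail.get("IsMultiRegionTrail") else {trail["HomeRegion"]}


def find_duplicates(trails, selectors_by_name, enabled_regions):
    """Return {region: [(trail_a, trail_b, overlapping classes), ...]}.

    Two trails duplicate each other in a Region when both record management
    events there and their Read/Write settings overlap: All vs WriteOnly both
    record write events, while ReadOnly vs WriteOnly do not overlap.
    """
    per_region = {}
    for t in trails["trailList"]:
        covered = management_coverage(selectors_by_name.get(t["Name"], []))
        if not covered:
            continue
        for region in regions_for(t, enabled_regions):
            per_region.setdefault(region, []).append((t["Name"], covered))
    duplicates = {}
    for region, entries in per_region.items():
        for (a, cov_a), (b, cov_b) in combinations(entries, 2):
            overlap = cov_a & cov_b
            if overlap:
                duplicates.setdefault(region, []).append((a, b, overlap))
    return duplicates


def remediation_commands(duplicates, trails, selectors_by_name):
    """Suggest one put-event-selectors call per extra trail that switches its
    management events off while keeping its existing data-event selectors.
    A multi-Region trail is kept in preference to a single-Region one; review
    the choice before running, since which copy is 'extra' is a judgement call.
    """
    multi = {t["Name"] for t in trails["trailList"] if t.get("IsMultiRegionTrail")}
    commands, handled = [], set()
    for region, pairs in sorted(duplicates.items()):
        for a, b, _ in pairs:
            extra = a if (b in multi and a not in multi) else b
            if extra in handled:
                continue
            handled.add(extra)
            new_selectors = [dict(sel, IncludeManagementEvents=False)
                             for sel in selectors_by_name.get(extra, [])] or \
                            [{"ReadWriteType": "All", "IncludeManagementEvents": False}]
            commands.append(
                f"# {region}: {a} and {b} both record management events\n"
                f"aws cloudtrail put-event-selectors --trail-name {extra} "
                f"--event-selectors '{json.dumps(new_selectors)}'"
            )
    return commands


if __name__ == "__main__":
    dupes = find_duplicates(DESCRIBE_TRAILS, EVENT_SELECTORS, ENABLED_REGIONS)
    for region, pairs in dupes.items():
        for a, b, overlap in pairs:
            print(f"{region}: {a} and {b} both record {sorted(overlap)} management events")
    print("\n".join(remediation_commands(dupes, DESCRIBE_TRAILS, EVENT_SELECTORS)))
```

With the sample data the script reports that `org-trail` and `legacy-trail` both record write management events in us-east-1 (the eu-west-1 trail records only S3 data events, so it costs under DataEventsRecorded, not PaidEventsRecorded) and prints a `put-event-selectors` command for `legacy-trail`. If you would rather keep the single-Region trail, the alternative is `update-trail --no-is-multi-region-trail` on the multi-Region trail, as described in Using update-trail.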