Why did my CloudTrail cost and usage increase unexpectedly?

Last updated: 2019-10-23

I want to understand why my account had an unexpected increase in costs for the AWS CloudTrail service.  

Short Description

CloudTrail records management event history for the last 90 days by default, free of charge for the first copy per Region. Additional copies of management events are charged. Your CloudTrail service costs can increase unexpectedly if you have duplicate management events. You can use the AWS Management Console, Amazon Athena queries, and Amazon CloudWatch billing alarms to help you manage cost and find duplicate management events.

Resolution

Search for and remove duplicate management events, run Athena queries to track cost, and set up CloudWatch billing alarms.

Identify and remove duplicate CloudTrail management events by Region

If you create multiple trails in the same Region, you can have duplicate management events. For example, you create your first trail, ExampleTrail1, with management events Read/Write set to All. CloudTrail logs all management events for ExampleTrail1 for free. Then, you create another trail, ExampleTrail2, in the same Region with management events Read/Write set to Read-only. CloudTrail delivers duplicate management read events to the S3 bucket configured for ExampleTrail2, because ExampleTrail1 already delivered all events. However, if ExampleTrail1 management events Read/Write is set to Read-only and ExampleTrail2 management events Read/Write is set to Write-only, then no duplicate events occur.
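The following script is an added example (not AWS's own tooling) that applies the rule above to a set of trail configurations: for every Region, it lists which trails record read and write management events and counts each copy beyond the first as a billable duplicate. It assumes input shaped like the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors` (fields `Name`, `HomeRegion`, `IsMultiRegionTrail`, and `EventSelectors[].ReadWriteType` / `IncludeManagementEvents`); the sample trails and Region list are constructed for the example, and a multi-Region trail is treated as covering every Region in that list.

```python
"""Flag management-event copies that CloudTrail bills as duplicates.

Added example. Input shape follows `describe-trails` + `get-event-selectors`
(assumption: the same field names as the AWS CLI output).
"""
from collections import defaultdict

# Constructed sample: the two trails from the article plus one multi-Region trail.
SAMPLE_TRAILS = [
    {"Name": "ExampleTrail1", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    {"Name": "ExampleTrail2", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True}]},
    {"Name": "OrgAuditTrail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
]

# Constructed Region list; in practice take it from `aws ec2 describe-regions`.
ALL_REGIONS = ["us-east-1", "eu-west-1"]

# ReadWriteType -> which management event types the selector records.
COVERAGE = {"All": {"read", "write"}, "ReadOnly": {"read"}, "WriteOnly": {"write"}}


def management_coverage(trail):
    """Return the set of management event types ('read'/'write') this trail records."""
    covered = set()
    for selector in trail.get("EventSelectors", []):
        # CloudTrail includes management events unless explicitly disabled.
        if selector.get("IncludeManagementEvents", True):
            covered |= COVERAGE.get(selector.get("ReadWriteType", "All"), set())
    return covered


def trail_regions(trail, all_regions):
    """A multi-Region trail records in every Region; otherwise only its home Region."""
    return list(all_regions) if trail.get("IsMultiRegionTrail") else [trail["HomeRegion"]]


def duplicate_copies(trails, all_regions):
    """Map (region, event_type) -> names of trails recording it, keeping only overlaps."""
    recorders = defaultdict(list)
    for trail in trails:
        for region in trail_regions(trail, all_regions):
            for event_type in management_coverage(trail):
                recorders[(region, event_type)].append(trail["Name"])
    return {key: names for key, names in recorders.items() if len(names) > 1}


def paid_copy_count(trails, all_regions):
    """Billable copies: every recorder beyond the first for a (region, type) pair."""
    return sum(len(names) - 1 for names in duplicate_copies(trails, all_regions).values())


if __name__ == "__main__":
    for (region, kind), names in sorted(duplicate_copies(SAMPLE_TRAILS, ALL_REGIONS).items()):
        print(f"{region} {kind} management events recorded by {len(names)} trails: {', '.join(names)}")
    print("paid copies:", paid_copy_count(SAMPLE_TRAILS, ALL_REGIONS))
```

With the sample data, us-east-1 read events are recorded by both ExampleTrail1 and ExampleTrail2, and us-east-1 write events by ExampleTrail1 and the multi-Region trail, so two copies are billable; changing the selectors so that each event type has a single recorder in each Region brings the count to zero.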

  1. Open the AWS Billing and Cost Management console, and then choose Bills.
  2. Choose the Bill details by service tab.
  3. In AWS Services Charges, expand CloudTrail.
  4. Expand the Region to view the event cost record details.

DataEventsRecorded - The total events count and costs for data events enabled on trails in that Region. If you have all S3 and Lambda resources selected, these costs can be high because data events are often high-volume activities. If you see unexpected charges, you can update the S3 and AWS Lambda resources for data events enabled in that Region.
Note: If the Region has no trails with data events enabled, then this section doesn't appear.

FreeEventsRecorded - The total count and costs for the first copy of management events enabled on trails in that Region. The charges in this section are always $0.00.

PaidEventsRecorded - The total count and costs for additional event copies after the first free copy of management events enabled on trails in that Region. The costs are due to duplicate events delivered on multiple trails. You can move data from one S3 bucket to another to reduce costs. For instructions, see How can I copy objects between Amazon S3 buckets?

To remove duplicate management events using the AWS Management Console, follow the instructions for Updating a Trail.

To remove duplicate management events using the AWS Command Line Interface (AWS CLI), see Using update-trail.

For more information about pricing, see AWS CloudTrail pricing.

Run Athena queries

You can use Athena to run queries to identify CloudTrail monthly cost increases. For more information, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?

Note: You must have a trail enabled to log to an S3 bucket.
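The following is an added example (not from the article) of the kind of query and check that make a monthly increase visible: an Athena statement that counts events per month, Region and read/write type, and a Python function that runs the same aggregation locally over raw CloudTrail log records for offline use. The Athena statement assumes the table name and column names (`cloudtrail_logs`, `eventtime`, `awsregion`, `readonly`) from the AWS-documented CloudTrail table layout; the log records are constructed for the example.

```python
"""Count CloudTrail events per month, Region and read/write type so that
month-over-month growth stands out.

Added example. Table and column names in the Athena query are assumptions
matching the documented CloudTrail table layout.
"""
import json
from collections import Counter, defaultdict

# Assumed table/column names; adjust to your Athena table definition.
ATHENA_MONTHLY_QUERY = """
SELECT substr(eventtime, 1, 7) AS month,
       awsregion,
       readonly,
       count(*) AS events
FROM cloudtrail_logs
GROUP BY substr(eventtime, 1, 7), awsregion, readonly
ORDER BY month, awsregion, readonly
"""

# Constructed sample in the CloudTrail delivery format (a "Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-08-03T10:00:00Z", "awsRegion": "us-east-1", "readOnly": True, "eventName": "DescribeInstances"},
    {"eventTime": "2019-08-20T11:00:00Z", "awsRegion": "us-east-1", "readOnly": False, "eventName": "RunInstances"},
    {"eventTime": "2019-09-01T09:00:00Z", "awsRegion": "us-east-1", "readOnly": True, "eventName": "ListBuckets"},
    {"eventTime": "2019-09-02T09:05:00Z", "awsRegion": "us-east-1", "readOnly": True, "eventName": "ListBuckets"},
    {"eventTime": "2019-09-15T12:00:00Z", "awsRegion": "us-east-1", "readOnly": True, "eventName": "GetBucketAcl"},
    {"eventTime": "2019-09-16T12:00:00Z", "awsRegion": "eu-west-1", "readOnly": False, "eventName": "CreateBucket"},
]})


def monthly_event_counts(log_json):
    """Local equivalent of ATHENA_MONTHLY_QUERY: (month, region, kind) -> event count."""
    counts = Counter()
    for rec in json.loads(log_json)["Records"]:
        month = rec["eventTime"][:7]          # "YYYY-MM" from the ISO timestamp
        kind = "read" if rec.get("readOnly") else "write"
        counts[(month, rec["awsRegion"], kind)] += 1
    return counts


def month_over_month(counts):
    """Group counts by (region, kind) into ordered rows (month, count, change vs previous)."""
    series = defaultdict(dict)
    for (month, region, kind), n in counts.items():
        series[(region, kind)][month] = n
    result = {}
    for key, by_month in series.items():
        rows, prev = [], None
        for month in sorted(by_month):
            n = by_month[month]
            rows.append((month, n, None if prev is None else n - prev))
            prev = n
        result[key] = rows
    return result


if __name__ == "__main__":
    for key, rows in sorted(month_over_month(monthly_event_counts(SAMPLE_LOG)).items()):
        for month, n, change in rows:
            print(f"{key[0]} {key[1]:5} {month}: {n} events (change {change})")
```

In the sample, read events in us-east-1 go from 1 in August to 3 in September; on real data a jump like that in one Region and one event type is where to look first for a second trail recording the same events.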

Set up AWS Billing Alarms

You can monitor your estimated AWS charges by using CloudWatch to create a billing alarm. The billing alarm triggers if your account billing exceeds the threshold you specify. For instructions, see Creating a Billing Alarm to Monitor Your Estimated AWS Charges.