
Lowering AWS CloudTrail Costs by Removing Redundant Trails

Redundant trails can inflate how much your organization has to spend for AWS CloudTrail. In this post, we'll show you how to find and remove unneeded trails.


AWS CloudTrail lets developers enforce policies for compliance, governance, and auditing of their AWS account. It also logs, monitors, and stores the activity around actions taken on your AWS resources. The service is active from the moment you set up your AWS account, and while it gives you real-time visibility into activity, it also adds to your AWS costs.

To keep costs from rising faster than you need to, you can start cleaning up by finding and eliminating redundant trails.

How Redundant Trails Impact Your AWS Account

When multiple trails record the same management events in an AWS region, your CloudTrail expenses increase. Avoid spending more than you need to by reviewing your settings to ensure that CloudTrail isn't logging unnecessary copies of management events.

The first copy of management events for each account is free. After that, any additional trails that deliver the same events to other destinations result in new CloudTrail charges. Sometimes this is what you want, for example when different groups need their own copies of the log files.

Finding Redundant Trails in AWS

The following applies if you have multiple single-region trails set up within your AWS account:

  1. To get a listing of all tracked Amazon CloudTrail trails, run this command:

     aws cloudtrail describe-trails

  2. Look at the command output to find the configuration information for every selected region.
  3. If you see the attribute IncludeGlobalServiceEvents set to true, you're also recording global events for that region.
  4. Change the region with the "--region" command parameter, then repeat steps 1 through 3 to see whether more than one regional trail is recording global service events.

If you find duplicates, you can adjust the trails through the AWS CLI.

  1. Run the "aws cloudtrail update-trail" command with the name of the trail, the "--region" it belongs to, and the parameters to adjust:

     aws cloudtrail update-trail --region us-west-2 --name cc-test-trail

  2. To stop the trail from recording global service events, add this parameter to the command:

     --no-include-global-service-events

  3. To turn off multi-region tracking, add this parameter to the command:

     --no-is-multi-region-trail

You should see the changes reflected in the metadata output. Repeat the steps for each region you wish to adjust.
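The region-by-region review above is tedious to do by hand. The following added example (not code from the original post or from Blink) consumes the JSON that "aws cloudtrail describe-trails --region <r>" prints for each region, reports the trails that duplicate global service events, and renders the matching "update-trail" command for review. The sample output, account id and trail names are constructed placeholders.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails --region <r>` output for two
# regions; trail names are placeholders, not real resources. Multi-region trails
# appear in every region's listing, with HomeRegion set to where they were created.
SAMPLE_OUTPUT = {
    "us-west-2": json.dumps({"trailList": [
        {"Name": "cc-test-trail", "HomeRegion": "us-west-2",
         "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": False},
        {"Name": "org-trail", "HomeRegion": "us-east-1",
         "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True},
    ]}),
    "us-east-1": json.dumps({"trailList": [
        {"Name": "org-trail", "HomeRegion": "us-east-1",
         "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True},
        {"Name": "east-only", "HomeRegion": "us-east-1",
         "IncludeGlobalServiceEvents": False, "IsMultiRegionTrail": False},
    ]}),
}

def global_event_trails(describe_json):
    """Names of trails in one region's output that record global service events."""
    trails = json.loads(describe_json).get("trailList", [])
    return sorted(t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents"))

def find_redundant(outputs):
    """Return {region: [trail names]} where global service events are recorded by
    more than one trail. A multi-region trail already covers every region, so each
    single-region trail homed there is an extra copy; with only single-region
    trails, keep the first (alphabetically) and report the rest."""
    redundant = {}
    for region, raw in outputs.items():
        trails = [t for t in json.loads(raw).get("trailList", [])
                  if t.get("IncludeGlobalServiceEvents")]
        if len(trails) < 2:
            continue  # a single copy is the free one; nothing to trim
        local = sorted(t["Name"] for t in trails
                       if not t.get("IsMultiRegionTrail") and t.get("HomeRegion") == region)
        covered_by_multi = any(t.get("IsMultiRegionTrail") for t in trails)
        extra = local if covered_by_multi else local[1:]
        if extra:
            redundant[region] = extra
    return redundant

def remediation_commands(redundant):
    """Render (not run) the update-trail command from the post for each extra trail."""
    return [f"aws cloudtrail update-trail --region {r} --name {n} --no-include-global-service-events"
            for r, names in sorted(redundant.items()) for n in names]

if __name__ == "__main__":
    print("\n".join(remediation_commands(find_redundant(SAMPLE_OUTPUT))))
```

Review the printed commands before running them: a second copy may be intentional when another team needs its own log delivery.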

Going Further to Reduce Log Volume in CloudTrail

You can also limit the number of events that get logged to your trail. These are a couple of high-volume exclusions you can set up to reduce costs:

  1. Go to the “Create trail” or “Update trail” page from your management dashboard.
  2. Select “Exclude AWS KMS events” to filter out AWS Key Management Service (KMS) events.
  3. Select "Exclude Amazon RDS Data API Events" to filter out Amazon RDS Data API events.

Please note that you can only filter out events if you set up your trail to log management events.

Streamline CloudTrail Tracking with Blink

If you are running AWS CloudTrail trails in multiple regions, running these checks and updates on a regular basis by hand can be impractical or inefficient.

When you create a free Blink account, you can schedule these resource checks to run automatically using pre-built automations.

Get started and create your free Blink account today.
