Lowering AWS CloudTrail Costs by Removing Redundant Trails

Redundant trails can inflate how much your organization has to spend for AWS CloudTrail. In this post, we'll show you how to find and remove unneeded trails.

Patrick Londa
Apr 28, 2022 · 5 min read

AWS CloudTrail lets you enforce compliance, governance, and auditing policies for your AWS account by logging, monitoring, and retaining a record of the actions taken against your AWS resources. The service is active from the moment you set up your AWS account, and while it gives you real-time visibility into account activity, it also means higher AWS costs.

To keep costs from rising faster than you need to, you can start cleaning up by finding and eliminating redundant trails.


How Redundant Trails Impact Your AWS Account

When you have multiple trails recording the same management events in an AWS region, your CloudTrail expenses will increase. Avoid spending more money than you need to by looking at your settings to ensure that CloudTrail isn’t logging unnecessary copies of management events.

The first copy of management events for each account is free. Any additional trail that delivers the same events to another destination incurs new CloudTrail charges. Sometimes that is what you want, for example when different teams each need their own copy of the log files.

Finding Redundant Trails in AWS

The following applies if you have multiple single-region trails set up within your AWS account:

  1. To get a listing of all the CloudTrail trails in the current region, run this command:
     aws cloudtrail describe-trails
  2. Look at the command output to find the configuration information for each trail in the selected region.
  3. If you see the attribute IncludeGlobalServiceEvents set to true, that trail is also recording global service events from that region.
  4. Change the region with the "--region" command parameter, then repeat steps 1 to 3 to see whether more than one regional trail is recording global service events.

If you find duplicates, you can adjust the trails through the AWS CLI.

  1. Run the "aws cloudtrail update-trail" command with the region and the name of the trail to adjust, followed by the parameters to change:
     aws cloudtrail update-trail --region us-west-2 --name cc-test-trail
  2. To stop the trail from recording global service events, add the parameter:
     --no-include-global-service-events
  3. To turn off multi-region logging for the trail, add the parameter:
     --no-is-multi-region-trail

You should see the changes reflected in the metadata output. Repeat the steps for each region you wish to adjust.
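To turn the two procedures above into one repeatable check, here is an added example (not code from the post or from Blink) that reads the per-region output of describe-trails and flags both kinds of duplication, then builds the update-trail commands for the trails to change. It assumes each region was queried with `aws cloudtrail describe-trails --region <region> --no-include-shadow-trails`, so every trail appears once under its home region; the sample output embedded below is constructed.

```python
# Constructed sample of per-region describe-trails output, trimmed to the fields this
# check reads. Trail names are made up except cc-test-trail, which the post uses.
SAMPLE_DESCRIBE_TRAILS = {
    "us-east-1": {"trailList": [
        {"Name": "all-regions", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True},
        {"Name": "legacy-east", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
    ]},
    "us-west-2": {"trailList": [
        {"Name": "cc-test-trail", "HomeRegion": "us-west-2",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
    ]},
    "eu-west-1": {"trailList": []},
}


def all_trails(describe_by_region):
    """Flatten the per-region output into one list of trail dicts."""
    return [t for out in describe_by_region.values() for t in out["trailList"]]


def find_redundant_trails(describe_by_region):
    """Return {"regional": {region: [names]}, "global": [names]}. A region is redundant
    when more than one trail records it (its own trails plus every multi-region trail);
    global service events are redundant when more than one trail has the flag set."""
    multi = {t["Name"] for t in all_trails(describe_by_region) if t["IsMultiRegionTrail"]}
    regional = {}
    for region, out in describe_by_region.items():
        covering = sorted({t["Name"] for t in out["trailList"]} | multi)
        if len(covering) > 1:
            regional[region] = covering
    with_global = sorted(t["Name"] for t in all_trails(describe_by_region)
                         if t["IncludeGlobalServiceEvents"])
    return {"regional": regional, "global": with_global if len(with_global) > 1 else []}


def remediation_commands(describe_by_region):
    """Build the post's update-trail command for each trail duplicating global service
    events, keeping one of them (a multi-region trail if there is one)."""
    found = find_redundant_trails(describe_by_region)
    by_name = {t["Name"]: t for t in all_trails(describe_by_region)}
    keep = next((n for n in found["global"] if by_name[n]["IsMultiRegionTrail"]),
                found["global"][0] if found["global"] else None)
    return [f"aws cloudtrail update-trail --region {by_name[n]['HomeRegion']} "
            f"--name {n} --no-include-global-service-events"
            for n in found["global"] if n != keep]
```

Review the suggested commands before running them: the trail kept as the single source of global service events must actually deliver to the destination your auditors rely on.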

Going Further to Reduce Log Volume in CloudTrail

You can also limit the number of events that get logged to your trail. Here are a couple of high-volume exclusions you can configure to reduce costs:

  1. Go to the “Create trail” or “Update trail” page from your management dashboard.
  2. Select “Exclude AWS KMS events” to filter out AWS Key Management Service (KMS) events.
  3. Select "Exclude Amazon RDS Data API events" to filter out Amazon RDS Data API events.

Note that these exclusions are only available if your trail is configured to log management events.

Streamline CloudTrail Tracking with Blink

If you are running CloudTrail trails in multiple regions, running these checks and updates by hand on a regular basis can be impractical and inefficient.

With Blink, you can run this check with an automation like this one:

Blink Automation: AWS Redundant CloudTrail Detection

This automation is available in the Blink library. When it runs, it does the following steps:

  1. Checks for redundant global trails.
  2. Checks for redundant regional trails.
  3. Sends a report of the redundant trails via email.

This simple automation is easy to customize. Run it on a schedule or send the report via Slack or Teams.

There are over 5K automations in the Blink library to choose from, or you can build your own to match your unique needs.

Get started with Blink today and see how easy automation can be.
