
I'm responsible for two AWS accounts where a web service is run in two different environments. I'm now trying to have a look at cutting costs, and I'm a bit confused as to how to make sense of the CloudTrail costs, i.e., break it down into different categories etc, and also if there are some common pitfalls when it comes to high CloudTrail costs.

For example, my company's security department is running some monitoring SW in my accounts - both internal like GuardDuty and external, and I think these tools are responsible for a lot of this cost. I'd like to be able to chart down exactly which of these costs are attributed to tools that I am in no control of (and consequently which I may be able to reduce), and which are due to infrastructure I'm responsible for. Right now, CloudTrail costs are the single highest item, and I think it seems odd that we're paying more for it than what our combined cost is for EC2 + Lambda + DynamoDB + S3.

When looking at the CloudTrail event stream itself, most events don't hold that much information useful for me to understand why this event is sent or to group them in a bar chart by "monitoring tool" vs "normal operation". There's basically an event source and a user name. At a glance, a large portion of events seem to be CreateLogStream and UpdateInstanceInformation, which are likely due to normal operation of some of the services?

If it turns out simple events such as CreateLogStream are costing thousands of dollars, how should I attack this problem? Is it possible to manually disable certain CloudTrail events? Is there a best practice as to what events are important and which are not? I mean, I never use CloudTrail for anything during normal operation, but it feels nice to have it in case something nasty happens.

JHH
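One way to do the grouping the question asks for (events split into "monitoring tool" vs "normal operation" by event source, event name and calling principal), as an added example that is not part of the original question and not AWS code. The records are a constructed sample in the CloudTrail record format (the same field names appear in the event history and in the gzipped log files a trail delivers to S3); the role-name markers used to recognise the security team's tooling are assumptions, to be replaced with the principals that actually show up in your event history.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of CloudTrail event-history records. The field names follow
# the CloudTrail record format; every value (account id, role names, counts)
# is invented for this illustration.
SAMPLE_EVENT_HISTORY = json.dumps({"Records": [
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogStream",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebServiceTaskRole/task-1"}},
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogStream",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebServiceTaskRole/task-2"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebServiceInstanceRole/i-0123"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/GuardDutyRole/session"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ExternalScannerRole/scan-42"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AWSService", "invokedBy": "guardduty.amazonaws.com"}},
]})

# Hypothetical markers (lower-case) that identify principals the asker does not
# control; in practice take them from the role ARNs the security team's tools use.
MONITORING_MARKERS = ("guardduty", "externalscanner", "securityaudit")


def principal_of(record):
    """Best available name for who made the call: the role/user ARN, or the
    AWS service that invoked the API on the account's behalf."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def classify(record):
    """'monitoring' if the principal matches a known tooling marker, else 'normal'."""
    haystack = principal_of(record).lower()
    return "monitoring" if any(m in haystack for m in MONITORING_MARKERS) else "normal"


def summarize(raw_json):
    """Count events per (eventSource, eventName) within each category."""
    counts = defaultdict(Counter)
    for rec in json.loads(raw_json)["Records"]:
        counts[classify(rec)][(rec["eventSource"], rec["eventName"])] += 1
    return {category: dict(c) for category, c in counts.items()}


def category_shares(raw_json):
    """Fraction of all events in each category (what the bar chart would show)."""
    summary = summarize(raw_json)
    total = sum(sum(c.values()) for c in summary.values())
    return {category: sum(c.values()) / total for category, c in summary.items()}


if __name__ == "__main__":
    for category, counts in summarize(SAMPLE_EVENT_HISTORY).items():
        print(category)
        for (source, name), n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {source}  {name}")
    print(category_shares(SAMPLE_EVENT_HISTORY))
```

For real data, load the "Records" array from each log file the trail delivers to S3 and pass it through summarize; the per-category share is the number to watch, because the event history shows every management event once regardless of how many trails record it, so the share tells you who generates the volume, not which trail bills for it.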

1 Answer


It is unclear to me whether you're asking about the costs to operate the CloudTrail service, or about using CloudTrail to track your operational costs.

If the former, I'd be very surprised if you are running up significant costs for CloudTrail. You get one trail per account for free, and additional trails cost $2.00 per 100,000 events (pricing page). The only way that I can see for that to become a significant cost factor is to have an extremely large number -- as in dozens or hundreds -- of trails per account. Which is unlikely to be the case.

In the latter case, CloudTrail is the wrong tool for the job. Instead, you should use Cost Explorer, which will let you group your costs by multiple factors, including service and usage type.

If you are part of an organization (which it seems you are), and use consolidated billing (in which the organization owner pays all bills), then you'll need to be granted permission to see your cost data.

Parsifal
  • I'm asking about the cost of CloudTrail itself - it's our single biggest post. Thing is, it seems we have three trails. One is created centrally by IT, and we're supposed to have one as part of our own CF stack. For some reason we have two. But what confuses me is also the relation between a trail and events. When viewing the events, I would have expected that you'd see your list of trails, then select one in order to view events _for that trail_. Instead, I have three trails but a single list of event history. Each event does not seem associated to a particular trail. – JHH Sep 11 '20 at 14:48
  • I've also used Cost Explorer extensively already, I am fully aware of that (and I'm an admin for my AWS account so I have full rights), but I am unable to pin down why CloudTrail costs so much (and also predict what removing 1 or 2 of our trails would mean in terms of cost - but also what - if any - we'd lose in traceability by doing so). In short, I guess it's clear we don't really know what to use CloudTrail for except to go look there if the s*** hits the fan? :/ – JHH Sep 11 '20 at 14:49
  • @JHH - I'm sorry, but I just can't conceive of a situation in which CloudTrail has become your biggest cost. I recommend updating your question with the breakdown of CloudTrail costs by usage type, as reported by Cost Explorer. That will at least give people enough information to make a recommendation. – Parsifal Sep 14 '20 at 12:08
  • Also, the primary reason to use CloudTrail is to perform forensics on your AWS activity. For example, if you have CloudTrail data events enabled, you can identify whether someone accessed an S3 bucket in an unexpected way (such as accessing an internal-only bucket from an external IP address). – Parsifal Sep 14 '20 at 12:10
  • Yeah, I can't really understand it either, hence this question. I'll try to supply more info. – JHH Sep 22 '20 at 07:22
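To get the breakdown by usage type that the answer and Parsifal's comment point to, and to turn the answer's "$2.00 per 100,000 events beyond the free trail" figure into an estimate of what dropping one of the three trails would save, here is an added example; it is not code from the question, the answer or AWS. The Cost Explorer call uses the real GetCostAndUsage API through boto3; the "AWS CloudTrail" service-name filter value, the usage-type names and all amounts in the embedded sample are assumptions or constructed, and the saving estimate assumes every trail records the same management events.

```python
from collections import defaultdict

# Price quoted in the answer: $2.00 per 100,000 events for trails beyond the
# first free one. Data-event pricing is different and is not modelled here.
PRICE_PER_100K_PAID_EVENTS = 2.00


def fetch_cloudtrail_costs(start, end):
    """Real Cost Explorer call (needs ce:GetCostAndUsage and boto3 installed).
    Returns all pages merged into one response-shaped dict."""
    import boto3  # imported here so the offline parts below run without it
    ce = boto3.client("ce")
    params = {
        "TimePeriod": {"Start": start, "End": end},  # YYYY-MM-DD, end exclusive
        "Granularity": "MONTHLY",
        "Metrics": ["UnblendedCost", "UsageQuantity"],
        # Assumption: Cost Explorer labels the service "AWS CloudTrail"; check the
        # SERVICE dimension values in your account if the filter returns nothing.
        "Filter": {"Dimensions": {"Key": "SERVICE", "Values": ["AWS CloudTrail"]}},
        "GroupBy": [{"Type": "DIMENSION", "Key": "USAGE_TYPE"}],
    }
    merged = {"ResultsByTime": []}
    while True:
        page = ce.get_cost_and_usage(**params)
        merged["ResultsByTime"].extend(page["ResultsByTime"])
        token = page.get("NextPageToken")
        if not token:
            return merged
        params["NextPageToken"] = token


# Constructed stand-in for what fetch_cloudtrail_costs returns. Usage-type names
# and amounts are invented; the real names are whatever Cost Explorer reports.
SAMPLE_RESPONSE = {"ResultsByTime": [{
    "TimePeriod": {"Start": "2020-08-01", "End": "2020-09-01"},
    "Groups": [
        {"Keys": ["USE1-PaidEventsRecorded"],
         "Metrics": {"UnblendedCost": {"Amount": "1200.00", "Unit": "USD"},
                     "UsageQuantity": {"Amount": "60000000", "Unit": "Events"}}},
        {"Keys": ["USE1-FreeEventsRecorded"],
         "Metrics": {"UnblendedCost": {"Amount": "0", "Unit": "USD"},
                     "UsageQuantity": {"Amount": "30000000", "Unit": "Events"}}},
        {"Keys": ["USE1-DataEventsRecorded"],
         "Metrics": {"UnblendedCost": {"Amount": "5.00", "Unit": "USD"},
                     "UsageQuantity": {"Amount": "5000000", "Unit": "Events"}}},
    ],
    "Estimated": False,
}]}


def cost_by_usage_type(response):
    """Total cost and quantity per usage type across all periods, largest cost first."""
    totals = defaultdict(lambda: {"cost": 0.0, "quantity": 0.0})
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            usage_type = group["Keys"][0]
            totals[usage_type]["cost"] += float(group["Metrics"]["UnblendedCost"]["Amount"])
            totals[usage_type]["quantity"] += float(group["Metrics"]["UsageQuantity"]["Amount"])
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]["cost"]))


def paid_event_cost(paid_events):
    """Cost of management events on the non-free trails at the answer's quoted rate."""
    return paid_events / 100_000 * PRICE_PER_100K_PAID_EVENTS


def savings_if_trails_removed(paid_events, total_trails, trails_removed):
    """Estimated saving from deleting trails_removed of the paid trails.
    Assumption: every trail records the same management events, so each of the
    (total_trails - 1) paid trails contributes an equal share of paid_events."""
    paid_trails = total_trails - 1
    if paid_trails <= 0 or trails_removed <= 0:
        return 0.0
    trails_removed = min(trails_removed, paid_trails)
    return paid_event_cost(paid_events) * trails_removed / paid_trails


if __name__ == "__main__":
    breakdown = cost_by_usage_type(SAMPLE_RESPONSE)  # use fetch_cloudtrail_costs(...) for live data
    for usage_type, t in breakdown.items():
        print(f"{usage_type:28s} {t['quantity']:>14,.0f} events  ${t['cost']:>10,.2f}")
    paid = breakdown["USE1-PaidEventsRecorded"]["quantity"]
    print("saving from removing one of three trails:", savings_if_trails_removed(paid, 3, 1))
```

For the two-account case in the question, adding {"Type": "DIMENSION", "Key": "LINKED_ACCOUNT"} as a second GroupBy entry splits each usage type by account (Keys then has two elements, so join them when building the totals key). If the paid-events usage type dominates, the trail count is the lever; if data events dominate, it is the S3 or Lambda data-event selectors on the trails, which this estimate does not cover.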