Difficulty
Easy
Description
CloudTrail trails always deliver events to Amazon S3 by default. Enabling the optional CloudWatch Logs delivery in parallel duplicates the cost (ingestion + storage) without adding log content. When CloudWatch Logs is not actively consumed, disabling it eliminates the duplicate cost while keeping the S3 trail intact.
Selection Criteria
CloudTrail trail has CloudWatch Logs delivery enabled (
CloudWatchLogsLogGroupArnis set)The trail is also delivering to S3 (
S3BucketNameis set — should always be true for a valid trail)The CloudWatch log group is not actively consumed by metric filters, subscription filters, or real-time Logs Insights queries used for alerting / compliance
Expected Saving
CloudTrail-to-CloudWatch Logs ingestion is billed at standard CloudWatch Logs rates (~$0.50/GB ingested + $0.03/GB-month storage), which is entirely additional to the S3 trail. Disabling the CloudWatch Logs delivery saves both costs in full.
Example — a trail delivering 50 GB/month of management events to CloudWatch Logs:
Ingestion: 50 GB × $0.50 = $25.00/month
Storage: 50 GB × $0.03 = $1.50/month
Savings: ~$26.50/month per trail (assuming no retention reduction beyond default)
For data-event trails (which can be 10–100× more voluminous), the savings scale linearly and can easily reach hundreds or thousands of dollars per month.
Operational Impact
Downtime: None. The S3 trail continues to deliver every event without interruption. Only the CloudWatch Logs duplicate delivery stops.
Breaking changes: Any CloudWatch metric filter, subscription filter, Logs Insights saved query, or third-party agent reading from the trail's log group will stop receiving new events. The standard alternatives are:
EventBridge (CloudTrail emits API calls to the default event bus) — best for real-time alerting
Athena over S3 — best for ad-hoc investigation
CloudTrail Lake — best for unified querying and longer retention
Recovery: Re-enabling CloudWatch Logs delivery via
cloudtrail:UpdateTrail(settingCloudWatchLogsLogGroupArnandCloudWatchLogsRoleArn) restores ingestion. Events emitted while delivery was disabled are not back-filled, but remain available in S3.⚠️ Warning — Real-time security tooling: If a third-party SIEM is wired through the CloudWatch log group (rather than EventBridge or S3), validate compatibility before disabling. (Note: GuardDuty natively consumes CloudTrail events independently of the CloudWatch Logs delivery and is not affected by this change.)
⚠️ Warning — Compliance frameworks: Disabling CloudWatch Logs delivery on the CloudTrail trail may cause the Security Hub CPSM CIS AWS Benchmark CloudWatch.5 check to fail, as it relies on metric filters and alarms against CloudWatch Logs — if we proceed with S3-only logging, equivalent alarms will need to be recreated using S3-based metrics or an alternative detection mechanism.
⚠️ Warning — Existing log group: Disabling delivery does not delete the log group or its existing data; consider a retention policy if the historical data is no longer needed.
