aws_cloudtrail cost estimation

An audit log of AWS API calls. The first copy of management events is free; data events and Insights are billed per event.

An aws_cloudtrail tracks API calls in your AWS account. There's no per-trail fee, but data events and the optional Insights feature add cost.

Pricing components:

Management events (control-plane API calls like CreateBucket, RunInstances, etc.): the first copy is free per region. Subsequent trails capturing the same events cost $2.00 per 100,000 events. Most accounts have one management-event trail per region for free.

Data events (data-plane operations like S3 GetObject, Lambda Invoke, DynamoDB PutItem): not free. $0.10 per 100,000 events. Volume can be massive: an S3 bucket with high read traffic generates millions of GetObject events per day, costing hundreds per month in CloudTrail data events alone.

Insights events (anomaly detection): $0.35 per 100,000 management events analyzed. Right for compliance environments needing automated anomaly detection.

CloudTrail Lake (separate from trails): ingestion at $2.50/GB, retention at $0.10/GB-month. Right for long-term analysis of audit logs.

S3 storage for trail logs: standard S3 pricing. Default is the AWS-created bucket; you can specify your own. Logs accumulate fast for high-traffic accounts; lifecycle policies are important.

c3x estimates CloudTrail based on declared trails. Data event volume is usage-based via c3x-usage.yml.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_cloudtrail" "main" {
  name                          = "production-trail"
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  include_global_service_events = true   # IAM, CloudFront and other global services
  is_multi_region_trail         = true   # one trail for all regions; first copy is free
  enable_log_file_validation    = true   # digest files for tamper detection

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    # Data events are billed per event ($0.10/100K), so scope them to one bucket.
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::sensitive-data-bucket/"]
    }
  }
}

Pricing dimensions

What you actually pay for when you provision aws_cloudtrail.

Dimension | Unit | What's being charged | Price
Management events (1st copy) | free | First trail capturing management events in each region is free. The vast majority of accounts have one such trail. | $0
Management events (additional trails) | per 100,000 events | Subsequent trails capturing the same events. | $2.00/100,000 events
Data events | per 100,000 events | S3 object-level, Lambda invocations, DynamoDB operations, etc. Volume can be very high. | $0.10/100,000 events
Insights events | per 100,000 events analyzed | Anomaly detection on management events. | $0.35/100,000 events
CloudTrail Lake ingestion | per GB | Separate from trails. Long-term analytical store. | $2.50/GB
S3 storage of log files | per GB-month | Trail logs land in S3. Standard S3 storage pricing. | standard S3 pricing
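To make the pricing components and the table above concrete, here is an added estimator (not c3x's own code) that applies the page's rates to a declared set of trails plus usage figures. The Trail and Usage classes, the sample trails, and the usage numbers are constructed for illustration; the free-first-copy rule is applied per region, as the page describes.

```python
from dataclasses import dataclass
from typing import Optional

# Rates quoted on this page (USD). The model itself is an added illustration.
MGMT_EXTRA_PER_100K = 2.00   # additional trails capturing the same management events
DATA_PER_100K = 0.10         # data events (S3 GetObject, Lambda Invoke, ...)
INSIGHTS_PER_100K = 0.35     # per 100K management events analyzed
LAKE_INGEST_PER_GB = 2.50
LAKE_RETAIN_PER_GB_MONTH = 0.10

@dataclass
class Trail:
    name: str
    regions: list               # regions whose management events this trail captures
    data_events: bool = False   # event_selector carries a data_resource
    insights: bool = False

@dataclass
class Usage:                    # constructed stand-in for c3x-usage.yml values
    mgmt_events_per_region: int
    monthly_data_events: Optional[int] = None   # None = not declared
    lake_ingest_gb: float = 0.0
    lake_retained_gb: float = 0.0

def estimate(trails, usage):
    """Return (line items in USD/month, flags for usage-dependent dimensions)."""
    items, flags, covered = {}, [], set()
    extra_mgmt = insights_events = 0
    for t in trails:
        for region in t.regions:
            if region in covered:   # first management-event copy per region is free
                extra_mgmt += usage.mgmt_events_per_region
            covered.add(region)
        if t.insights:
            insights_events += usage.mgmt_events_per_region * len(t.regions)
    items["management (additional trails)"] = extra_mgmt / 1e5 * MGMT_EXTRA_PER_100K
    items["insights"] = insights_events / 1e5 * INSIGHTS_PER_100K
    if any(t.data_events for t in trails):
        if usage.monthly_data_events is None:   # mirrors the usage-dependent flag
            flags.append("data events: set monthly_data_events in c3x-usage.yml")
        else:
            items["data events"] = usage.monthly_data_events / 1e5 * DATA_PER_100K
    items["lake ingestion"] = usage.lake_ingest_gb * LAKE_INGEST_PER_GB
    items["lake retention"] = usage.lake_retained_gb * LAKE_RETAIN_PER_GB_MONTH
    return items, flags

# Constructed sample: a multi-region trail with S3 data events plus a leftover
# single-region trail that duplicates us-east-1 and has Insights turned on.
SAMPLE_TRAILS = [Trail("production-trail", ["us-east-1", "eu-west-1"], data_events=True),
                 Trail("legacy-trail", ["us-east-1"], insights=True)]
SAMPLE_USAGE = Usage(mgmt_events_per_region=1_000_000, monthly_data_events=50_000_000)
```

With the sample figures the duplicate trail costs $20.00, Insights $3.50 and data events $50.00 per month; drop monthly_data_events and the data-event line disappears in favour of a usage-dependent flag.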

Optimization tips

Common ways to reduce aws_cloudtrail cost without changing the workload.

Limit data events to high-value buckets

Significant for S3-heavy workloads

Don't enable data events for all S3 buckets. Restrict them to buckets holding sensitive data, regulated workloads, or specific compliance requirements. The rate is only $0.10 per 100K events, but counts can be enormous.

Skip Insights unless you need anomaly detection

$0.35/100K events

Insights is $0.35 per 100K events analyzed. For accounts with millions of daily management events, that's real money. Most teams find Insights' anomaly signals too noisy without tuning.

Use one multi-region trail instead of per-region trails

Per-event fees on duplicate trails

A multi-region trail captures events across all regions for free (as the first management-event trail). Avoid having multiple trails for the same events.

Lifecycle log files to Glacier

Storage cost over time

CloudTrail logs in S3 don't need to live in Standard storage after a few weeks. Lifecycle to S3 Glacier or Deep Archive cuts long-term storage by 80-95%.

Disable global service events for non-global trails

Per-event fees on duplicates

Setting include_global_service_events = false on region-specific trails avoids duplicate event capture for services like IAM and CloudFront. Only the multi-region trail needs them.

FAQ

Is CloudTrail really free?

The default management events trail is free. Data events and additional trails are not. Most accounts pay nothing for basic audit logging unless they enable data events on high-volume S3 buckets.

Should I enable data events for S3?

For sensitive or regulated data, yes. For general application data, no. Data events at $0.10/100K can cost more than the S3 storage itself for high-traffic buckets. Be selective.

How does c3x estimate CloudTrail data events?

Add expected monthly_data_events to c3x-usage.yml on the cloudtrail resource. Without that, c3x reports management events as $0 (first trail free) and flags data events as usage-dependent.

What about CloudTrail Lake?

CloudTrail Lake is a separate aws_cloudtrail_event_data_store resource with ingestion + storage pricing. Right for long-term forensic or compliance analysis. c3x estimates it independently.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_cloudtrail.