add proposal for CT

aws/proposals/cloudtrail/README.md

@@ -0,0 +1,89 @@
+# CloudTrail Configuration Modification
+
+We've had some people notice larger than expected CloudTrail costs.  Upon further investigation, we found this because of multiple
+trails created in many accounts.
+
+Our original baseline included a local CloudTrail `inf-cloudtrail-{account_id}-{region}`, with a backing S3 bucket.  We did not have AWS Organizations
+enabled.  It also included an object logging trail, `inf-cloudtrail-objectlog-{account_id}-{region}` with a backing S3 bucket. This captured only Data events,
+for which there is a lot.
+
+However, we did enable Organizations, and along with that, we enabled an Organization CloudTrail `inf-org-cloudtrail` with a backing S3 bucket.  This org cloudtrail
+sends SNS to SQS which is picked up by Sentinel. It is the only trail we really need.  We also added data events to it, so it captures a complete footprint of
+the CloudTrail.
+
+Our cost for CloudTrail for 2025 was $211.2K, an average of over $17.6K per month, with the highest cost coming in November 2025 of $22.6K.
+We have some accounts with a default cloudtrail (created by the prior reseller, not in our IaC), and then with our local cloudtrail.  We may have 2-3x the
+capture from a single stream of trail data.  Plus, the double of the data events.  We should be able to at least halve the CloudTrail costs by stripping this
+down to the minimum.
+
+As such, we asked AI about what this means, if we can reduce cost, and if we lose any functionality. The answer is, yes, this costs most and we lose nothing, really.
+
+What we plan to do:
+
+1. Remove all the non-org cloudtrails from every account and region (other than the one disconnected from our organization, used for the OpenData project).
+1. Remove the cloudtrail setup from the baseline (objectlogging is already removed from the baseline).
+1. Remove the objectlog cloudtrail configuration from each account and region.
+1. Remove the redundant local account cloudtrail configuration from each account and region.
+1. Remove the associated S3 buckets for these cloudtrails (as they are copied into the org trail, and Sentinel is maintaining that).
+
+To further help keep costs down, we will be adding a lifecycle rule to the Organization CloudTrail bucket, moving data after 30 days to IA, after 90 days to Glacier,
+and then deleting from Glacier after 18 months.
+
+## Prompt
+
+> I have a large AWS environment.  My cloudtrail costs are quite high. In each account and region I have a cloudtrail defined.  
+It captures management events.  I also have an organization-defined cloudtrail, which captures data and management events in a central account.
+If I were to remove the local account/region cloudtrail, would I still be able to examine cloudtrail events in the console of the account?
+
+## Response
+
+Yes, you would still be able to examine events in the local account's console, but with a few important caveats regarding what you can see and for how long.
+
+In AWS, there is a distinction between **Event History** (the console view) and **Trails** (the logging configuration). Here is how removing your local trails would affect your visibility:
+
+### 1. You still have "Event History" (90-Day Lookback)
+
+Even if you delete every trail in an account, the CloudTrail **Event History** page remains active.
+
+* **Availability:** It is enabled by default in every AWS account at no charge.
+* **Retention:** You can view, search, and download the last **90 days** of management events.
+* **Scope:** This view is region-specific. To see events in `us-east-1`, you must be in the `us-east-1` console.
+
+### 2. You lose "Data Event" visibility in the local console
+
+Your organization trail captures both management and data events (like S3 object-level actions or Lambda executions). However:
+
+* **Data events never show up in the "Event History" console.** They are only ever visible in the destination S3 bucket or via CloudTrail Lake.
+* By deleting the local trail, local users will no longer have a way to "see" data events through the CloudTrail console interface unless they have access to the central S3 bucket or are using CloudTrail Lake.
+
+### 3. Impact on Cost and Redundancy
+
+Since CloudTrail charges you for **additional** copies of management events, your current setup is indeed redundant.
+
+* **The first copy** of management events in each region is free.
+* **The second copy** (your organization trail) is charged at **$2.00 per 100,000 events**.
+
+By removing the local trails, you will stop paying for those "first copies" in each account, but because your organization trail is *also* capturing those same events, that organization trail becomes the "paid" copy for the management events it receives.
+
+### Comparison of Visibility Options
+
+| Feature | Event History (Console) | Organization Trail (S3/Central) |
+| --- | --- | --- |
+| **Management Events** | Yes (Last 90 days) | Yes (Forever/S3 retention) |
+| **Data Events** | No | Yes |
+| **Cost** | Free | Paid ($2.00 / 100k events) |
+| **Location** | Local to each Account | Centralized in Log Account |
+| **Cross-Region** | No (must switch regions) | Yes (consolidated in S3) |
+
+### Recommendation
+
+To optimize costs while maintaining local visibility:
+
+1. **Delete the local trails.** This simplifies your environment and removes local management overhead.
+2. **Rely on Event History** for quick 90-day troubleshooting in the local console.
+3. **Grant limited access** to the central Log Account's S3 bucket or use **Athena** for users who need to investigate older management events or any data events.
+
+# CHANGELOG
+
+* 1.0.0 -- 2025-12-30
+  - initial