From 70e0eac6c7fd43c1d723b6f9e5b78a55ab2bd2ea Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 30 Dec 2025 12:04:10 -0500 Subject: [PATCH] add proposal for CT --- aws/proposals/cloudtrail/README.md | 89 ++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 aws/proposals/cloudtrail/README.md diff --git a/aws/proposals/cloudtrail/README.md b/aws/proposals/cloudtrail/README.md new file mode 100644 index 00000000..b35ae900 --- /dev/null +++ b/aws/proposals/cloudtrail/README.md 
@@ -0,0 +1,89 @@ +# CloudTrail Configuration Modification + +We've had some people notice larger than expected CloudTrail costs. Upon further investigation, we found this because of multiple +trails created in many accounts. + +Our original baseline included a local CloudTrail `inf-cloudtrail-{account_id}-{region}`, with a backing S3 bucket. We did not have AWS Organizations +enabled. It also included an object logging trail, `inf-cloudtrail-objectlog-{account_id}-{region}` with a backing S3 bucket. This captured only Data events, +for which there is a lot. + +However, we did enable Organizations, and along with that, we enabled an Organization CloudTrail `inf-org-cloudtrail` with a backing S3 bucket. This org cloudtrail +sends SNS to SQS which is picked up by Sentinel. It is the only trail we really need. We also added data events to it, so it captures a complete footprint of +the CloudTrail. + +Our cost for CloudTrail for 2025 was $211.2K, an average of over $17.6K per month, with the highest cost coming in November 2025 of $22.6K. +We have some accounts with a default cloudtrail (created by the prior reseller, not in our IaC), and then with our local cloudtrail. We may have 2-3x the +capture from a single stream of trail data. Plus, the double of the data events. We should be able to at least halve the CloudTrail costs by stripping this +down to the minimum. + +As such, we asked AI about what this means, if we can reduce cost, and if we lose any functionality. The answer is, yes, this costs most and we lose nothing, really. + +What we plan to do: + +1. Remove all the non-org cloudtrails from every account and region (other than the one disconnected from our organization, used for the OpenData project). +1. Remove the cloudtrail setup from the baseline (objectlogging is already removed from the baseline). +1. Remove the objectlog cloudtrail configuration from each account and region. +1. 
Remove the redundant local account cloudtrail configuration from each account and region. +1. Remove the associated S3 buckets for these cloudtrails (as they are copied into the org trail, and Sentinel is maintaining that). + +To further help keep costs down, we will be adding a lifecycle rule to the Organization CloudTrail bucket, moving data after 30 days to IA, after 90 days to Glacier, +and then deleting from Glacier after 18 months. + +## Prompt + +> I have a large AWS environment. My cloudtrail costs are quite high. In each account and region I have a cloudtrail defined. +It captures management events. I also have an organization-defined cloudtrail, which captures data and management events in a central account. +If I were to remove the local account/region cloudtrail, would I still be able to examine cloudtrail events in the console of the account? + +## Response + +Yes, you would still be able to examine events in the local account's console, but with a few important caveats regarding what you can see and for how long. + +In AWS, there is a distinction between **Event History** (the console view) and **Trails** (the logging configuration). Here is how removing your local trails would affect your visibility: + +### 1. You still have "Event History" (90-Day Lookback) + +Even if you delete every trail in an account, the CloudTrail **Event History** page remains active. + +* **Availability:** It is enabled by default in every AWS account at no charge. +* **Retention:** You can view, search, and download the last **90 days** of management events. +* **Scope:** This view is region-specific. To see events in `us-east-1`, you must be in the `us-east-1` console. + +### 2. You lose "Data Event" visibility in the local console + +Your organization trail captures both management and data events (like S3 object-level actions or Lambda executions). 
However: + +* **Data events never show up in the "Event History" console.** They are only ever visible in the destination S3 bucket or via CloudTrail Lake. +* By deleting the local trail, local users will no longer have a way to "see" data events through the CloudTrail console interface unless they have access to the central S3 bucket or are using CloudTrail Lake. + +### 3. Impact on Cost and Redundancy + +Since CloudTrail charges you for **additional** copies of management events, your current setup is indeed redundant. + +* **The first copy** of management events in each region is free. +* **The second copy** (your organization trail) is charged at **$2.00 per 100,000 events**. + +By removing the local trails, you will stop paying for those "first copies" in each account, but because your organization trail is *also* capturing those same events, that organization trail becomes the "paid" copy for the management events it receives. + +### Comparison of Visibility Options + +| Feature | Event History (Console) | Organization Trail (S3/Central) | +| --- | --- | --- | +| **Management Events** | Yes (Last 90 days) | Yes (Forever/S3 retention) | +| **Data Events** | No | Yes | +| **Cost** | Free | Paid ($2.00 / 100k events) | +| **Location** | Local to each Account | Centralized in Log Account | +| **Cross-Region** | No (must switch regions) | Yes (consolidated in S3) | + +### Recommendation + +To optimize costs while maintaining local visibility: + +1. **Delete the local trails.** This simplifies your environment and removes local management overhead. +2. **Rely on Event History** for quick 90-day troubleshooting in the local console. +3. **Grant limited access** to the central Log Account's S3 bucket or use **Athena** for users who need to investigate older management events or any data events. + +# CHANGELOG + +* 1.0.0 -- 2025-12-30 + - initial
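Review bot: step 5 of the plan deletes the S3 buckets behind the local and objectlog trails on the grounds that they "are copied into the org trail", but the proposal itself says the local trails existed before Organizations was enabled, so everything those buckets captured before `inf-org-cloudtrail` was created (and anything from the reseller-created default trails that are outside the IaC) exists only there and would be lost, along with its value for incident investigation; suggest keeping those buckets (read-only, under the same lifecycle rule) or copying their prefixes into the org trail bucket, and confirming the org trail's start date and Sentinel's retained history, before any deletion. The Response section is also inconsistent on pricing: it states "The first copy of management events in each region is free" and then that after removing local trails the org trail "becomes the 'paid' copy", while the table lists the org trail as "Paid ($2.00 / 100k events)"; the savings estimate ("at least halve the CloudTrail costs") should say which copy is treated as the free first copy once only the org trail remains, rather than leaving that to the AI answer. Finally, the lifecycle rule (IA at 30 days, Glacier at 90 days, delete at 18 months) is a retention decision; the README should record the log-retention requirement it was checked against, since deleting from Glacier is irreversible.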