

# Viewing your CloudTrail cost and usage with AWS Cost Explorer

This section describes how you can view your CloudTrail costs and usage using [AWS Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html). Cost Explorer gives you the ability to visualize, understand, and manage your AWS costs and usage over time.

For details about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

**To view CloudTrail cost and usage with Cost Explorer**

1. Sign in to the AWS Management Console and open the Cost Explorer console at [https://console.aws.amazon.com/cost-management/home#/custom](https://console.aws.amazon.com/cost-management/home#/custom).

1. Under **Time**, choose the date range you want to analyze.

1. Under **Group by**, for **Dimension**, choose **Usage type**.

1. Under **Filters**, for **Service**, choose **CloudTrail**.

The following image shows an example of a cost report filtered for CloudTrail and grouped by **Usage type**.

![\[The Cost Explorer report grouped by Usage type and filtered for the CloudTrail service\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cost-explorer-cloudtrail-usage.png)


Review the **Usage type** to see which CloudTrail features generated the most cost. Each **Usage type** begins with the code for the AWS Region where the charge was incurred.

The following table describes the CloudTrail usage types for each CloudTrail feature.


| CloudTrail feature | Usage type | Description | 
| --- | --- | --- | 
|  CloudTrail trails  |  `region-FreeEventsRecorded`  |  The first copy of management events delivered free of charge to an AWS Region.   | 
|  CloudTrail trails  |  `region-PaidEventsRecorded`  |  The charge for additional copies of management events delivered to an AWS Region.  | 
|  CloudTrail trails  |  `region-DataEventsRecorded`  |  The charge for delivery of data events to an AWS Region. Data events always incur charges.  | 
|  CloudTrail trails  |  `region-NetworkEventsRecorded`  |  The charge for delivery of network activity events to an AWS Region. Network activity events always incur charges.  | 
|  CloudTrail Lake  |  `region-Ingestion-Bytes`  |  The charge for ingesting events into a CloudTrail Lake event data store using the **Seven-year retention pricing** option. Ingestion pricing is based on the volume of data ingested and is the same for all event types.  | 
|  CloudTrail Lake  |  `region-Ingestion-Bytes-1yearstore-Live-CloudTrail-Logs`  |  The charge for ingesting CloudTrail data events, network activity events, and management events into a CloudTrail Lake event data store using the **One-year extendable retention pricing** option.  | 
|  CloudTrail Lake  |  `region-Ingestion-Bytes-1yearstore-Other-data-sources`  |  The charge for ingesting other event sources into a CloudTrail Lake event data store using the **One-year extendable retention pricing** option. This includes CloudTrail Insights events, configuration items from AWS Config, evidence from AWS Audit Manager, (uncompressed) historical CloudTrail logs imported from S3, and events outside of AWS.  | 
|  CloudTrail Lake  |  `region-QueryScanned-Bytes`  |  The charge for running CloudTrail Lake queries. When you run queries in CloudTrail Lake, you incur charges based on the amount of optimized and compressed data scanned.  | 
|  CloudTrail Insights  |  `region-InsightsEvents`  |  The charge for CloudTrail Insights events. For Insights events, you incur charges based on the number of management events analyzed per Insight type. For more information, see [Costs for Insights events](insights-events-costs.md).  | 
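
The following added example (not part of the AWS documentation) applies the table above to a report grouped by **Usage type**: it strips the Region prefix, totals cost per CloudTrail feature, and lists Regions where `PaidEventsRecorded` shows a paid extra copy of management events. The sample response is constructed in the shape of a Cost Explorer `GetCostAndUsage` result; the Region codes, amounts, and the names `summarize` and `split_usage_type` are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Usage-type suffix -> CloudTrail feature, taken from the table above.
FEATURE_BY_SUFFIX = {
    "FreeEventsRecorded": "CloudTrail trails",
    "PaidEventsRecorded": "CloudTrail trails",
    "DataEventsRecorded": "CloudTrail trails",
    "NetworkEventsRecorded": "CloudTrail trails",
    "Ingestion-Bytes": "CloudTrail Lake",
    "Ingestion-Bytes-1yearstore-Live-CloudTrail-Logs": "CloudTrail Lake",
    "Ingestion-Bytes-1yearstore-Other-data-sources": "CloudTrail Lake",
    "QueryScanned-Bytes": "CloudTrail Lake",
    "InsightsEvents": "CloudTrail Insights",
}


def _group(usage_type, amount):
    """Build one constructed group entry in the GetCostAndUsage shape."""
    return {"Keys": [usage_type],
            "Metrics": {"UnblendedCost": {"Amount": amount, "Unit": "USD"}}}


# Constructed sample: two monthly periods grouped by usage type.
SAMPLE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"}, "Groups": [
        _group("USE1-FreeEventsRecorded", "0"),
        _group("USE1-PaidEventsRecorded", "4.20"),
        _group("USW2-DataEventsRecorded", "12.50"),
        _group("USE1-QueryScanned-Bytes", "0.75"),
        _group("USE1-InsightsEvents", "1.05"),
    ]},
    {"TimePeriod": {"Start": "2024-02-01", "End": "2024-03-01"}, "Groups": [
        _group("USE1-PaidEventsRecorded", "3.80"),
        _group("USW2-Ingestion-Bytes-1yearstore-Live-CloudTrail-Logs", "20.00"),
        _group("USW2-SomethingNew", "0.10"),  # not in the table above
    ]},
]}


def split_usage_type(usage_type):
    """Split 'REGION-Suffix' at the first hyphen; the suffix may contain hyphens."""
    region, _, suffix = usage_type.partition("-")
    return region, suffix


def summarize(response):
    """Return (cost per feature, Regions paying for extra copies, unknown types)."""
    by_feature = defaultdict(Decimal)
    duplicate_regions = set()
    unknown = []
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            usage_type = group["Keys"][0]
            amount = Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
            region, suffix = split_usage_type(usage_type)
            feature = FEATURE_BY_SUFFIX.get(suffix)
            if feature is None:
                unknown.append(usage_type)  # surface it instead of guessing
                continue
            by_feature[feature] += amount
            if suffix == "PaidEventsRecorded" and amount > 0:
                duplicate_regions.add(region)
    return dict(by_feature), sorted(duplicate_regions), unknown
```
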

# Using AWS Budgets to manage costs


AWS Budgets, a feature of AWS Billing and Cost Management, allows you to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.

Creating a budget for CloudTrail by using AWS Budgets is a recommended best practice, and can help you track your CloudTrail spending. Cost-based budgets help promote awareness of how much you might be billed for your CloudTrail use. [Budget alerts](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-best-practices.html#budgets-best-practices-alerts) notify you when your bill reaches a threshold that you define. When you receive a budget alert, you can make changes before the end of the billing cycle to manage your costs.

**Note**  
Though you can apply tags to CloudTrail trails, AWS Billing cannot currently use tags applied to trails for cost allocation. Cost Explorer can show costs for CloudTrail Lake event data stores and for the CloudTrail service as a whole.

To get started with AWS Budgets, open [AWS Billing and Cost Management](https://console.aws.amazon.com/billing), and then choose **Budgets** in the left navigation bar. We recommend configuring budget alerts as you create a budget to track CloudTrail spending. For more information about how to use AWS Budgets, see [Managing your costs with AWS Budgets](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html) and [Best practices for AWS Budgets](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-best-practices.html).

## Creating user-defined cost allocation tags for CloudTrail Lake event data stores


You can create [user-defined cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.html) to track the query and ingestion costs for your CloudTrail Lake event data stores. A *user-defined cost allocation tag* is a key-value pair that you can associate with an event data store. After you activate cost allocation tags, AWS uses the tags to organize your resource costs on your cost allocation report.
+ To create tags in the console, see step 9 of the [To create an event data store for CloudTrail events](query-event-data-store-cloudtrail.md#query-event-data-store-cloudtrail-procedure) procedure.
+ To create tags using the CloudTrail API, see [CreateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateEventDataStore.html) and [AddTags](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AddTags.html) in the *AWS CloudTrail API Reference*. 
+ To create tags using the AWS CLI, see [create-event-data-store](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html) and [add-tags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/add-tags.html) in the *AWS CLI Command Reference*.

For more information about activating tags, see [Activating user-defined cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html).

# Managing CloudTrail trail costs


You can configure and manage CloudTrail trails in ways that capture the data you need while remaining cost-effective. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

## Trail configuration


CloudTrail offers flexibility in how you configure trails in your account. Some decisions that you make during the setup process require that you understand the impacts to your CloudTrail bill. The following are examples of how trail configurations can influence your CloudTrail bill.

**Multiple trail creation**  
The first copy of management events within each region is delivered free of charge. For example, if your account has 2 single-Region trails, a trail in `us-east-1` and another trail in `us-west-2`, there are no CloudTrail charges because there is only one trail logging events in each respective Region. However, if your account has a multi-Region trail and an additional single-Region trail, the single-Region trail will incur charges because the multi-Region trail is already logging events in each Region.  
If you create more trails that deliver the same management events to other destinations, those subsequent deliveries incur CloudTrail costs. You can do this to allow different user groups (such as developers, security personnel, and IT auditors) to receive their own copies of log files. For data events, all deliveries incur CloudTrail costs, including the first.  
As you create more trails, it is especially important to be familiar with your logs, and understand the types and volumes of events that are generated by resources in your account. This helps you anticipate the volume of events that are associated with an account, and plan for trail costs. For example, using AWS KMS-managed server-side encryption (SSE-KMS) on your S3 buckets can result in a large number of AWS KMS management events in CloudTrail. Larger volumes of events across multiple trails can also influence costs.  
To help limit the number of events that are logged to your trail, you can filter out AWS KMS or Amazon RDS Data API events by choosing **Exclude AWS KMS events** or **Exclude Amazon RDS Data API events** on the **Create trail** or **Update trail** pages. When using basic event selectors, you can only filter management events. However, you can use advanced event selectors to filter both management and data events.  
You can use advanced event selectors to include or exclude data events, giving you the ability to log only the data events of interest. For more information, see [Filtering data events by using advanced event selectors](filtering-data-events.md).  
You can use advanced event selectors to include or exclude network activity events based on the `eventName`, `resources.type`, `resources.ARN`, `errorCode`, and `vpcEndpointId` fields, giving you the ability to log only the network activity events of interest. For more information, see [Logging network activity events](logging-network-events-with-cloudtrail.md).  
For more information about creating and updating a trail, see [Creating a trail with the CloudTrail console](cloudtrail-create-a-trail-using-the-console-first-time.md) or [Updating a trail with the CloudTrail console](cloudtrail-update-a-trail-console.md) in this guide.

**AWS Organizations**  
When you set up an Organizations trail with CloudTrail, CloudTrail replicates the trail to each member account within your organization. The new trail is created *in addition to* any existing trails in member accounts. Be sure that the configuration of your organization trail matches how you want trails configured for all accounts within an organization, because the organization trail configuration propagates to all accounts.  
Because Organizations creates a trail in each member account, an individual member account that creates an additional trail to collect the same management events as the Organizations trail is collecting a second copy of events. The account is charged for the second copy. Similarly, if an account has a multi-Region trail, and creates a second trail in a single Region to collect the same management events as the multi-Region trail, the trail in the single Region is delivering a second copy of events. The second copy incurs charges.

## See also

+ [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/)
+ [Managing your costs with AWS Budgets](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html)
+ [Getting started with Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-getting-started.html)
+ [Prepare for creating a trail for your organization](creating-an-organizational-trail-prepare.md)

# Managing CloudTrail Lake costs


AWS CloudTrail Lake event data stores and queries incur charges. You can configure event data stores in ways that capture the data you need while remaining cost-effective. For information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

**Topics**
+ [Event data store pricing options](#cloudtrail-lake-manage-costs-pricing-option)
+ [Understanding CloudTrail Lake charges](#cloudtrail-lake-charges)
+ [Recommendations for how you can reduce costs](#cloudtrail-lake-manage-costs-recommendations)
+ [See also](#w2aab9c23c13)

## Event data store pricing options


When you create an event data store, you choose the pricing option that you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention periods for the event data store.

The following table describes the available pricing options. The table shows the **Pricing option** in the console and the corresponding `BillingMode` value for the API, and lists the default and maximum retention period for each option.


| Pricing option (console) | BillingMode (API) | Description | 
| --- | --- | --- | 
|  **One-year extendable retention pricing**  |  `EXTENDABLE_RETENTION_PRICING`  |  Recommended if you expect to ingest less than 25 TB of event data per month and want a flexible retention period of up to 10 years. This option is also recommended if your event data store collects AWS Config configuration items, Audit Manager evidence, and events from outside of AWS. For the first 366 days (the default retention period), storage is included at no additional cost with ingestion pricing. After 366 days, extended retention is available at pay-as-you-go pricing. This is the default option. **Default retention period:** 366 days **Maximum retention period:** 3,653 days  | 
|  **Seven-year retention pricing**  |  `FIXED_RETENTION_PRICING`  |  Recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 7 years. Retention is included with ingestion pricing at no additional charge. **Default retention period:** 2,557 days **Maximum retention period:** 2,557 days  | 

## Understanding CloudTrail Lake charges


The following table provides information about how CloudTrail Lake event data stores and queries incur charges. For information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).


| Charge type | How you incur charges | 
| --- | --- | 
|  Data ingestion (uncompressed data)  |  For CloudTrail Lake, you pay based on the uncompressed data ingested. The [pricing option](#cloudtrail-lake-manage-costs-pricing-option) for the event data store determines the cost of ingesting events: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html) **Copying trail events** When you [copy trail events](cloudtrail-copy-trail-to-lake-eds.md) to CloudTrail Lake, CloudTrail unzips the logs that are stored in gzip (compressed) format. Then CloudTrail copies the events contained in the logs to your event data store. The size of the uncompressed data could be greater than the actual Amazon S3 storage size. To get a general estimate of the size of the uncompressed data, multiply the size of the logs in the S3 bucket by 10. CloudTrail will not copy an event if its event time is older than the specified retention period. To determine the appropriate retention period, take the sum of the oldest event you want to copy in days and the number of days you want to retain the events in the event data store as demonstrated in this equation: **Retention period** = *oldest-event-in-days* + *number-days-to-retain* For example, if the oldest event you're copying is 45 days old and you want to keep the events in the event data store for a further 45 days, you would set the retention period to 90 days.  | 
|  Data retention (optimized and compressed data)  |  CloudTrail Lake converts existing events in row-based JSON format to [Apache ORC](https://orc.apache.org/) format. ORC is a columnar storage format that is optimized for fast retrieval of compressed data. An event data store’s *retention period* determines how long event data is kept in the event data store. CloudTrail Lake determines whether to retain an event by checking if an event's event time is within the specified retention period. For example, if you specify a retention period of 90 days, CloudTrail will remove events when their event time is older than 90 days. For event data stores using the **Seven-year retention pricing** option, storage is included with ingestion pricing at no additional charge. For event data stores using the **One-year extendable retention pricing** option, storage is included at no charge with ingestion pricing for the first 366 days (the default retention period). After 366 days, storage is offered at pay-as-you-go pricing and is charged based on the optimized and compressed data in the event data store.  | 
|  Running queries in CloudTrail Lake (optimized and compressed data)  |  When you run queries in CloudTrail Lake, you pay based on the amount of optimized and compressed data scanned.  | 

## Recommendations for how you can reduce costs


This section provides recommendations for how you can reduce costs when working with CloudTrail Lake.

**Choose a pricing option based on the type of events your event data store will collect and your expected monthly ingestion**  
When creating an event data store, choose a pricing option based on the type of events your event data store will collect and your expected monthly ingestion.  
If you expect to ingest less than 25 TB of event data on a monthly basis and want a flexible retention period of up to 10 years, choose the **One-year extendable retention pricing** option. We also generally recommend this option for event data stores that collect AWS Config configuration items, Audit Manager evidence, and events from outside of AWS.  
If you expect to ingest more than 25 TB of event data on a monthly basis and need a 7-year retention period, choose the **Seven-year retention pricing** option.

**Evaluate your event data store's monthly ingestion over time**  
Evaluate the historical monthly ingestion of your event data store to see if there's a pricing option better suited to your needs.  
If you have an existing event data store that uses the **Seven-year retention pricing** option and you ingest less than 25 TB of data on a monthly basis, consider updating the event data store to use **One-year extendable retention pricing**. For event data stores using the **Seven-year retention pricing** option, you can change the pricing option using the [CloudTrail console](query-event-data-store-update.md), [AWS CLI](lake-cli-update-eds.md#lake-cli-update-billing-mode), or [UpdateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateEventDataStore.html) API operation.  
If you have an existing event data store that uses the **One-year extendable retention pricing** option and you ingest more than 25 TB of event data on a monthly basis, consider whether **Seven-year retention pricing** would better suit your needs. To use the new pricing option, [stop ingestion](query-eds-stop-ingestion.md) on your event data store and create a new event data store with the **Seven-year retention pricing** option.

**Use advanced event selectors to filter out events that aren't of interest**  
When configuring an event data store for CloudTrail management events, data events, or network activity events, you can filter out events that aren't of interest by using advanced event selectors.  
You can filter management events on the following advanced event selector fields: `eventName`, `eventSource`, `eventType`, `readOnly`, `sessionCredentialFromConsole`, and `userIdentity.arn`.  
You can filter data events on the following advanced event selector fields: `eventName`, `eventSource`, `eventType`, `resources.type`, `resources.ARN`, `readOnly`, `sessionCredentialFromConsole`, and `userIdentity.arn`. For more information, see [Filtering data events by using advanced event selectors](filtering-data-events.md).  
You can filter network activity events on the following advanced event selector fields: `eventName`, `errorCode`, and `vpcEndpointId`. For more information, see [Logging network activity events](logging-network-events-with-cloudtrail.md).
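
The following added example (not part of the AWS documentation) illustrates the advanced event selector filtering described here and under **Trail configuration**: it runs two management-event selectors over constructed events to show what each one stops logging before you apply it to reduce cost. The matcher is a simplified local model that assumes conditions inside a selector are ANDed and selectors are ORed; `eventCategory` is a selector field not listed above, and `is_logged` and `dropped` are hypothetical helper names.

```python
# String operators available on an advanced event selector field.
OPERATORS = {
    "Equals": lambda v, xs: v in xs,
    "NotEquals": lambda v, xs: v not in xs,
    "StartsWith": lambda v, xs: any(v.startswith(x) for x in xs),
    "NotStartsWith": lambda v, xs: not any(v.startswith(x) for x in xs),
    "EndsWith": lambda v, xs: any(v.endswith(x) for x in xs),
    "NotEndsWith": lambda v, xs: not any(v.endswith(x) for x in xs),
}

# Excludes every KMS management event, including key lifecycle changes.
BLANKET = [{"Name": "Management events without KMS", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]},
    {"Field": "eventSource", "NotEquals": ["kms.amazonaws.com"]},
]}]

# Excludes only the high-volume cryptographic operations by name.
NARROW = [{"Name": "Management events without bulk KMS calls", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]},
    {"Field": "eventName", "NotEquals": ["Encrypt", "Decrypt", "GenerateDataKey"]},
]}]

# Constructed, simplified events carrying only the fields the selectors test.
EVENTS = [
    {"eventCategory": "Management", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
    {"eventCategory": "Management", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey"},
    {"eventCategory": "Management", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion"},
    {"eventCategory": "Management", "eventSource": "kms.amazonaws.com", "eventName": "DisableKey"},
    {"eventCategory": "Management", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
]


def field_matches(event, field_selector):
    """True if the event's value satisfies every operator on this field."""
    value = str(event.get(field_selector["Field"], ""))
    return all(OPERATORS[op](value, operands)
               for op, operands in field_selector.items() if op != "Field")


def is_logged(event, selectors):
    """Logged if any selector has all of its field conditions satisfied."""
    return any(all(field_matches(event, fs) for fs in sel["FieldSelectors"])
               for sel in selectors)


def dropped(events, selectors):
    """Names of the events the selector set would not log."""
    return [e["eventName"] for e in events if not is_logged(e, selectors)]


if __name__ == "__main__":
    print("blanket drops:", dropped(EVENTS, BLANKET))
    print("narrow drops: ", dropped(EVENTS, NARROW))
```

The blanket exclusion also removes `ScheduleKeyDeletion` and `DisableKey` from the log, while the name-based exclusion keeps them.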

**Choose a narrower time range when copying trail events**  
When copying trail events to CloudTrail Lake, specify a narrower start event time and end event time to reduce the amount of data ingested.  
If you are copying trail events to CloudTrail Lake for historical analysis and do not want to ingest future events, deselect the option to ingest events so that you do not incur charges on ingesting any additional events.

**Format queries to use a starting and ending `eventTime`**  
When you run queries in Lake, you pay based upon the amount of data scanned. You can constrain costs by specifying a starting and ending `eventTime` for the query.

## See also

+ [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/)
+ [Supported CloudWatch metrics](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-cloudwatch-metrics.html)
+ [Managing your costs with AWS Budgets](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-managing-costs.html)
+ [Getting started with Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-getting-started.html)