CloudTrail - Duplicate Trails
AWS Resource Type:
AWS CloudTrail can record three types of events: management events, data events, and Insights events. This opportunity relates only to management events, typically the largest component of CloudTrail cost. AWS allows duplicate trails to be configured, so the same management events are delivered to two different trails and, beyond the first free copy, billed twice. This is a waste of money and can be prevented by identifying such duplicate trails and stopping logging on them.
Criteria for identifying the opportunity:
A trail is marked to be disabled when it is either:
- The exact match of another trail (duplicate), or
- A full subset of another trail.
This ensures that no event recorded by the disabled trail is lost: every event it would have captured is still recorded by the trail that covers it. Trails whose coverage only partially overlaps are not disabled, because each records events the other does not. Note that stopping a trail also stops delivery to that trail's own S3 bucket and CloudWatch Logs log group, so before accepting the recommendation check that nothing (a metric filter and alarm, a SIEM ingestion job) reads from those destinations, and repoint any such consumer at the surviving trail's destinations first.
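The duplicate/subset test above can be expressed as a set comparison over the management-event classes each trail records. The following is an added example, not CloudFix's own code: it models a trail's management-event coverage as the set of (region, read-or-write) pairs it captures, then flags a trail when another actively logging trail covers all of it. The trail records, the region list and the `created` ordering key are constructed assumptions (DescribeTrails does not return a creation time), and organization trails and data-event selectors are deliberately out of scope, as the opportunity only concerns management events.

```python
"""Find CloudTrail trails whose management-event coverage duplicates, or is a
strict subset of, another logging trail's coverage. Added example with
constructed data; not real account output."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumption: the account's enabled regions. In practice, read them from
# `aws ec2 describe-regions`.
ALL_REGIONS = ("us-east-1", "us-west-2", "eu-west-1")


@dataclass(frozen=True)
class Trail:
    name: str
    home_region: str
    is_multi_region: bool
    read_write_type: str       # "All", "ReadOnly" or "WriteOnly" (GetEventSelectors)
    include_management: bool   # IncludeManagementEvents from GetEventSelectors
    is_logging: bool           # IsLogging from GetTrailStatus
    created: int               # assumption: ordering key used to pick the "newer" trail
    s3_bucket: str
    cw_log_group: Optional[str]


def coverage(t: Trail) -> FrozenSet[Tuple[str, str]]:
    """The (region, read|write) management-event classes this trail records."""
    if not t.include_management:
        return frozenset()
    regions = ALL_REGIONS if t.is_multi_region else (t.home_region,)
    kinds = {"All": ("read", "write"),
             "ReadOnly": ("read",),
             "WriteOnly": ("write",)}[t.read_write_type]
    return frozenset((r, k) for r in regions for k in kinds)


def redundant_trails(trails: List[Trail]) -> List[Tuple[str, str, str]]:
    """Return (trail_to_stop, covering_trail, reason) for every redundant trail.

    A trail is redundant when another trail that is currently logging records
    every management event it does. For an exact duplicate only the newer trail
    is stopped, so a pair never cancels itself out. Trails that merely overlap
    are kept, because each records events the other does not.
    """
    result = []
    for a in trails:
        cov_a = coverage(a)
        if not a.is_logging or not cov_a:
            continue  # already stopped, or records no management events
        for b in trails:
            if b is a or not b.is_logging:
                continue
            cov_b = coverage(b)
            if cov_a == cov_b and a.created > b.created:
                result.append((a.name, b.name, "duplicate"))
                break
            if cov_a < cov_b:  # strict subset
                result.append((a.name, b.name, "subset"))
                break
    return result


def destinations_to_check(trails: List[Trail]) -> List[Tuple[str, str, Optional[str]]]:
    """Destinations that go dark when a redundant trail is stopped; review
    these for alarms or log shippers before calling StopLogging."""
    by_name = {t.name: t for t in trails}
    return [(name, by_name[name].s3_bucket, by_name[name].cw_log_group)
            for name, _, _ in redundant_trails(trails)]


# Constructed sample account: one broad trail plus three others.
SAMPLE_TRAILS = [
    Trail("org-all-regions", "us-east-1", True, "All", True, True, 1,
          "audit-logs", "/aws/cloudtrail/all-regions"),
    Trail("legacy-us-east-1-write", "us-east-1", False, "WriteOnly", True, True, 2,
          "legacy-logs", None),
    Trail("all-regions-copy", "us-west-2", True, "All", True, True, 3,
          "copy-logs", "/aws/cloudtrail/copy"),
    Trail("s3-data-events-only", "eu-west-1", False, "All", False, True, 4,
          "data-logs", None),
]

if __name__ == "__main__":
    for victim, keeper, why in redundant_trails(SAMPLE_TRAILS):
        print(f"stop {victim}: {why} of {keeper}")
    for name, bucket, group in destinations_to_check(SAMPLE_TRAILS):
        print(f"  check consumers of s3://{bucket} and {group} before stopping {name}")
```

On the sample data the write-only single-region trail is a subset of the multi-region trail and the second multi-region trail is its newer duplicate, so both are flagged, while the trail that records only data events is ignored. Note that `destinations_to_check` is the check the prose above asks for: the events survive in the covering trail, but anything wired to the stopped trail's bucket or log group stops receiving them.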
Potential savings (range in % on annual basis):
Approximately 80% of total CloudTrail cost can be saved. AWS delivers the first copy of each management event free of charge and bills every additional copy, so stopping the duplicate trails removes almost all management-event charges, which are in turn the bulk of CloudTrail cost.
What happens when the Fixer is executed?
When a trail is determined to be a duplicate (or subset) of another, the Fixer calls the CloudTrail StopLogging API against the newer (for an exact duplicate) or smaller (for a subset) trail. This stops new events from being delivered to that trail but does not delete the trail, its configuration, or the logs already stored in its destination.
Is it possible to rollback once CloudFix implements the fixer?
There is no automated rollback, but because the trail is not deleted it is easy to resume: log in to the AWS Console and click the "Start Logging" button for the affected trail, or call the StartLogging API against it.
Can CloudFix implement the fix automatically once I accept the recommendation?
Yes. Once the recommendation is approved, CloudFix automatically stops logging on the redundant trail.
Does this fix require downtime?
No downtime is required.