Duplicate or Overlapping AWS CloudTrail Trails
Matt Walls
Service Category: Other
Cloud Provider: AWS
Service Name: AWS CloudTrail
Inefficiency Type: Redundant Configuration
Explanation

AWS CloudTrail enables event logging across AWS services, but when multiple trails are configured to log overlapping events — especially data events — it can result in redundant charges and unnecessary storage or ingestion costs. This commonly occurs in decentralized environments where teams create trails independently, unaware of existing coverage or shared logging destinations.

Each trail that records data events contributes to billing on a per-event basis, even if the same activity is logged by multiple trails. Additional costs may also arise from delivering duplicate logs to separate S3 buckets or CloudWatch Logs log groups. While separate trails may be justified for audit, compliance, or operational segmentation, unintentional duplication increases both cost and operational complexity without added value.

Relevant Billing Model

CloudTrail billing is driven by:

  • Management events: One free copy to S3 per region per account
  • Data events: Charged per event recorded (e.g., object-level access, function invokes)
  • CloudTrail Insights: Charged per analyzed event
  • Multiple trails: Additional trails that log the same events or deliver to additional destinations (e.g., CloudWatch Logs) incur cumulative charges

Costs scale with both the volume of logged activity and the number of trails capturing it.

Detection
  • List all CloudTrail trails in the account and examine their configurations
  • Identify overlapping event types (e.g., same data events logged by multiple trails)
  • Review whether multiple trails are logging the same resource activity
  • Check whether each trail’s delivery destination (S3, CloudWatch Logs) is unique and necessary
  • Evaluate whether each trail serves a distinct purpose or is redundant with existing logging
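The detection steps above, as an added example that is not part of this page: a Python check over constructed trail data shaped like the boto3 CloudTrail `describe_trails()` and `get_event_selectors(TrailName=...)` responses. It flags regions where more than one trail records management events (only the first copy is free) and data-event resource selectors shared by several trails (each billed per event); the trail names, buckets and ARNs are made up.

```python
"""Flag CloudTrail trails that log the same events and so bill more than once (input shaped like boto3 responses)."""
from collections import defaultdict

# Constructed sample: two multi-region trails both logging management events and
# the same S3 data events, plus one regional trail in a second region.
TRAILS = [
    {"Name": "org-audit", "S3BucketName": "central-logs", "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"},
    {"Name": "team-a", "S3BucketName": "team-a-logs", "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"},
    {"Name": "team-b", "S3BucketName": "team-b-logs", "IsMultiRegionTrail": False, "HomeRegion": "eu-west-1"},
]
S3_DATA = {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::app-data/"]}
SELECTORS = {
    "org-audit": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": [S3_DATA]}],
    "team-a": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": [S3_DATA]}],
    "team-b": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}],
}

def trails_covering(trails, region):
    """Names of trails that capture activity in `region`: trails homed there plus every multi-region trail."""
    return [t["Name"] for t in trails if t["IsMultiRegionTrail"] or t["HomeRegion"] == region]

def find_overlaps(trails, selectors):
    """Return (kind, scope, trail_names) findings for duplicated management and data event logging."""
    findings = []
    # Management events: only the first copy per region is free, so more than one
    # trail logging them in a region means paid extra copies. Regions checked are
    # the home regions of the listed trails.
    for region in sorted({t["HomeRegion"] for t in trails}):
        mgmt = [n for n in trails_covering(trails, region)
                if any(s.get("IncludeManagementEvents") for s in selectors[n])]
        if len(mgmt) > 1:
            findings.append(("management", region, sorted(mgmt)))
    # Data events: each trail with the same resource selector is billed per event again.
    by_resource = defaultdict(set)
    for name, sels in selectors.items():
        for sel in sels:
            for res in sel.get("DataResources", []):
                for value in res["Values"]:
                    by_resource[(res["Type"], value)].add(name)
    for (rtype, value), names in sorted(by_resource.items()):
        if len(names) > 1:
            findings.append(("data", f"{rtype} {value}", sorted(names)))
    return findings

if __name__ == "__main__":
    for kind, scope, names in find_overlaps(TRAILS, SELECTORS):
        print(f"{kind:<10} {scope}: logged by {', '.join(names)}")
```

Against live data, replace TRAILS with `describe_trails()["trailList"]` and build SELECTORS from `get_event_selectors()["EventSelectors"]` per trail; trails using advanced event selectors need the same comparison on their `AdvancedEventSelectors` instead.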

Remediation
  • Delete or disable redundant trails that provide no unique audit or compliance value
  • Consolidate overlapping trails into a single unified configuration where feasible
  • Use centralized log destinations (e.g., one S3 bucket) to reduce storage and ingestion cost
  • Document trail ownership and logging strategy across teams to avoid future duplication