Submit feedback on
Suboptimal Log Class Configuration in CloudWatch
We've received your feedback.
Thanks for reaching out!
Oops! Something went wrong while submitting the form.
Close
back arrow
Go back
Suboptimal Log Class Configuration in CloudWatch
Kyler Rupe
Service Category
Other
Cloud Provider
AWS
Service Name
AWS CloudWatch
Inefficiency Type
Misconfiguration
Explanation

By default, CloudWatch Log Groups use the Standard log class, which applies higher rates for both ingestion and storage. AWS also offers an Infrequent Access (IA) log class designed for logs that are rarely queried — such as audit trails, debugging output, or compliance records. Many teams assume storage is the dominant cost driver in CloudWatch, but in high-volume environments, ingestion costs can account for the majority of spend. When logs that are infrequently accessed are ingested into the Standard class, it leads to unnecessary costs without impacting observability. The IA log class offers significantly reduced rates for ingestion and storage, making it a better fit for logs used primarily for post-incident review, compliance retention, or ad hoc forensic analysis.

Relevant Billing Model

CloudWatch Logs are billed based on: * Ingestion volume per GB * Storage per GB-month * Querying via Logs Insights (optional) By default, Log Groups are set to the **Standard** log class. However, AWS offers an **Infrequent Access** (IA) log class with significantly lower ingestion and storage rates. This class is ideal for logs accessed occasionally, such as security audits, application debugging, or forensic analysis. Because the log class must be set at creation, many environments default to Standard even when IA would be more cost-effective.

Detection
  • Identify all log groups currently using the Standard log class
  • For each, assess whether logs are actively queried or primarily retained for infrequent access
  • Review ingestion volumes relative to query frequency to surface high-ingest, low-access patterns
  • Evaluate log retention periods — long-retained logs with low query activity are strong candidates
  • Analyze whether ingestion charges account for a significant portion of CloudWatch costs
  • Flag logs used for compliance, audit, or post-incident forensics that could be routed to Infrequent Access
Remediation
  • Create new log groups using the **Infrequent Access** class for applicable use cases
  • Update application and service configurations to route logs to the new log groups
  • Use subscription filters or log routing to separate high-access logs (Standard) from infrequent logs (IA)
  • Apply tagging or naming conventions to distinguish log groups by access frequency or retention intent
  • Periodically audit log group configurations and adjust routing based on evolving usage patterns
Relevant Documentation

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogsLogClass.html
https://aws.amazon.com/cloudwatch/pricing/\#Logs

Submit Feedback
Powered by
Copyright © PointFive | All Rights Reserved 2025
Privacy Policy
Terms & Conditions
Cookie Policy
Cookies Preferences