Are management events really free?

For the first copy. CloudTrail provides the first copy of management events (control-plane API calls — CreateBucket, RunInstances, AttachRolePolicy, etc.) free on every account. Additional trails capturing the same management events bill $2.00 per 100K events. The free first copy is enough for most security and compliance use cases — point your single trail at an S3 bucket and you have the audit log. The bill starts when teams create multiple trails (per-account, per-region, per-OU) capturing the same events redundantly.

Why are data events so expensive?

Data events ($0.10 per 100K) capture data-plane operations: every S3 GetObject and PutObject, every Lambda Invoke, every DynamoDB GetItem and PutItem. On a busy S3 bucket processing 100M GETs per month, enabling data events adds $100/month for that single bucket. Across an organization with many high-volume buckets and busy Lambda functions, fleet-wide data events can easily land at $5,000–$50,000/month. Enable data events selectively — only on buckets and functions where compliance or forensic requirements mandate it. The default state should be off.

What is CloudTrail Lake and when should I use it?

CloudTrail Lake is a managed data lake for CloudTrail events with built-in SQL query capability. Ingestion is $2.50/GB (an order of magnitude more expensive than just storing CloudTrail logs in S3 at $0.023/GB), and storage past the included 7-year retention is $0.10/GB-month. Queries are $0.005/GB scanned. Lake is worth the premium when you need ad-hoc SQL queries across CloudTrail data without setting up Athena, or when retention requirements exceed what S3 lifecycle would conveniently provide. For most teams, CloudTrail to S3 + Athena is dramatically cheaper for the same query capability.

How does Insights events differ from regular management events?

Insights events ($0.35 per 100K events analyzed) run anomaly detection on your management event stream and emit an event whenever an API call pattern deviates from the baseline (a sudden spike in RunInstances calls, an unusual number of DeleteBucket attempts). They are a managed-detection capability built on top of CloudTrail. The cost is calculated on the management events analyzed, not the Insights events emitted. For an organization with 50M management events/month, Insights adds ~$175/month for the detection layer. Worth it for security-critical accounts; usually overkill for sandbox and dev accounts.

How does multi-region trail pricing compound?

A multi-region trail captures events from every region into a single S3 bucket. The management events from the home region remain in the free first-copy tier; events from additional regions are duplicate copies and bill $2.00/100K per region beyond the first. For an organization operating in 5 regions, the management event cost is roughly 4× the free baseline. Most security and compliance use cases need only one trail per account; configure it as multi-region but be aware of the per-region duplication on the additional regions.

Should I use organization trails or per-account trails?

Organization trails configured at the AWS Organizations level capture events from every account in the org into a single S3 bucket. The pricing is the same as per-account trails — the first copy of management events from each account is free, additional trails bill the per-event rate. Organization trails are operationally simpler (one place to configure, one place to receive events) and avoid per-account drift. They are the right pattern for any organization above ~5 accounts. The bill differs only in the data-events line: enabling data events at the org-trail level applies to every account in the org, which can multiply data-event costs significantly if not scoped via event selectors.

What is the cheapest way to query CloudTrail logs?

CloudTrail to S3 + Athena. CloudTrail writes events to S3 in compressed JSON; Athena queries those files at the standard $5/TB scanned. For occasional security investigations, an Athena query against a partitioned CloudTrail bucket costs cents per query — dramatically cheaper than CloudTrail Lake or any third-party SIEM ingestion. The setup cost is one-time (create Glue Catalog table, set up partition projection for the eventName/eventTime partitions); the per-query cost is small. Use Lake only when the SQL convenience or the integrated retention/event-history features justify the order-of-magnitude price premium.

AWS CloudTrail Pricing: Management, Data, Insights, Lake

AWS CloudTrail has one of the cleanest pricing models on AWS — management events are free for the first copy, data events are $0.10 per hundred thousand, Insights events are $0.35 per hundred thousand. The bill nevertheless surprises teams routinely. The reason: data events bill on data-plane operations, which on a busy S3 bucket means every GetObject call, and on a busy Lambda function means every invocation. Enable data events broadly and the bill climbs into four or five figures fast.

This post is the bill story. For the operational angle — setting up multi-region trails, log file validation, the Lake architecture — see our CloudTrail production setup guide.

The Five CloudTrail Billing Dimensions

CloudTrail pricing breakdown — us-east-1, June 2026

Prices in us-east-1

Management events are essentially free. Data events, additional trails, and Lake ingestion are the lines that surprise.

Dimension	Unit price	Example workload	Monthly cost
Management events — first trail Covers control-plane API calls	Free	Default audit trail per account	$0.00
Management events — additional trails Per-account, per-region duplications	$2.00 / 100K events	5M events / month on a 2nd trail	$100
Data events Per data-plane API call; enable selectively	$0.10 / 100K events	100M S3 GETs on one bucket / month	$100
Insights events Analyzes the management event stream	$0.35 / 100K analyzed	50M management events / month	$175
CloudTrail Lake ingestion Includes 7-year retention	$2.50 / GB ingested	100 GB events / month	$250
CloudTrail Lake storage (after 7 years) Same rate as EventBridge archive	$0.10 / GB-month	Long-term retention beyond 7y	Variable
CloudTrail Lake queries Lower than Athena per query	$0.005 / GB scanned	1 TB scanned across queries	$5
S3 destination storage Use lifecycle to IA/Glacier for old logs	Standard S3 rates	500 GB CloudTrail logs in S3	~$12 (Standard)

Management events — first trail

$0.00

Covers control-plane API calls

Unit price: Free
Example workload: Default audit trail per account

Management events — additional trails

$100

Per-account, per-region duplications

Unit price: $2.00 / 100K events
Example workload: 5M events / month on a 2nd trail

Data events

$100

Per data-plane API call; enable selectively

Unit price: $0.10 / 100K events
Example workload: 100M S3 GETs on one bucket / month

Insights events

$175

Analyzes the management event stream

Unit price: $0.35 / 100K analyzed
Example workload: 50M management events / month

CloudTrail Lake ingestion

$250

Includes 7-year retention

Unit price: $2.50 / GB ingested
Example workload: 100 GB events / month

CloudTrail Lake storage (after 7 years)

Variable

Same rate as EventBridge archive

Unit price: $0.10 / GB-month
Example workload: Long-term retention beyond 7y

CloudTrail Lake queries

Lower than Athena per query

Unit price: $0.005 / GB scanned
Example workload: 1 TB scanned across queries

S3 destination storage

~$12 (Standard)

Use lifecycle to IA/Glacier for old logs

Unit price: Standard S3 rates
Example workload: 500 GB CloudTrail logs in S3

The most economical CloudTrail setup: one organization trail, management events only, S3 destination with lifecycle to Glacier, Athena for ad-hoc queries.

The Data Events Trap

Data events are where most CloudTrail bills get out of control. The per-100K rate looks small ($0.10) until you remember that “data events” means every single S3 object operation and every single Lambda invocation. On a high-volume S3 bucket, this multiplies fast.

Data events on three common workload sizes

Prices in us-east-1

The bill scales with the underlying data-plane volume. Most workloads do not need data events on every bucket and every function.

Dimension	Unit price	Example workload	Monthly cost
Mid-traffic S3 bucket (1M GETs/day) Reasonable for compliance-tracked buckets	$0.10 / 100K	30M / month	$30/mo
Static asset CDN origin bucket (100M GETs/day) Almost never justified; CloudFront logs do this job	Same rate	3B / month	$3,000/mo
High-traffic Lambda function (10M invokes/day) Per function; multiplies across function fleet	Same rate	300M / month	$300/mo
DynamoDB hot table (100M GetItem/day) DynamoDB Streams + CloudWatch are usually enough	Same rate	3B / month	$3,000/mo

Mid-traffic S3 bucket (1M GETs/day)

$30/mo

Reasonable for compliance-tracked buckets

Unit price: $0.10 / 100K
Example workload: 30M / month

Static asset CDN origin bucket (100M GETs/day)

$3,000/mo

Almost never justified; CloudFront logs do this job

Unit price: Same rate
Example workload: 3B / month

High-traffic Lambda function (10M invokes/day)

$300/mo

Per function; multiplies across function fleet

Unit price: Same rate
Example workload: 300M / month

DynamoDB hot table (100M GetItem/day)

$3,000/mo

DynamoDB Streams + CloudWatch are usually enough

Unit price: Same rate
Example workload: 3B / month

Enable data events with explicit event selectors targeting only the buckets and functions that need compliance-grade audit trails.

CloudTrail Lake vs S3 + Athena

CloudTrail Lake is the AWS-managed query layer for CloudTrail events. It bills $2.50/GB ingested (versus $0.023/GB for the same data in S3 Standard), then includes 7 years of retention. Queries are $0.005/GB scanned.

The math against the S3+Athena alternative:

CloudTrail Lake vs S3 + Athena — 100 GB events/month, 12 queries scanning 50 GB each

Prices in us-east-1

The Lake premium is operational convenience and integrated retention. The actual capability is comparable to S3+Athena.

Dimension	Unit price	Example workload	Monthly cost
CloudTrail Lake — ingest Includes 7-year storage	$2.50 / GB	100 GB / month	$250
CloudTrail Lake — queries Cheap once data is in Lake	$0.005 / GB scanned	600 GB scanned	$3
CloudTrail to S3 Cheaper still with lifecycle to IA/Glacier	S3 Standard $0.023/GB	100 GB / month, 12-month retention	~$28
Athena queries on S3 CloudTrail Same query economics; needs Glue catalog setup	$5 / TB scanned	600 GB scanned	$3
Total — Lake Operationally simpler	Ingestion-dominated	Same workload	$253
Total — S3 + Athena 88% cheaper for the same capability	Storage + query	Same workload	~$31

CloudTrail Lake — ingest

$250

Includes 7-year storage

Unit price: $2.50 / GB
Example workload: 100 GB / month

CloudTrail Lake — queries

Cheap once data is in Lake

Unit price: $0.005 / GB scanned
Example workload: 600 GB scanned

CloudTrail to S3

~$28

Cheaper still with lifecycle to IA/Glacier

Unit price: S3 Standard $0.023/GB
Example workload: 100 GB / month, 12-month retention

Athena queries on S3 CloudTrail

Same query economics; needs Glue catalog setup

Unit price: $5 / TB scanned
Example workload: 600 GB scanned

Total — Lake

$253

Operationally simpler

Unit price: Ingestion-dominated
Example workload: Same workload

Total — S3 + Athena

~$31

88% cheaper for the same capability

Unit price: Storage + query
Example workload: Same workload

Use Lake when the operational simplicity is worth the premium. Use S3+Athena when bill matters and you can absorb the one-time Glue catalog setup.

Multi-Region and Organization Trails

CloudTrail’s “first trail free” applies per-account, not per-region. A multi-region trail captures events from every region — the home region remains free, additional regions bill $2.00/100K for the management event duplicates.

Organization trails (configured at the AWS Organizations level) capture events from every account in the organization into a single S3 bucket. This is the right pattern for any org with more than a handful of accounts: one configuration point, one destination, simpler IAM. The per-account first-copy free tier still applies — the first management-event copy from each member account is free.

The bill increase from organization trails is on the data-events side: if data events are enabled at the org-trail level, they apply to every account. Scope carefully with explicit event selectors.

When to Enable Each CloudTrail Feature

Management events always; data events selectively; Insights for security-critical accounts; Lake when SQL convenience justifies the premium.

Use when

Management events on every account — first copy is free; the audit trail is non-negotiable
Organization trail for orgs with 5+ accounts — single config point, single destination
Data events on compliance-tracked S3 buckets (PII, PHI, financial records, audit logs)
Data events on Lambda functions handling regulated data flows
Insights events on production and security accounts where anomaly detection matters operationally
CloudTrail Lake when you need ad-hoc SQL queries without the Athena setup overhead and 7-year retention fits the use case

Avoid when

Data events on CDN-origin S3 buckets — CloudFront logs already capture access; CloudTrail data events are redundant and expensive
Data events on high-traffic non-compliance Lambda functions — CloudWatch Logs provide enough operational visibility
Multiple trails capturing the same management events — first copy is free; additional copies bill
Insights events on dev and sandbox accounts — anomaly detection is operationally noise in these contexts
CloudTrail Lake for cost-sensitive long-term retention — S3 + lifecycle is dramatically cheaper for the same data

The default state for data events on a new account should be off, enabled only with explicit per-resource selectors for the specific buckets and functions that need audit-grade tracking.

A 30-Day CloudTrail Bill Cleanup Plan

Week 1 — Audit trails per account. Run aws cloudtrail describe-trails per account; identify trails capturing duplicate management events. Consolidate to a single organization trail where the org structure supports it.

Week 2 — Audit data events scope. For each trail with data events enabled, examine event selectors. Replace wildcards with explicit resource ARNs. Disable data events on buckets and functions that do not have explicit compliance requirements.

Week 3 — Evaluate Lake vs S3+Athena. For trails currently writing to Lake, evaluate the query frequency and complexity. If queries are infrequent (under 10/month) and the operational simplicity is not load-bearing, migrate to S3+Athena. If queries are frequent and SQL convenience matters, the Lake premium is justified — but verify it explicitly.

Week 4 — Insights scope. Confirm Insights is enabled only on production and security accounts. Disable on dev/sandbox accounts where the detection noise doesn’t justify the per-100K analysis charge.

What This Post Doesn’t Cover

CloudTrail event integrations with EventBridge — aws.cloudtrail event source on the default bus is free; covered in the EventBridge pricing post.
GuardDuty / Security Hub consumption of CloudTrail — those services bill independently; covered in their own pricing posts.
Third-party SIEM ingestion of CloudTrail logs — pricing depends on the SIEM provider; outside the AWS bill itself.
Long-term retention compliance specifics (HIPAA, PCI, SOX retention requirements) — covered in our compliance content.

If You Only Do One Thing This Week

Audit data event event selectors across every trail in your organization. Run aws cloudtrail get-event-selectors --trail-name <name> per trail; for each trail with data events enabled, check the resource ARNs. Replace any wildcards (arn:aws:s3:::*/* or arn:aws:lambda:*:*:function:*) with explicit resource ARNs scoped to specific compliance-tracked resources. On accounts with high-traffic CDN-origin buckets, this single change can cut the CloudTrail bill by 80%+ without weakening security on the resources that actually need data-event tracking.

For the operational architecture — multi-region trails, log file validation, the Lake setup — the CloudTrail production setup guide covers the design side.

AWS CloudTrail Pricing: Why Data Events Cost 100× More Than Management Events

The Five CloudTrail Billing Dimensions