Skip to content

CloudTrail Duplicate Trails

When multiple CloudTrail trails log the same management events, it results in duplicate storage costs, redundant log processing, and unnecessary CloudWatch Logs ingestion.

Implementation Effort: Low - Estimated time: less than 30 minutes. Delete duplicate trails after confirming the primary trail covers all required events.

What We Detect

  • Duplicate trails -- Multiple trails logging overlapping management events, leading to redundant storage and processing costs

Why It Matters

Duplicate trails double your S3 storage, CloudWatch Logs ingestion, and data processing costs for the same events. In accounts with high API activity, this can add up to significant waste.

Recommendations

  1. Consolidate overlapping trails into a single trail
  2. Use an organization trail for multi-account setups
  3. Regularly audit trail configurations to prevent drift

Keep on chasing 🧡