Excessive CloudTrail Charges from Bulk S3 Deletes
Liam Greenamyre
Service Category: Storage
Cloud Provider: AWS
Service Name: AWS S3
Inefficiency Type: Misconfigured Logging
Explanation

When large numbers of objects are deleted from S3—such as during cleanup or lifecycle transitions—CloudTrail can log every individual delete operation if data event logging is enabled. This is especially costly when deleting millions of objects from buckets configured with CloudTrail data event logging at the object level. The resulting volume of logs can cause a significant, unexpected spike in CloudTrail charges, sometimes exceeding the cost of the underlying S3 operations themselves. This inefficiency often occurs when teams initiate bulk deletions for cleanup or cost savings without realizing that CloudTrail logs every API call, including `DeleteObject`, if data event logging is active for the bucket.

Relevant Billing Model

CloudTrail charges based on the volume of management and data events captured. S3 data events—especially object-level delete operations—can generate significant logging volume if not scoped or disabled appropriately.

Detection
  • Review whether CloudTrail data event logging is enabled for S3 buckets targeted for bulk deletes
  • Check for a high volume of `DeleteObject` or `DeleteObjects` events in CloudTrail logs
  • Validate whether object-level logging is actually needed for the objects being deleted (e.g., legacy or non-sensitive data)
Remediation
  • Temporarily disable S3 data event logging before initiating bulk deletes where logging is unnecessary
  • Scope CloudTrail data event logging to only the prefixes or buckets that require detailed auditability
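An added example, not part of the original page, that applies the first detection step and the scoping remediation before a bulk delete: given a trail's basic event selectors, it decides whether a `DeleteObject` on a given key would generate a data event and how many events a planned delete list would add. `SELECTORS` is a constructed sample shaped like the output of `aws cloudtrail get-event-selectors`; advanced event selectors are not handled.

```python
"""Estimate CloudTrail S3 data events a bulk delete would generate.

Assumption: `SELECTORS` is a constructed sample shaped like the
`EventSelectors` part of `aws cloudtrail get-event-selectors` output.
Only basic event selectors are handled, not advanced event selectors.
"""

# Constructed sample: one trail logging reads and writes for every object in
# archive-bucket and for objects under the logs/ prefix of app-bucket.
SELECTORS = {
    "EventSelectors": [
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": True,
            "DataResources": [
                {
                    "Type": "AWS::S3::Object",
                    "Values": [
                        "arn:aws:s3:::archive-bucket/",
                        "arn:aws:s3:::app-bucket/logs/",
                    ],
                }
            ],
        }
    ]
}


def delete_is_logged(selectors: dict, bucket: str, key: str) -> bool:
    """True if DeleteObject on s3://bucket/key would produce a data event.

    DeleteObject is a write, so a "ReadOnly" selector never captures it.
    Data resource values are prefix-matched against the object ARN, which
    covers the documented forms: "arn:aws:s3" (every bucket in the account),
    "arn:aws:s3:::bucket/" (whole bucket) and "arn:aws:s3:::bucket/prefix".
    """
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for sel in selectors.get("EventSelectors", []):
        if sel.get("ReadWriteType") == "ReadOnly":
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            if any(object_arn.startswith(v) for v in res.get("Values", [])):
                return True
    return False


def count_logged_deletes(selectors: dict, bucket: str, keys) -> int:
    """Number of data events a bulk delete of `keys` in `bucket` would add."""
    return sum(delete_is_logged(selectors, bucket, k) for k in keys)
```

Run `count_logged_deletes` over the key list produced by `aws s3api list-objects-v2` for the planned cleanup; a large result means the bucket or prefix should be removed from the selector (or logging paused) before the delete starts.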