Overly Permissive VPC Flow Log Filters Sent to CloudWatch Logs
Kevin Talbierz
Service Category
Other
Cloud Provider
AWS
Service Name
AWS CloudWatch
Inefficiency Type
Explanation

VPC Flow Logs configured with the ALL filter and delivered to CloudWatch Logs often result in unnecessarily high log ingestion volumes — especially in high-traffic environments. This setup is rarely required for day-to-day monitoring or security use cases but is commonly enabled by default or for temporary debugging and then left in place. As a result, teams incur excessive CloudWatch charges without realizing the logging configuration is misaligned with actual needs.

Relevant Billing Model

CloudWatch Logs is billed based on:
  • Ingestion volume (per GB) — charged for each log event ingested
  • Storage (per GB per month) — ongoing charges for retained logs

Detection
  • Identify VPC Flow Logs with a destination of CloudWatch Logs
  • Check whether the log filter is set to ALL
  • Review total ingestion volumes and associated CloudWatch Logs charges over time
  • Evaluate whether full traffic logging is necessary or if ACCEPT or REJECT would suffice
  • Confirm whether logs are used for active monitoring or compliance, or are remnants of prior debugging
Remediation
  • Update the VPC Flow Log filter to ACCEPT or REJECT where appropriate
  • Consider redirecting logs to S3 for lower-cost storage if detailed analysis is not required in CloudWatch
  • Implement periodic audits of logging configurations to catch overly verbose setups
  • Align logging retention and granularity with actual monitoring and compliance needs
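The first two detection steps and the remediation note above, as an added example that is not part of the original page: it filters the EC2 DescribeFlowLogs response for ALL-filter flow logs delivered to CloudWatch Logs and lists the log groups whose ingestion volume should then be reviewed. SAMPLE_FLOW_LOGS is a constructed response with fictional IDs; fetch_flow_logs shows the boto3 call that would supply real data.

```python
"""Flag VPC Flow Logs that send ALL traffic to CloudWatch Logs.

Operates on the response shape of EC2 DescribeFlowLogs. SAMPLE_FLOW_LOGS is a
constructed response (fictional IDs, not from any real account); fetch_flow_logs()
shows the boto3 call that would replace it.
"""
from typing import Dict, List

# Constructed sample in the DescribeFlowLogs response shape (fictional IDs).
SAMPLE_FLOW_LOGS: List[Dict] = [
    {"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0111", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/prod-all"},
    {"FlowLogId": "fl-0bbb", "ResourceId": "vpc-0222", "TrafficType": "REJECT",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/prod-reject"},
    {"FlowLogId": "fl-0ccc", "ResourceId": "vpc-0333", "TrafficType": "ALL",
     "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-log-bucket"},
]


def find_verbose_cloudwatch_flow_logs(flow_logs: List[Dict]) -> List[Dict]:
    """Return flow logs whose filter is ALL and whose destination is CloudWatch Logs."""
    return [
        fl for fl in flow_logs
        if fl.get("TrafficType") == "ALL"
        and fl.get("LogDestinationType") == "cloud-watch-logs"
    ]


def log_groups_to_review(flow_logs: List[Dict]) -> List[str]:
    """Distinct CloudWatch log groups fed by ALL-filter flow logs.

    Each name is the LogGroupName dimension to query for the CloudWatch Logs
    IncomingBytes metric when reviewing ingestion volume over time.
    """
    return sorted({fl["LogGroupName"] for fl in find_verbose_cloudwatch_flow_logs(flow_logs)})


def fetch_flow_logs(region: str) -> List[Dict]:
    """Live equivalent of SAMPLE_FLOW_LOGS via boto3 (needs AWS credentials)."""
    import boto3  # imported here so the module loads without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    logs: List[Dict] = []
    for page in ec2.get_paginator("describe_flow_logs").paginate():
        logs.extend(page["FlowLogs"])
    return logs


if __name__ == "__main__":
    for fl in find_verbose_cloudwatch_flow_logs(SAMPLE_FLOW_LOGS):
        # TrafficType cannot be changed on an existing flow log: remediation means
        # creating a replacement with ACCEPT or REJECT, confirming delivery, then deleting this one.
        print(f"{fl['FlowLogId']} on {fl['ResourceId']} -> {fl['LogGroupName']} (ALL)")
```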
Relevant Documentation
  • Logging IP traffic using VPC Flow Logs
  • Amazon CloudWatch Logs pricing