If you’re doing an audit involving AWS backups and notice a sudden rise in costs, there are a few steps you can take to manage this without sacrificing security. Here’s a practical way to handle this situation:
When applying backup plans by tagging AWS resources like S3 buckets, DynamoDB tables, or other services, sometimes costs can unexpectedly spike. This often happens because of how AWS manages backups and logging, especially if certain features are turned on.
One common cause is the absence of continuous backups (point-in-time recovery, or PITR) for S3. Without PITR enabled, AWS Backup has to scan the entire bucket each time it creates a snapshot. This results in a large number of API calls, which can increase your costs significantly.
During initial backups, AWS Backup makes multiple API calls such as GetObjectAcl and GetObjectTagging for each object in the bucket. If there are changes and subsequent backups occur, only new or modified objects are scanned, but the cost can still add up. Also, buckets with many delete markers can incur extra charges since these count as objects themselves.
Furthermore, objects stored in certain classes like Glacier Instant Retrieval or Standard-Infrequent Access (S3-IA) require retrieval requests, causing additional costs. If CloudTrail Data Events are enabled for S3, every API call related to backup operations is logged, which can flood your CloudWatch logs and increase expenses.
To address this, review your CloudTrail settings. You can modify your Data Event selectors to exclude automatic, service-initiated backup API activities. Specifically, configuring your CloudTrail to log only manual or user-initiated actions helps cut down on unnecessary log volume and costs.
Here’s how to do it:
1. Adjust your CloudTrail Data Event selectors to exclude AWS Backup search API calls. Use a filter that logs only relevant user activities and excludes routine, automated backups.
2. Similarly, update your S3 Data Events logging to ignore service-initiated events that don’t need to be monitored for security purposes.
These steps significantly reduce the amount of logged API activity, which in turn lessens the load on CloudWatch and CloudTrail and lowers costs while keeping key security oversight in place.
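One way to express step 1 as a CloudTrail advanced event selector, with a small local matcher that shows its effect on constructed sample events (an added example, not from the original page). It assumes the backups run under the default role name AWSBackupDefaultServiceRole in placeholder account 111122223333; the matcher is a simplified model of selector evaluation, not AWS's implementation.

```python
# Added example: an advanced event selector and a simplified local model of how
# it filters events. Account ID, session and principal names are constructed.
BACKUP_ROLE_PREFIX = "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/"

# Same shape as the AdvancedEventSelectors parameter of PutEventSelectors.
SELECTORS = [{
    "Name": "S3 object events except the AWS Backup role",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "userIdentity.arn", "NotStartsWith": [BACKUP_ROLE_PREFIX]},
    ],
}]

OPS = {
    "Equals": lambda v, x: v == x,
    "StartsWith": lambda v, x: v.startswith(x),
}

def field_matches(fs, event):
    value = event.get(fs["Field"], "")
    for op, operands in fs.items():
        if op == "Field":
            continue
        negate = op.startswith("Not")
        hit = any(OPS[op[3:] if negate else op](value, x) for x in operands)
        if hit == negate:  # a positive operator missed, or a Not* operator hit
            return False
    return True

def is_logged(event, selectors=SELECTORS):
    """Logged if every field selector of at least one selector matches."""
    return any(all(field_matches(fs, event) for fs in s["FieldSelectors"])
               for s in selectors)

def s3_event(name, arn):
    # Constructed sample event, flattened to the fields the selector reads.
    return {"eventCategory": "Data", "resources.type": "AWS::S3::Object",
            "eventName": name, "userIdentity.arn": arn}

SAMPLE = [
    s3_event("GetObjectTagging", BACKUP_ROLE_PREFIX + "backup-session"),
    s3_event("GetObjectAcl", BACKUP_ROLE_PREFIX + "backup-session"),
    s3_event("GetObject", "arn:aws:iam::111122223333:user/alice"),
    s3_event("DeleteObject", "arn:aws:sts::111122223333:assumed-role/Admin/bob"),
]

def logged_names(events=SAMPLE):
    return [e["eventName"] for e in events if is_logged(e)]
```

Every call made under the excluded role drops out of the data-event trail, so keep that role's trust policy restricted to AWS Backup and continue to log management events for it.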
It’s advisable to have a specialist review your current setup to make sure the logging modifications are optimized for your security needs without creating unnecessary expenses. Keep in mind that strategic logging is about balancing security and costs. Adjusting log settings as described helps keep you secure and saves you money.
If you follow this approach, you should see a substantial reduction in costs associated with backup activities, without compromising your security posture. For best results, assess your specific backup and logging requirements regularly and fine-tune the settings accordingly.





