Taming the Noise: A Practical Guide to Selective AWS CloudTrail Logging
In a multi-account AWS environment, centralized logging is a cornerstone of security and governance. Enabling CloudTrail at the Organization level to send logs to a central S3 bucket is a standard best practice. However, this approach can create a new problem: an overwhelming flood of data from non-production accounts, leading to increased costs and alert fatigue for your security team.

Our team faced this exact issue. With an AWS environment managed by Landing Zone Accelerator, both our production and test account logs were funneled into a single S3 bucket for our SIEM tool. This inflated our Events Per Second (EPS), spiked costs, and generated a stream of low-priority incidents from test accounts, distracting our security team from what truly mattered. The challenge was that the organization-level trail offered no simple option to exclude specific accounts or Organizational Units (OUs).

Evaluating the Solutions
We considered three potential paths to regain control over our logging st...
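Before choosing among those paths, it helps to measure how much of the central bucket's volume the test accounts actually produce. The following is an added example, not code from the original article: it reads records in the shape an organization trail delivers them (gzip-compressed JSON with a top-level `Records` list) and tallies events and events per second by `recipientAccountId`; the account IDs and records are constructed placeholders.

```python
import gzip
import json
from collections import Counter
from datetime import datetime

# Constructed sample records in the shape CloudTrail writes them.
# Account IDs are placeholders, not real accounts.
PROD_ACCOUNT, TEST_ACCOUNT = "111111111111", "222222222222"
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "recipientAccountId": PROD_ACCOUNT},
    {"eventTime": "2024-01-01T00:00:20Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "recipientAccountId": TEST_ACCOUNT},
    {"eventTime": "2024-01-01T00:00:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "recipientAccountId": TEST_ACCOUNT},
    {"eventTime": "2024-01-01T00:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "recipientAccountId": TEST_ACCOUNT},
]

def make_log_file(records):
    """Serialize records the way a trail delivers them: gzip-compressed JSON."""
    return gzip.compress(json.dumps({"Records": records}).encode())

def load_records(gz_bytes):
    """Read one delivered log file back into its list of records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]

def events_by_account(records):
    """Count events per receiving account (the account stamped on each record)."""
    return Counter(r["recipientAccountId"] for r in records)

def eps_by_account(records):
    """Events per second per account over the window the records span (>= 1 s)."""
    if not records:
        return {}
    times = [datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for r in records]
    window = max((max(times) - min(times)).total_seconds(), 1.0)
    return {acct: n / window for acct, n in events_by_account(records).items()}

def noise_share(records, noisy_accounts):
    """Fraction of all events that came from the given (e.g. test) accounts."""
    counts = events_by_account(records)
    total = sum(counts.values())
    return sum(counts[a] for a in noisy_accounts) / total if total else 0.0

if __name__ == "__main__":
    recs = load_records(make_log_file(SAMPLE_RECORDS))
    print(events_by_account(recs), eps_by_account(recs), noise_share(recs, {TEST_ACCOUNT}))
```

On a real bucket the same functions apply to each object under the trail's `AWSLogs/<org-id>/<account-id>/CloudTrail/` prefix, and the per-account share is the number to put in front of the team before deciding what to exclude.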