Why Your AWS Logging Bill Is Out of Control

Every few months, someone on your team opens the AWS bill, scrolls to CloudWatch, and says something unprintable. The number is always higher than last month. Nobody can explain why.

This keeps happening because CloudWatch doesn't have a price. It has a pricing spreadsheet. Ingestion is one rate. Storage is another. Every query costs money. Every dashboard widget costs money. Alarms cost money. Cross-region anything costs money. And the numbers change depending on your region.

Where the money actually goes

Let's say you're running a typical setup. Five services, each producing about 4 GB of logs per day. That's 20 GB/day, or about 600 GB/month. Sounds manageable. Here's what CloudWatch charges you:

• Ingestion: $0.50/GB = $300/month
• Storage (after 5GB free): $0.03/GB/month, but data grows over time. With 30-day retention that's about $9/month. Not bad on its own.
• Queries via Logs Insights: $0.005 per GB scanned. Run 20 queries a day across 600 GB and you're at $60/month.
• Dashboards: $3/month per dashboard after the first three. Most teams have 5-10.
• Alarms: $0.10 each for standard, $0.30 for high-resolution. 50 alarms = $5-15/month.

Add it up and you're somewhere between $280 and $400 per month. For 600 GB of logs. And you still had to build every dashboard and write every alarm rule yourself.

The real problem isn't the price per GB

The billing model punishes you for actually using your logs. Every time a developer runs a query to debug a production issue, that's a billable event. Every time someone opens a dashboard, the widgets are scanning data. The more you use CloudWatch, the more it costs.

This creates a weird incentive where teams avoid querying their logs because it's expensive. Which defeats the entire purpose of having logs in the first place.

Some teams try to control costs by reducing log verbosity. They drop debug logs, then info logs, then start filtering out anything that isn't an error. By the time they're done, the logs are useless for debugging because all the context is gone.

What 600 GB/month looks like elsewhere

Datadog charges $0.10/GB for ingestion, which sounds cheap until you realize they also charge $2.55 per million events for indexing. If your average log line is 500 bytes, 600 GB is about 1.2 billion events. That's $3,060/month just for indexing. Plus the $0.10/GB ingestion. So you're looking at $3,120/month. For the same 600 GB.

Grafana Cloud charges $0.50/GB for logs, which puts 600 GB at $300/month. Better than Datadog, similar to CloudWatch, but you still have to build dashboards and write alert rules.

With Epok, 600 GB/month is $49. Flat. That includes anomaly detection, new error fingerprinting, silence alerts, pattern clustering, AI root cause analysis, Slack and PagerDuty integration. No per-query fees. No per-dashboard fees. No surprises on the bill.

The fix isn't cheaper storage

Cheaper storage helps, but the bigger issue is what you're paying for. With CloudWatch, you're paying for infrastructure. Disk space, compute cycles, API calls. You're renting a database and building the intelligence layer yourself.

What you actually want is to know when something breaks. You want to know about new errors the moment they appear. You want to know when a service goes silent. You want to know when error rates spike after a deploy.

That's what you should be paying for. Not the storage underneath it.

What switching looks like

If you're already running FluentBit, Vector, Promtail, or the OpenTelemetry Collector, switching is a config change. Point your log shipper at Epok instead of CloudWatch. Your existing log format works as-is.

If you're using the CloudWatch agent directly, you can forward CloudWatch logs to Epok via a Lambda subscription filter. It takes about 15 minutes to set up and you can run both in parallel while you evaluate.

The free tier gives you 150 GB/month with all core detection features. No credit card. No trial period. It's permanently free.

Related