VANDEKERCKHOVE


Easy Wins in Cost Reduction for EKS Logs

When running workloads on Amazon EKS, it’s easy to overlook the cost implications of log ingestion, especially for control plane logs. By default, when you enable logs such as api, authenticator, audit, scheduler, and controllerManager, EKS automatically creates log groups in CloudWatch with a naming convention like: /aws/eks/{clustername}/cluster

These logs are stored as STANDARD log storage with no retention policy by default, which means logs are kept indefinitely unless manually deleted. Over time, this can lead to unexpectedly high CloudWatch costs, especially for audit logs which tend to have a high ingestion rate.

A customer of mine had a very large EKS cluster where ingestion nearly reached 800GB/month; as you can imagine, this started to influence the bill.

Why Audit Logs Aren’t Needed Every Day

Audit logs are crucial for compliance and troubleshooting, but in most cases they aren’t required for daily access. These logs are primarily used for occasional audits or deep troubleshooting. Keeping them in standard storage with unlimited retention is not always cost-efficient.

How To Reduce Costs

AWS doesn’t allow you to directly specify the log group name or retention policy for these control plane logs in the EKS configuration. This means you cannot just set it in your cluster definition; you must create the log group manually with the correct name before enabling the logs.

Here’s the trick:

Create the log group yourself in CloudWatch with the exact name EKS expects (/aws/eks/{clustername}/cluster), then:

    Set a retention period that matches your requirements (e.g., 30 days).
    Change the storage class to Infrequent Access if these logs are rarely needed.

By doing this, you instruct AWS to store these logs in a more cost-effective way. This can yield substantial savings, in some cases up to a 50% reduction in log ingestion costs, depending on your cluster’s workload and log volume.
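An added example, not code from the original post: a Python check that reads the output of `aws logs describe-log-groups` and returns the AWS CLI commands for the steps above. It goes slightly beyond the post by flagging a group that EKS already created in the Standard class, because a log group's class is set at creation and cannot be changed afterwards; the function name, the sample JSON and the cluster names are constructed for illustration.

```python
import json

# Retention values CloudWatch Logs accepts for put-retention-policy.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                        545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}


def plan_log_group(describe_json, cluster, retention_days=30):
    """Return (status, commands) for the control plane log group of `cluster`.

    describe_json is the output of:
      aws logs describe-log-groups --log-group-name-prefix /aws/eks/<cluster>/cluster
    """
    if retention_days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{retention_days} is not an accepted retention value")
    name = f"/aws/eks/{cluster}/cluster"
    # A prefix query can return other groups too, so match on the exact name.
    groups = {g["logGroupName"]: g for g in json.loads(describe_json)["logGroups"]}
    retention = ["aws", "logs", "put-retention-policy", "--log-group-name", name,
                 "--retention-in-days", str(retention_days)]
    group = groups.get(name)
    if group is None:
        # Not created yet: create it with the cheaper class before enabling logging.
        create = ["aws", "logs", "create-log-group", "--log-group-name", name,
                  "--log-group-class", "INFREQUENT_ACCESS"]
        return "create", [create, retention]
    # retentionInDays is absent from the output when the group never expires.
    cmds = [] if group.get("retentionInDays") == retention_days else [retention]
    if group.get("logGroupClass", "STANDARD") != "INFREQUENT_ACCESS":
        # The class is fixed at creation; only retention can still be set here.
        return "standard-class-exists", cmds
    return ("ok" if not cmds else "fix-retention"), cmds


# Constructed sample: EKS created the group itself (Standard class, never expires).
SAMPLE = json.dumps({"logGroups": [
    {"logGroupName": "/aws/eks/prod/cluster", "logGroupClass": "STANDARD",
     "storedBytes": 123456789}]})

if __name__ == "__main__":
    for cluster in ("prod", "staging"):
        status, cmds = plan_log_group(SAMPLE, cluster)
        print(cluster, status)
        for c in cmds:
            print("  " + " ".join(c))
```

A "standard-class-exists" result means the savings from the Infrequent Access class are not available for that group as it stands, so run this check before control plane logging is enabled on a new cluster.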

Why This Matters

This is a low-effort optimization with a significant impact on cost efficiency for any EKS environment. It’s especially useful for production environments where audit logs accumulate quickly, but aren’t accessed frequently.
