All cheat sheets
Operational Efficiencycheat sheet

CloudWatch Logs Infrequent Access

The IA log class halves both ingestion (~$0.25/GB) and storage (~$0.015/GB-month) for write-and-forget log groups — but silently disables metric filters, subscription filters, and Live Tail. Know the disable list before you move anything.

Last reviewed: July 11, 2026

TL;DR: CloudWatch Logs now has two classes: Standard, and Infrequent Access at roughly half the price on both ingestion ($0.25/GB) and storage ($0.015/GB-month). The catch is a hard disable list: no metric filters, no subscription filters, no Live Tail — and moving a group with an existing metric filter silently flatlines the metric while the alarm looks fine in the console. IA is a clean 50% discount for write-and-forget logs (VPC Flow Logs, audit trails); it's a trap for anything you alarm on.

The numbers

  • Standard: ~$0.50/GB ingest, ~$0.03/GB-month store — all features
  • IA: ~$0.25/GB ingest, ~$0.015/GB-month store — Insights queries still work (slower scans); filters/Live Tail/anomaly detection don't
  • Worth the ceremony above ~500 GB stored per group, or when total log storage exceeds $200/month; 10 TB of stored logs saves **$1,800/year** on storage alone
  • Field example: 6 TB of VPC Flow Logs across 4 VPCs at $400/month (ingest + store) → **$200/month** on IA with no functional loss

Do this

  1. Run the three-question safety check per candidate group: no metric filters, no subscription filters, queried less than ~weekly. All three must pass:

    aws logs describe-metric-filters --log-group-name /aws/vpc/flow-logs
    aws logs describe-subscription-filters --log-group-name /aws/vpc/flow-logs
    
  2. Create the IA group and cut the producer over — there is no in-place conversion:

    aws logs create-log-group \
      --log-group-name /aws/vpc/flow-logs-ia \
      --log-group-class INFREQUENT_ACCESS
    

    Point the producer (Flow Logs subscription, service config) at the new group; give the old Standard group a short retention so it ages out. Terraform: log_group_class = "INFREQUENT_ACCESS".

  3. Still set retention — IA is cheaper, not free; Never-Expire × IA × forever still grows.

  4. Pick the right tool for the retention window: 30 days–1 year with occasional Insights queries → IA. Multi-year compliance → S3 + Glacier via Athena is ~10× cheaper than IA storage (a fintech in the source workflow paid ~$5/month on S3 for 1.2 TB that IA would have held at ~$18).

Gotchas

  • The silent-alarm failure is the big one: IA doesn't warn about existing metric filters — the metric just stops updating while the alarm sits green. Audit filters before moving anything.
  • The disable list is disabled, not degraded: no subscription streaming to OpenSearch/Lambda, no Live Tail, no log-anomaly detection, restricted as a cross-account destination.
  • Dormant-app log groups are the least-safe candidates — they're exactly where forgotten filters live. Often the better move is deleting the group.
  • Fix retention first. A Never-Expire group at IA prices still loses to a 30-day Standard group over time; class is step 3 in the pipeline, after retention and ingestion reduction.
  • Small groups aren't worth it — half of $2/month is $1.

Skip this if

  • The group feeds any alarm, dashboard, metric filter, or subscription — keep Standard (or refactor to EMF metrics from the app first).
  • Retention is multi-year — S3 archive wins by an order of magnitude.
  • Your bill is ingestion-dominated — halving ingest helps, but sampling/filtering at the source can cut 90%; do that first.

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing an AWS account for CloudWatch Logs Infrequent Access
(IA) opportunities — and for IA misuse. Use the AWS CLI with READ-ONLY
credentials. Do not create, modify, or delete anything.

1. Per region: aws logs describe-log-groups — capture name, class
   (logGroupClass), storedBytes, retentionInDays.
2. IA candidates = Standard groups that pass ALL THREE safety checks:
   - no metric filters: aws logs describe-metric-filters
     --log-group-name <g> returns empty
   - no subscription filters: aws logs describe-subscription-filters
     --log-group-name <g> returns empty
   - write-and-forget profile (flow logs, audit trails, sporadic
     Lambda logs) — infer from name and note for confirmation.
   Only flag groups where the discount is material: >~500 GB stored
   or portfolio storage >$200/mo.
3. Misuse check: existing IA groups — do any look operationally hot
   (names matching production app logs)? IA disables alarms' metric
   sources SILENTLY; flag any IA group whose name suggests it should
   be alarmed on.
4. Alternatives triage: multi-year-retention candidates are better in
   S3+Glacier (≈10× cheaper than IA storage) — recommend that instead
   where retention ≥ 1 year. Groups whose cost is ingestion-dominated
   need source filtering, not a class change.

Report: candidate table (group | stored GB | filters? | est. $/mo
saved on IA vs S3-archive recommendation), the migration pattern
(create new IA group + cut over producer — no in-place conversion),
and any misuse findings. Change nothing.
Works with any assistant that can run shell commands.

Want the guided version?

The CloudWatch Logs Infrequent Access walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough