Cost

Set retention on CloudWatch log groups

By default log groups keep data forever — set a retention policy and let AWS prune the long tail automatically.


Last reviewed 27 May 2026

Log retention: the basics

What does it mean for a log group to have no retention policy?

Every CloudWatch log group has a retentionInDays setting. When you create a group manually it defaults to null — which AWS renders in the console as "Never Expire." That's not marketing language; it is literally the policy. Logs ingested today will sit in the group until somebody, sometime, deletes them by hand.

Most log groups in a typical AWS account weren't created by hand. Lambda creates one the first time a function logs. ALB, API Gateway, ECS, EKS, RDS Performance Insights, VPC Flow Logs, CodeBuild, Step Functions, AppSync — all of them auto-create groups on first use, and every single one of those groups is born with no retention. They quietly grow for years before anyone runs a bill audit.

Wastage checks flag any log group with retentionInDays = null (or, less commonly, a retention that's obviously wrong for the data — debug logs kept for 10 years, compliance logs kept for 3 days). The fix is one API call per group. The hard part isn't applying it; the hard part is deciding, for each group, what "right" actually is.

In this lesson you'll learn how CloudWatch Logs is actually billed, why ingestion almost always dominates the line item but storage compounds over years, how to pick retention windows by log purpose, and how to bulk-fix an account that's been running with no policy for a while. You'll also see how to stop the bleeding so newly auto-created log groups don't start the cycle over again.

Fun fact

Lambda's never-expiring legacy

Lambda has auto-created log groups since 2014, and for nearly ten years every single one was born with Never Expire. In late 2023 AWS finally added an account-level default retention you can set, but it only applies to new log groups Lambda creates after you set it. Every legacy group still sits at infinite retention until someone fixes it. Mature accounts routinely have 40,000+ Lambda log groups, most empty or near-empty, a few hoarding gigabytes of data nobody's read since 2019.

Setting retention in action

Nina runs platform infra at a SaaS company. The CloudWatch line on the monthly invoice has crept from $400 to $2,800 over three years. Ingestion explains most of it — they ship more logs than they used to — but storage is now a third of the bill and growing.

She lists every log group in the production account and pipes it through jq to count how many have no retention. The answer is 4,612 out of 5,108. The largest single offender is a /aws/lambda/legacy-image-processor group from 2021 holding 38 GB of debug output for a function that was decommissioned 18 months ago.

She applies a default policy: 30 days for application logs, 7 days for debug groups, 400 days for the handful of audit groups. Storage drops by 71% over the next two weeks as AWS prunes the long tail automatically.

First, list every log group in the account and find the ones with no retention set.

$ aws logs describe-log-groups --query 'logGroups[?retentionInDays==`null`].[logGroupName,storedBytes]' --output table

----------------------------------------------------------------------
|                         DescribeLogGroups                          |
+----------------------------------------------------+---------------+
|  /aws/lambda/legacy-image-processor                |  40802189312  |
|  /aws/lambda/billing-cron                          |  12533493760  |
|  /aws/apigateway/welcome                           |  94371840     |
|  /aws/codebuild/frontend-deploy                    |  3221225472   |
|  /ecs/payments-service                             |  8589934592   |
|  /aws/lambda/old-stripe-webhook                    |  1073741824   |
+----------------------------------------------------+---------------+

# 4,612 groups returned. The top 6 alone hold about 62 GB, which at $0.03/GB-mo is roughly $1.85/mo, forever.

Log groups with retentionInDays = null and their stored byte counts.
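To turn a listing like the one above into a dollar figure, a small helper can sum the byte counts and price them. This is a minimal sketch, not part of the original walkthrough: the function name summarize_storage is hypothetical, it assumes 1 GB means 2^30 bytes, and it assumes a flat $0.03/GB-month rate unless another rate is passed in.

```shell
# Sum stored bytes from "name bytes" lines on stdin and price them.
# Assumptions: 1 GB = 2^30 bytes; flat storage rate (default $0.03/GB-month).
summarize_storage() {
  awk -v rate="${1:-0.03}" '
    { bytes += $2 }
    END {
      gb = bytes / 1073741824
      printf "%.1f GB, $%.2f/month\n", gb, gb * rate
    }'
}

# The six groups from the listing above.
summarize_storage <<'EOF'
/aws/lambda/legacy-image-processor 40802189312
/aws/lambda/billing-cron 12533493760
/aws/apigateway/welcome 94371840
/aws/codebuild/frontend-deploy 3221225472
/ecs/payments-service 8589934592
/aws/lambda/old-stripe-webhook 1073741824
EOF
# prints: 61.8 GB, $1.85/month
```

In practice the input would come from describe-log-groups with --output text rather than a pasted list.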

Now apply a 30-day retention policy to one of them and watch CloudWatch start pruning.

$ aws logs put-retention-policy --log-group-name /aws/lambda/legacy-image-processor --retention-in-days 30

# Command returns no output on success.

$ aws logs describe-log-groups --log-group-name-prefix /aws/lambda/legacy-image-processor

{
    "logGroups": [
        {
            "logGroupName": "/aws/lambda/legacy-image-processor",
            "retentionInDays": 30,
            "storedBytes": 40802189312
        }
    ]
}

# AWS will prune anything older than 30 days in the next 24-72 hours.

PutRetentionPolicy is idempotent and instant — pruning happens asynchronously.

How CloudWatch Logs is actually billed (deep dive)

CloudWatch Logs has two main charges: ingestion at $0.50/GB and storage at $0.03/GB-month (Standard class, us-east-1 list prices; other regions differ). Ingestion is paid once, at write time, on the uncompressed bytes shipped. Storage is paid every month the data sits there, on the compressed, archived footprint, which is usually smaller. For a noisy app the ingestion bill almost always dominates: you can pay $500 ingesting 1 TB in a single day and at most $30 to store the result for the rest of the month.

What changes that math is time. After about 17 months of sitting in a Standard log group, cumulative storage cost has matched the original ingestion cost. After three years it has more than doubled it. Most accounts that have never set retention have logs from 2019 still on the bill — and the storage line has quietly become the bigger of the two. Setting retention doesn't refund the ingestion you've already paid, but it stops the storage meter from running on data you don't read.
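The break-even arithmetic can be checked with a few lines of shell. This is a sketch under the same simplification the paragraph makes, namely that a stored GB is priced against an ingested GB one-for-one with compression ignored; the function names are hypothetical.

```shell
# Months until cumulative storage cost equals the one-time ingestion cost.
# Arguments: ingestion price per GB, storage price per GB-month.
breakeven_months() {
  awk -v ingest="$1" -v storage="$2" \
    'BEGIN { printf "%.1f\n", ingest / storage }'
}

# Cumulative storage cost after N months, as a multiple of the ingestion cost.
# Arguments: ingestion price per GB, storage price per GB-month, months.
storage_multiple() {
  awk -v ingest="$1" -v storage="$2" -v months="$3" \
    'BEGIN { printf "%.2f\n", months * storage / ingest }'
}

breakeven_months 0.50 0.03      # prints 16.7
storage_multiple 0.50 0.03 36   # prints 2.16
```

Because stored data is compressed, the real break-even point for a given group will usually arrive later than this upper-bound estimate suggests.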

In 2023 AWS introduced an Infrequent Access (IA) log class. As AWS documents it, IA roughly halves the ingestion price (about $0.25/GB in us-east-1) rather than discounting storage, and in exchange you can't use Live Tail, metric filters, or subscription filters on it. The class is chosen when the group is created and can't be changed afterwards. IA is the right call for groups you keep purely for forensics or compliance and almost never actually look at; it is the wrong call for anything an on-call engineer needs to grep during an incident.

# Inspect a single group's retention + class + size.
aws logs describe-log-groups \
  --log-group-name-prefix /aws/lambda/payments \
  --query 'logGroups[*].{name:logGroupName, days:retentionInDays, class:logGroupClass, bytes:storedBytes}' \
  --output table

# The log class is fixed at creation, so create a low-traffic forensic group as Infrequent Access up front.
aws logs create-log-group \
  --log-group-name /aws/security/audit-trail \
  --log-group-class INFREQUENT_ACCESS

What is the impact of never-expiring log groups?

The direct cost is the easy part. A single ECS service shipping 100 MB/day of debug output with no retention set will, after five years, be sitting on roughly 180 GB of stored data: about $5.40/month, forever, for logs nobody will ever read. Multiply by a few hundred services and the storage line on CloudWatch becomes well over a thousand dollars a month of pure deadweight.
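The growth figure is easy to reproduce, and the same calculation shows what a retention window does to it. A rough sketch, assuming a constant daily volume, 1 GB = 1000 MB, and no compression; stored_gb is a hypothetical helper name.

```shell
# Stored volume in GB for a constant daily log volume.
# Arguments: MB written per day, number of days the data is kept.
stored_gb() {
  awk -v mb="$1" -v days="$2" 'BEGIN { printf "%.1f\n", mb * days / 1000 }'
}

stored_gb 100 1825   # five years with no retention: prints 182.5
stored_gb 100 30     # steady state under a 30-day policy: prints 3.0
```

With a retention policy the stored volume stops growing once the window fills, so the monthly storage charge levels off instead of climbing every month.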

The second-order impact is operational. Logs Insights queries get slower the more data they have to scan, and queries are billed per GB scanned. A team that runs a weekly forensics query across five years of data is paying both for storage and for the query scan, when most investigations only need the last 30 days. Pruning shortens query times and cuts the scan-cost line at the same time.

On the compliance side the calculus reverses. Some logs have to be kept — CloudTrail management events, PCI-DSS audit trails, HIPAA access logs — and storing them in CloudWatch Logs for years at $0.03/GB-month is much more expensive than the standard pattern: ship them to S3 via a subscription filter, apply an S3 lifecycle rule to transition to Glacier Deep Archive at 90 days, and pay $0.00099/GB-month from there. CloudWatch is for hot, queryable logs; S3 + Glacier is for cold, compliance logs.
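The S3 half of that pattern comes down to one lifecycle rule. The sketch below only writes the rule to a local file; the rule ID, the cloudwatch-export/ prefix, and the bucket name in the commented command are placeholders rather than values from this lesson.

```shell
# Write an S3 lifecycle configuration that moves exported logs to
# Glacier Deep Archive after 90 days. Rule ID and prefix are hypothetical.
write_lifecycle_config() {
  cat > "$1" <<'EOF'
{
  "Rules": [
    {
      "ID": "archive-exported-logs",
      "Status": "Enabled",
      "Filter": { "Prefix": "cloudwatch-export/" },
      "Transitions": [
        { "Days": 90, "StorageClass": "DEEP_ARCHIVE" }
      ]
    }
  ]
}
EOF
}

config_file="$(mktemp)"
write_lifecycle_config "$config_file"
cat "$config_file"

# To apply it (bucket name is a placeholder):
# aws s3api put-bucket-lifecycle-configuration \
#   --bucket my-log-archive-bucket \
#   --lifecycle-configuration "file://$config_file"
```

Once the logs are landing in S3 and the rule is in place, the CloudWatch group itself can carry a short retention window, since the long-term copy lives in the bucket.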

The risk side: a log group with no retention is also a data-retention liability. Personal data, API tokens, or stack traces with customer IDs sit there indefinitely, expanding the blast radius of any IAM mishap that gives someone read access. Retention is a privacy and security control as much as a cost one.

How do you set retention safely across an account?

The fix is a four-step loop: inventory what you have, decide retention by purpose, apply the change, then prevent the next generation of orphan groups.

1. Inventory every log group and its size

Use aws logs describe-log-groups (it paginates — handle the nextToken) and dump everything to JSON. You want logGroupName, retentionInDays, storedBytes, and logGroupClass. Sort by storedBytes descending; the top 1% of groups almost always account for >80% of the storage. Fix those first and you've claimed most of the savings without touching the long tail.

2. Pick retention by purpose, not by service

Debug and ephemeral build logs: 3-7 days. Application logs an on-call needs to grep during an incident: 14-30 days. Business-critical app logs for trend analysis: 90 days. Audit/compliance logs (CloudTrail, IAM Access Analyzer, security tooling): 400 days in CloudWatch, then 7+ years archived to S3 + Glacier. Note that PutRetentionPolicy only accepts specific day counts (1, 3, 5, 7, 14, 30, 60, 90, and so on), so round each tier to an allowed value. Do not pick a uniform retention for the whole account: it will either be too short for compliance or too long for debug.

3. Bulk-apply with PutRetentionPolicy

Loop your inventory through aws logs put-retention-policy --log-group-name $name --retention-in-days $days. The call is idempotent and rate-limited at 5 TPS per account, so for 5,000 groups budget about 20 minutes. Pruning happens asynchronously over the following 24-72 hours; do not panic if the bill doesn't drop the same day. A log group's class can't be changed after creation, so for never-actually-queried compliance groups the Infrequent Access option only applies if you create a replacement group with --log-group-class INFREQUENT_ACCESS.

4. Prevent recurrence

Make sure Lambda-created groups inherit a retention, either through an account-level default where one is available to you or by declaring each function's log group in your IaC module before the function first runs. Enable the AWS Config managed rule cw-loggroup-retention-period-check so any future group born with no retention triggers a non-compliant finding. For greenfield infra, bake retention into the Terraform/CDK module that creates the group: never let aws_cloudwatch_log_group be defined without a retention_in_days argument.

# Bulk-apply a 30-day default to every group that has no retention set.
aws logs describe-log-groups \
  --query 'logGroups[?retentionInDays==`null`].logGroupName' \
  --output text \
  | tr '\t' '\n' \
  | while read -r LG; do
      echo "Setting 30d on $LG"
      aws logs put-retention-policy \
        --log-group-name "$LG" \
        --retention-in-days 30
    done

# Then enable the Config rule that catches the next one.
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "cw-loggroup-retention-period-check",
  "Source": { "Owner": "AWS", "SourceIdentifier": "CW_LOGGROUP_RETENTION_PERIOD_CHECK" },
  "InputParameters": "{\"MinRetentionTime\":\"30\"}"
}'
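The bulk loop above applies one window to everything. Step 2's purpose-based tiers could be encoded as a small lookup and checked against the day counts PutRetentionPolicy accepts before any call is made. This is an illustrative sketch: the purpose labels and function names are hypothetical, and how a group gets mapped to a purpose (naming convention, tag, spreadsheet) is left to you.

```shell
# Map a log purpose (hypothetical labels) to a retention window in days,
# using the upper end of each tier described in step 2.
retention_for_purpose() {
  case "$1" in
    debug|build) echo 7 ;;
    app)         echo 30 ;;
    business)    echo 90 ;;
    audit)       echo 400 ;;
    *)           echo "unknown purpose: $1" >&2; return 1 ;;
  esac
}

# PutRetentionPolicy only accepts specific day counts; check before calling it.
is_valid_retention() {
  case "$1" in
    1|3|5|7|14|30|60|90|120|150|180|365|400|545|731|1096|1827|2192|2557|2922|3288|3653)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

days="$(retention_for_purpose audit)"
is_valid_retention "$days" && echo "audit -> ${days} days"
# prints: audit -> 400 days
```

Inside the bulk loop, the fixed --retention-in-days 30 would then become the value returned for each group's purpose.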

Quick quiz

An audit team needs to keep API Gateway access logs for 7 years. The current /aws/apigateway/prod log group has no retention set and is growing. What's the right move?

Keep learning

Dig deeper into CloudWatch Logs pricing, retention strategy, and the AWS Config and IaC patterns that keep policy enforced over time.

You've completed Set retention on CloudWatch log groups. You now know that "Never Expire" is the AWS default, why storage compounds even when ingestion dominates the headline, and how to pick retention by log purpose. The next time the CloudWatch line creeps up on an invoice, you'll have a four-step loop — inventory, decide, bulk-apply, prevent recurrence — ready to run.

Log retention: what it means for the cloud bill

A silent storage meter that compounds for years on data nobody reads

CloudWatch Logs charges two ways: ingestion (paid once at write time) and storage (paid every month the data sits there). By default every log group AWS auto-creates — from Lambda, ECS, API Gateway, and dozens of other services — is born with no expiry. "Never Expire" means the storage meter never stops. In accounts running for more than two or three years, accumulated log storage routinely becomes a material, growing line on the CloudWatch invoice.

The fix costs nothing operationally and requires no architectural change: set a retention window per log group, and AWS deletes the old data automatically. The money question is how long each category of log genuinely needs to be retained. Debug logs from a Lambda function have almost no value after 7 days; a compliance audit trail may need 400 days in hot storage before archiving cheaply to S3 and Glacier. Getting that split right — short windows on ephemeral logs, right-sized windows on everything else — is where most of the savings come from.

This is a FinOps hygiene issue rather than a one-time fix: new services auto-create log groups constantly, and each new group starts with no retention unless you have a guardrail. The durable win is pairing a bulk remediation of existing groups with an account-level default and an AWS Config rule that flags any future group born without a retention policy.

This lesson is for the finance partner who sees CloudWatch as an opaque and steadily-growing line on the AWS invoice. It breaks down exactly how CloudWatch Logs billing works — ingestion once versus storage forever — and shows where the compounding storage cost hides in a mature account. You'll learn how to tier retention windows by log purpose to separate waste from necessary spend, and the two guardrails (an account-level default and an AWS Config rule) that prevent the problem from regenerating. No commands required.

How a finance partner surfaces and sizes the log retention problem

Preet is the FinOps analyst for a growth-stage company. At the quarterly cloud cost review the CloudWatch line has grown from $800 to $3,400 over eighteen months — and the engineering lead says ingestion has barely changed. Preet asks for a breakdown: how much is ingestion and how much is storage?

The answer is revealing. Ingestion is flat at about $800/month; storage is $2,600/month and still rising. Preet pulls a report grouping stored bytes by log group age and finds that over 60% of the storage cost comes from log groups more than two years old — dozens of Lambda functions, two decommissioned ECS services, and an API Gateway group that hasn't had a live request in over a year. None of them have ever had a retention policy set.

Preet brings the number to the next engineering sync as a dollar figure with a list: these specific groups account for $1,900/month of storage, and setting a 30-day retention on them costs nothing and requires no architecture change. The team runs the bulk fix that afternoon. Two weeks later the CloudWatch storage line has dropped by $1,700/month — an annualized saving of just over $20,000 for roughly an hour of work.

Why never-expiring logs are a compounding cost and audit liability

The unit economics of CloudWatch storage are simple: $0.03 per GB per month, applied to every byte that hasn't been deleted. There's no volume discount, no automatic tiering, and no expiry unless you set one. A log group storing 200 GB costs $6/month. After a year it has cost $72, already approaching the roughly $100 it cost to ingest at $0.50/GB. After five years it has cost $360, several times the ingestion bill, and the data inside is almost certainly worthless. This is the compounding structure that makes log hygiene a material FinOps issue, not a minor housekeeping task.

The cost has two components worth separating in a finance review. Storage waste — data sitting in groups long past any operational or compliance need — is pure deadweight. It can be eliminated by setting short retention windows on ephemeral and debug logs. Storage obligation — logs that genuinely need to be retained for compliance — is not waste, but the rate can often be dramatically reduced. Keeping a 400-day compliance log in CloudWatch Standard class at $0.03/GB-month costs roughly 30 times more than archiving it to S3 Glacier Deep Archive at $0.00099/GB-month after the hot period ends.

There is also a hidden query cost. Logs Insights charges $0.005 per GB scanned. Assuming a steady log volume, a forensics query running over five years of accumulated data in a group costs five times more than the same query over one year of data. Retention policy directly reduces query bills as well as storage bills.

For the audit trail: any production log group holding customer PII, API tokens, or transaction data with no retention policy is also a data-retention exposure that shows up in privacy and security reviews. Retention policy is a cross-functional control spanning cost, compliance, and privacy, and should appear on the risk register alongside the dollar figure.

What finance can drive on log retention remediation

Finance can't run PutRetentionPolicy, but it owns the framing that turns log retention from a one-off cleanup into a durable cost control. Four levers matched to the four-step loop.

1. Commission a storage-sorted inventory with dollar values attached

Ask engineering to produce a report of log groups sorted by stored bytes, with the monthly cost per group calculated at $0.03/GB-month. The top 1% of groups almost always hold 80%+ of the storage cost. With dollar values attached, the prioritization conversation becomes obvious — fix the big groups first and claim most of the saving before touching the long tail.

2. Establish and fund a retention tier matrix

Work with engineering and compliance to agree on retention windows by log category: short windows for debug and ephemeral logs, medium windows for operational logs, and right-sized (not unlimited) windows for audit and compliance logs with archival to S3 and Glacier for the long tail. This is a policy decision, not a technical one, and finance should own co-authoring it because the tier directly determines the recurring storage cost.

3. Track the post-remediation storage trend on the CloudWatch line

Set a 30-day and 90-day cost target for CloudWatch storage in the month following a bulk remediation. Pruning happens asynchronously over days, so the bill drop lags the fix by a week or two — but it should be visible and measurable. If storage plateaus above target, there are groups the sweep missed or new services generating data faster than the policy controls them.

4. Require retention policy in the infrastructure review checklist

Make retentionInDays a mandatory field in any infrastructure review that includes a CloudWatch log group. A new service that ships without a declared retention window should be a blocking comment, not a to-do — because the default is "forever" and the cost starts accumulating from day one. This is the cheapest guardrail: a review checkpoint costs nothing and prevents the next five years of silent accumulation.

Quick quiz

A FinOps review finds that CloudWatch storage has grown from $600/month to $4,100/month over three years. Engineering confirms ingestion has not changed. The growth is concentrated in 80 log groups from decommissioned Lambda functions and ECS services. As the finance partner, what's the right response?

You've finished the finance view of log retention. You know the unit economics ($0.03/GB-month compounding forever on data that stopped being useful years ago) and the four levers that turn this into a controlled cost: a storage-sorted inventory with dollar values attached, a retention tier matrix agreed with engineering and compliance, a post-remediation storage trend to track against, and a mandatory retention field in the infrastructure review checklist. The CloudWatch storage line is now a number with a policy behind it, not a mystery that grows every quarter.

Log retention: the governance summary

Cloud logs grow forever by default — retention policy is how you stop paying for data you don't use

AWS stores every log your cloud workloads generate until someone explicitly sets a limit. Without a retention policy, log storage compounds month over month — most organizations don't notice until the CloudWatch line on the bill is thousands of dollars a month, the majority of which is data from services that were shut down years ago. This is infrastructure debt that accumulates silently.

The remedy is a retention policy: a decision, per log category, about how long data genuinely needs to exist. That's a governance question, not a technical one. Debug logs have no value after a week; regulatory access logs may need seven years, though they should be archived cheaply to object storage rather than kept in expensive hot storage indefinitely. A mature organization has this decided by policy and enforced by tooling, so every new service that comes online inherits the right behavior automatically rather than defaulting to "keep forever."

A short read for the leader who wants to understand why log costs keep growing and what the policy answer looks like. You'll get the plain-English version of why AWS defaults to keeping logs forever, why that creates a compounding cost problem in any account older than a year or two, and what a mature organization does differently: a tiered retention policy by log purpose, enforced by tooling rather than relying on individual teams to remember. No implementation detail.

What it looks like when an organization gets log retention right

At one company the engineering director, Sasha, used to field a quarterly "why is CloudWatch so expensive" question with no good answer. After a FinOps review flagged log storage as the culprit, the team did two things: ran a one-time bulk remediation on the 4,000-plus groups with no retention, and set a policy that every new service must declare a retention window in its infrastructure template before it ships.

Twelve months later Sasha's answer to the same question was a one-liner: CloudWatch costs $900/month, it's stable, and the breakdown by service is on the internal dashboard. The storage line had dropped from a third of the bill to under 10%. No architectural changes, no vendor negotiations — just a governance default that the tooling enforces automatically.

That's the right outcome for this control: not a heroic cleanup every year, but a standing policy that makes "never expire" impossible to reach production. The annual saving pays for the hour of setup many times over, and the CFO stops seeing CloudWatch as a mystery line.

Why this appears on the FinOps report

Every cloud workload writes logs. By default AWS keeps them forever. In an organization running for more than a year or two, that default quietly compounds into a significant storage cost — and the data generating it is, in the vast majority of cases, debug output and operational noise that nobody will ever look at again. This is structural waste: it grows automatically and stops only when someone sets a policy.

The risk dimension extends beyond cost. Log groups with no retention are also a data-retention liability: customer records, session tokens, and internal stack traces accumulate indefinitely, widening the exposure window for any unauthorized access event. A retention policy is simultaneously a cost control and a privacy control.

The organizational signal is straightforward. An account where the majority of log groups have no retention policy is an account where infrastructure is being provisioned without governing defaults — services are created, they generate data, and nobody has decided how long that data matters. The corrective is a policy, not a one-time cleanup: a decision on retention by log category, enforced by tooling, so every service that comes online inherits the right behavior automatically.

The leadership posture on log retention

The executive handle isn't to manage log groups directly — it's to ensure that log data has a defined lifecycle, enforced by policy, rather than accumulating indefinitely by default.

1. Require retention-by-purpose to be a written policy

Ask for a one-page matrix: what type of log, how long in hot storage, where it goes after that, and who owns the decision. The existence of this document is the governance signal. Without it, every team makes its own call — usually by leaving the AWS default in place — and the storage bill reflects the aggregate of those non-decisions.

2. Separate the cleanup from the prevention

A one-time bulk remediation is valuable but not sufficient. Ask what guardrail prevents the next cohort of services from defaulting to never-expire. The answer should be a combination of an account-level default, an AWS Config rule that flags violations, and a requirement that infrastructure templates declare retention explicitly. Prevention is the durable win; cleanup is the catch-up.

3. Frame compliance log archival as a procurement decision

Keeping seven years of audit logs in CloudWatch Standard class costs roughly 30 times more than archiving them to Glacier Deep Archive after the hot period ends. For large organizations the delta is tens of thousands of dollars a year. This is a straightforward cost-versus-access trade-off that belongs in the cloud governance review, not left to individual engineering teams.

Quick quiz

Your cloud cost review shows CloudWatch storage costs have tripled in two years. The FinOps team reports that over 4,000 log groups have no retention policy and nearly all of them predate services that are no longer running. Engineering can run a bulk fix in an afternoon. What is the right leadership response?

That's the lesson. Two takeaways: cloud logs grow forever by AWS default, and the fix is a policy — retention windows by log category, enforced by tooling — not a recurring cleanup. The leadership question is whether your organization has that policy written down and backed by a guardrail that makes "never expire" impossible to reach production. If it does, CloudWatch storage is a predictable, manageable line. If it doesn't, the bill will keep growing every time a new service ships.
