Will reducing log retention affect my ability to debug?

Rarely, as long as retention matches how each environment is used. For production, set retention to 90 days: most incidents are investigated within 24 hours, and 90 days covers long-term trend analysis and compliance. For staging, 30 days keeps recent deploy history. For dev and QA, 7 days is enough; if you haven't debugged it within a week, the logs won't help. You can always increase retention temporarily during an incident.

Can I use a different log driver instead of CloudWatch?

Yes — ECS supports awsfirelens (sends to 20+ destinations including S3, Elasticsearch, Datadog), fluentd, and Splunk. However, switching the driver doesn't reduce costs — it moves them. CloudWatch with retention set and log-level filtering is often the cheapest option because you're already in the AWS ecosystem. Third-party services charge per-GB ingestion rates that typically exceed CloudWatch.

How do I estimate my CloudWatch costs before the bill arrives?

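Start with two numbers per log group: IncomingBytes (CloudWatch Metrics → Logs, in the AWS/Logs namespace) and storedBytes (reported per group by aws logs describe-log-groups). Convert a month of IncomingBytes to GB and multiply by $0.50/GB for ingestion cost. Sum storedBytes across log groups, convert to GB, and multiply by $0.03/GB for monthly storage cost. Most importantly, check how many log groups have retentionInDays = null (Never Expire). Those are the ones silently accumulating costs.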
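As a rough sketch of that arithmetic, the helpers below turn byte counts into monthly dollar figures at the rates quoted in this article. The function names are hypothetical, and treating 1 GB as 1073741824 bytes is an assumption; check the pricing page for your region before relying on the output.

```shell
# Hypothetical helpers: convert byte counts to monthly USD at the rates
# quoted in this article ($0.50/GB ingested, $0.03/GB-month stored).
# Assumption: 1 GB = 1073741824 bytes.
ingestion_cost_usd() {
  awk -v bytes="$1" 'BEGIN { printf "%.2f\n", bytes / 1073741824 * 0.50 }'
}

storage_cost_usd() {
  awk -v bytes="$1" 'BEGIN { printf "%.2f\n", bytes / 1073741824 * 0.03 }'
}

# Sum storedBytes across all log groups (needs AWS credentials).
# JSON output is used so the sum is computed over the full result set
# rather than once per page.
total_stored_bytes() {
  aws logs describe-log-groups \
      --query 'sum(logGroups[].storedBytes)' \
      --output json
}
```

With credentials configured, `storage_cost_usd "$(total_stored_bytes)"` would print the estimated monthly storage charge for the current region.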

Does CloudWatch Logs Insights query cost depend on retention period?

No. Insights costs $0.005 per GB of data scanned, regardless of how old the data is. However, shorter retention leaves less data to scan, so queries over a whole log group get cheaper. At a steady ingestion rate, a log group with 30-day retention holds roughly 1/12th the data of a 365-day group, so a full-group query costs proportionally less.

Can I set retention globally across all log groups?

No single command sets retention for all groups. The CLI approach in this article loops through all groups. For Infrastructure as Code: add retention_in_days to every aws_cloudwatch_log_group resource. For existing groups: use the batch script in the skill file (downloadable above). AWS does not offer a global retention default — it's per-group by design.

Matt S

Platform engineer at Fortem · June 11, 2026 · 6 min read

How to Control CloudWatch Logs Costs on ECS?

Your AWS bill shows CloudWatch at $400 this month. You have 15 ECS services logging INFO-level to CloudWatch — with retention set to Never Expire. You didn't configure this. ECS did it by default. The fix takes 4 steps.

TL;DR

01. ECS default log driver sends everything to CloudWatch with retention = Never Expire. You didn't set this; ECS did.
02. 4-step fix: set retention (90% impact), filter by log level (5%), Insights instead of streaming (3%), monitor per-service (2%)
03. One Terraform line, retention_in_days = 30, cuts storage cost by 60-80% immediately
04. Real example: 15 services, 3 GB/day, $135/mo before, $30/mo after (78% savings)
05. Download the skill file: your AI agent can audit and fix this for you in 5 minutes

Why CloudWatch is silently eating your AWS bill

ECS creates CloudWatch log groups with no retention policy by default, and every container's stdout goes to CloudWatch. Logs are billed at $0.50/GB on ingestion plus $0.03/GB/month in storage, so with nothing ever expiring the bill grows every month with no upper bound. You did not configure this.

The part that surprises most teams: no retention policy means Never Expire, so storage only ever grows. We audited a 15-service fleet where CloudWatch was $135/month, more than the compute cost for two of the environments combined. Retention is one lever; right-sizing and scheduling are the rest of the picture.

| Cost component | 15 services, INFO level, 3 GB/day |
| --- | --- |
| Ingestion ($0.50/GB) | $45/mo |
| Storage ($0.03/GB/month) | $54/mo (grows every month) |
| Insights queries ($0.50/GB) | $36/mo (5 queries/day) |
| Total | $135/mo |

Key insight

Three separate charges on the same data. Ingestion is pay-what-you-send. Storage is pay-what-you-keep. Insights is pay-what-you-scan. ECS defaults mean you pay all three — with no upper bound — on every log line your application prints.
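The three charges can be reproduced with a few lines of arithmetic. This is a sketch only: the function name is hypothetical, the rates are the ones quoted in the table, and the stored and scanned volumes are back-calculated from the table's dollar figures rather than stated in the article.

```shell
# Reproduce the cost table: ingestion, storage, and Insights for one month.
# Rates are the ones quoted in this article's table.
monthly_cloudwatch_cost() {
  awk -v ingested_gb="$1" -v stored_gb="$2" -v scanned_gb="$3" 'BEGIN {
    ingestion = ingested_gb * 0.50   # pay-what-you-send
    storage   = stored_gb   * 0.03   # pay-what-you-keep
    insights  = scanned_gb  * 0.50   # pay-what-you-scan
    printf "ingestion=%.2f storage=%.2f insights=%.2f total=%.2f\n",
           ingestion, storage, insights, ingestion + storage + insights
  }'
}

# 3 GB/day for 30 days = 90 GB ingested.
# Assumption: 1800 GB stored and 72 GB scanned are derived from the
# table's $54 and $36 figures at the quoted rates.
monthly_cloudwatch_cost 90 1800 72
# prints: ingestion=45.00 storage=54.00 insights=36.00 total=135.00
```

Only the storage term grows when nothing else changes: each month without a retention policy adds another 90 GB to the stored volume.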

Download the skill file — let AI fix it

The downloadable skill file lets your AI agent scan all CloudWatch log groups, identify which ones lack retention, estimate monthly cost per group, and apply fixes — without writing a line of code. Everything runs locally on your machine against your AWS account.

CloudWatch Cost Optimizer

Finds log groups without retention, estimates monthly cost, identifies top log producers, and applies retention policies — all read-only by default, changes only with your confirmation.

Drop into Claude Code, OpenCode, or Codex — the agent executes the steps

Step 1 — Set retention on every log group

Adding retention_in_days = 30 to every aws_cloudwatch_log_group Terraform resource cuts CloudWatch storage cost by 60–80% immediately — it is the single highest-impact change in this guide. Find every log group without retention and set it to something sensible.

Every log group left at Never Expire keeps accumulating data you will never query. The commands below find those groups and set a sensible ceiling.

Find groups without retention:

bash

aws logs describe-log-groups \
    --query 'logGroups[?retentionInDays==`null`].[logGroupName,storedBytes]' \
    --output table

Set 30-day retention on one group:

bash

aws logs put-retention-policy \
    --log-group-name "/aws/ecs/your-service" \
    --retention-in-days 30
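To cover every group rather than one, the two commands above can be combined in a loop. The following is a minimal sketch, not the skill file's batch script: the function name and the DRY_RUN variable are hypothetical, and it defaults to printing what it would change.

```shell
# Hypothetical helper: apply one retention value to every log group that
# has none. Defaults to a dry run; set DRY_RUN=0 to actually apply changes.
set_retention_on_unset_groups() {
  retention_days="${1:-30}"
  aws logs describe-log-groups \
      --query 'logGroups[?retentionInDays==`null`].logGroupName' \
      --output text |
    tr '\t' '\n' |
    while IFS= read -r group_name; do
      [ -n "$group_name" ] || continue
      if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "would set $group_name to $retention_days days"
      else
        # </dev/null keeps the CLI from consuming the loop's input
        aws logs put-retention-policy \
            --log-group-name "$group_name" \
            --retention-in-days "$retention_days" </dev/null
      fi
    done
}
```

Run `set_retention_on_unset_groups 30` first to review the list, then `DRY_RUN=0 set_retention_on_unset_groups 30` to apply it. Note that put-retention-policy accepts only specific values (1, 3, 5, 7, 14, 30, 60, 90, and so on), so an arbitrary number of days will be rejected.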

Terraform — the one-liner that saves you $$$:

hcl

resource "aws_cloudwatch_log_group" "ecs_service" {
  name              = "/ecs/${var.env_prefix}-${var.service_name}"
  retention_in_days = 30  # ← was null (Never Expire). Now 30 days.
}

| Environment | Retention | Why |
| --- | --- | --- |
| Production | 90 days | Compliance + incident investigation |
| Staging | 30 days | Recent deploy history |
| Dev / QA | 7 days | Active development only |
| CI/CD / Build | 1 day | Don't store ephemeral build logs |
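If retention is applied from a script, the table above can be encoded as a small lookup. This is an illustrative sketch; the function name and the environment keys (prod, staging, dev, qa, ci, build) are assumptions about how environments might be named.

```shell
# Hypothetical helper: map an environment name to the retention (in days)
# recommended in the table above.
retention_days_for_env() {
  case "$1" in
    prod|production) echo 90 ;;
    staging)         echo 30 ;;
    dev|qa)          echo 7 ;;
    ci|build)        echo 1 ;;
    *) echo "unknown environment: $1" >&2; return 1 ;;
  esac
}
```

For example, `aws logs put-retention-policy --log-group-name "$group" --retention-in-days "$(retention_days_for_env staging)"` would apply 30 days. Unknown names fail loudly instead of falling back to a default.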

Step 2 — Filter by log level

Switching ECS production services from INFO to WARN log level reduces ingested log volume by one to two orders of magnitude, cutting both the $0.50/GB ingestion and $0.03/GB storage charges. Switch production to WARN, keep INFO for staging.

“CloudWatch Logs charges $0.50 per GB ingested, $0.03 per GB stored per month, and $0.50 per GB scanned by Logs Insights queries — beyond the 5 GB/month free tier.”
— aws.amazon.com/cloudwatch/pricing, verified June 2026

Spring Boot, Express, Django — they all default to INFO-level logging. That means every HTTP request, every database query, every cache hit generates a log line. Production doesn't need INFO. Switch to WARN.

bash

# Find which log streams in one group emit the most events (last 7 days)
# date -v is BSD/macOS syntax; on GNU/Linux use: date -d '7 days ago' +%s
aws logs start-query \
    --log-group-name "/aws/ecs/prod-api" \
    --start-time $(date -v-7d +%s) \
    --end-time $(date +%s) \
    --query-string "stats count(*) as events by @logStream | sort events desc | limit 10"

# Check your framework's log level:
# Spring Boot: logging.level.root=WARN in application.properties
# Express: set LOG_LEVEL=warn
# Django: LOGGING['root']['level'] = 'WARNING'

Key insight

An INFO-level web server can generate one to two orders of magnitude more log volume than the same server at WARN. If you're paying $0.50/GB for ingestion, every unnecessary log line costs you money — twice (once to ingest, once to store).
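Before changing levels, it can help to measure how much of a service's volume is actually INFO. The sketch below tallies bytes per level from log lines on stdin. The function name is hypothetical, and it assumes each line carries its level as a standalone uppercase word (DEBUG, INFO, WARN or WARNING, ERROR), which will not hold for every log format.

```shell
# Hypothetical helper: sum line sizes per log level from stdin.
# Assumption: the level appears as a standalone uppercase word in each line.
# length() counts characters, so multi-byte text is slightly undercounted.
level_bytes() {
  awk '
    {
      level = "OTHER"
      if ($0 ~ /(^|[^A-Za-z])DEBUG([^A-Za-z]|$)/) level = "DEBUG"
      else if ($0 ~ /(^|[^A-Za-z])INFO([^A-Za-z]|$)/) level = "INFO"
      else if ($0 ~ /(^|[^A-Za-z])WARN(ING)?([^A-Za-z]|$)/) level = "WARN"
      else if ($0 ~ /(^|[^A-Za-z])ERROR([^A-Za-z]|$)/) level = "ERROR"
      bytes[level] += length($0) + 1   # +1 for the newline
    }
    END { for (l in bytes) printf "%s %d\n", l, bytes[l] }
  ' | sort
}
```

Feed it a sample of one service's output, for example a saved log file or an hour of lines exported from the log group. If INFO dominates the byte count, the move to WARN is where the savings are.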

Step 3 — Use Insights instead of streaming everything

Use CloudWatch Logs Insights to query on demand at $0.50/GB scanned rather than streaming every log line to a third-party tool that charges separately for ingestion and indexing. For compliance, archive logs to S3 through a subscription filter.

Datadog's log pricing is two-part: ingestion is billed separately from indexing (making logs searchable). Once you index everything for debugging — which is the point of streaming logs there — the combined cost per GB is several times CloudWatch's ingest ($0.50/GB) + storage ($0.03/GB) total. For debugging, use CloudWatch Logs Insights instead — query on demand, pay per GB scanned ($0.50/GB), not per GB ingested or indexed.

“Datadog charges separately for log ingestion and for indexing logs to make them searchable — to query logs during incident response, they need to be indexed.”
— datadoghq.com/pricing, verified June 2026

bash

# Find errors in the last hour in one log group
# (use --log-group-names with several groups to search across services)
aws logs start-query \
    --log-group-name "/aws/ecs/prod-api" \
    --start-time $(date -v-1H +%s) \
    --end-time $(date +%s) \
    --query-string "fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 50"

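# For compliance: subscription filter → Firehose → S3 (cheap, durable)
# Firehose destinations also need an IAM role that CloudWatch Logs can assume
aws logs put-subscription-filter \
    --log-group-name "/aws/ecs/prod-api" \
    --filter-name "AllToS3" \
    --filter-pattern "" \
    --destination-arn "arn:aws:firehose:..." \
    --role-arn "arn:aws:iam:..."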
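The start-query calls in this guide return only a queryId; the rows come from a separate get-query-results call once the query has finished. A minimal sketch of that start-then-poll flow follows. The function name and the POLL_SECONDS variable are hypothetical, and the time window is computed with shell arithmetic so it does not depend on BSD or GNU date flags.

```shell
# Hypothetical helper: start an Insights query, wait for it to finish,
# then print the results as JSON.
# Usage: run_insights_query LOG_GROUP SECONDS_BACK QUERY_STRING
run_insights_query() {
  iq_log_group="$1"
  iq_seconds_back="$2"
  iq_query_string="$3"
  iq_end=$(date +%s)
  iq_start=$((iq_end - iq_seconds_back))

  iq_id=$(aws logs start-query \
      --log-group-name "$iq_log_group" \
      --start-time "$iq_start" \
      --end-time "$iq_end" \
      --query-string "$iq_query_string" \
      --query 'queryId' --output text) || return 1

  while :; do
    iq_status=$(aws logs get-query-results \
        --query-id "$iq_id" --query 'status' --output text) || return 1
    case "$iq_status" in
      Complete) break ;;
      Failed|Cancelled|Timeout)
        echo "query $iq_id ended with status $iq_status" >&2
        return 1 ;;
    esac
    sleep "${POLL_SECONDS:-2}"
  done

  aws logs get-query-results --query-id "$iq_id" --output json
}
```

For example, `run_insights_query "/aws/ecs/prod-api" 3600 "fields @timestamp, @message | filter @message like /ERROR/ | limit 50"` would run the error search above over the last hour and print the matching rows.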

Step 4 — Find which service costs the most

One Insights query that groups by log stream and sorts by byte volume shows which log streams, and therefore which ECS services, produce most of your CloudWatch bill. It takes under 5 minutes to run, and until you run it you are guessing.

Total CloudWatch cost is $400, but which of your 15 services is responsible for $300 of it? The query below answers that for one log group at a time.

bash

# Top log producers by byte volume (last 7 days)
aws logs start-query \
    --log-group-name "/aws/ecs/prod-api" \
    --start-time $(date -v-7d +%s) \
    --end-time $(date +%s) \
    --query-string "stats sum(strlen(@message)) as totalBytes by @logStream | sort totalBytes desc | limit 10"

Once you know which service generates the most logs, go to that service and do three things: (1) check its log level, (2) check if it's logging stack traces on every request, (3) check if it's logging health check pings. Those three fix 90% of high-volume log problems. And when you're done with CloudWatch, the next invisible cost is per-environment attribution.
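The Insights query above looks inside a single log group. To compare groups against each other, one option is the IncomingBytes metric that CloudWatch publishes per log group. The sketch below ranks a list of groups by bytes ingested; the function name is hypothetical, and it assumes one log group per service.

```shell
# Hypothetical helper: rank log groups by IncomingBytes over the last N days.
# Reads log group names from stdin, one per line.
# Usage: printf '%s\n' /ecs/a /ecs/b | rank_groups_by_incoming_bytes 7
rank_groups_by_incoming_bytes() {
  rank_days="${1:-7}"
  rank_end=$(date +%s)
  rank_start=$((rank_end - rank_days * 86400))
  while IFS= read -r rank_group; do
    [ -n "$rank_group" ] || continue
    # </dev/null keeps the CLI from consuming the list on stdin
    rank_bytes=$(aws cloudwatch get-metric-statistics \
        --namespace AWS/Logs \
        --metric-name IncomingBytes \
        --dimensions "Name=LogGroupName,Value=$rank_group" \
        --start-time "$rank_start" \
        --end-time "$rank_end" \
        --period 86400 \
        --statistics Sum \
        --query 'sum(Datapoints[].Sum)' \
        --output text </dev/null) || continue
    printf '%s\t%s\n' "$rank_bytes" "$rank_group"
  done | sort -rn
}
```

The first line of output is the group that ingested the most data in the window, which is the one to open first for the three checks above.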

FAQ

If you read this, you might also want to know

How do I switch ECS from awslogs to another log driver?

Change the logConfiguration in your task definition. ECS supports awsfirelens (20+ destinations), fluentd, syslog, json-file, and Splunk. The switch is per-container — you update the task definition and redeploy. Existing log groups in CloudWatch stay as-is until you delete them.

Can I archive logs to S3 and delete them from CloudWatch?

Yes — create a subscription filter with a Kinesis Firehose destination that writes to S3. Then set retention on the original log group to 7 days. The logs flow to S3 (durable, cheap) and expire from CloudWatch (no ongoing storage cost). S3 lifecycle rules can transition to Glacier after 90 days.

How do I set up a CloudWatch billing alarm?

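Billing metrics are published only in the US East (N. Virginia) region, and billing alerts must first be enabled in the account's billing preferences. Then, in that region: CloudWatch → Alarms → Create alarm → select 'Billing' metric → 'Total Estimated Charge'. Set the threshold at your monthly budget ($300, $500, etc.) and add an SNS notification to email, Slack, or PagerDuty. This catches cost spikes early, before the bill arrives.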
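The same alarm can be created from the CLI. This is a sketch under assumptions: the function name and alarm name are hypothetical, the SNS topic must already exist, and billing alerts must be enabled on the account for the metric to have data.

```shell
# Hypothetical helper: alarm when estimated charges exceed a USD threshold.
# Usage: create_billing_alarm THRESHOLD_USD SNS_TOPIC_ARN
create_billing_alarm() {
  alarm_threshold_usd="$1"
  alarm_sns_topic_arn="$2"
  # Billing metrics live in us-east-1 regardless of where workloads run
  aws cloudwatch put-metric-alarm \
      --region us-east-1 \
      --alarm-name "monthly-estimated-charges" \
      --namespace "AWS/Billing" \
      --metric-name "EstimatedCharges" \
      --dimensions "Name=Currency,Value=USD" \
      --statistic Maximum \
      --period 21600 \
      --evaluation-periods 1 \
      --threshold "$alarm_threshold_usd" \
      --comparison-operator GreaterThanThreshold \
      --alarm-actions "$alarm_sns_topic_arn"
}
```

This alarm watches the whole account's estimated charges, not CloudWatch alone, so set the threshold against the total monthly budget.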
