Will reducing log retention affect my ability to debug?

For production: set retention to 90 days. Most incidents are investigated within 24 hours; 90 days covers long-term trend analysis and compliance. For dev/staging: 7 days is enough — if you haven't debugged it within a week, the logs won't help. You can always increase retention temporarily during an incident.

Can I use a different log driver instead of CloudWatch?

Yes — ECS supports awsfirelens (sends to 20+ destinations including S3, Elasticsearch, Datadog), fluentd, and Splunk. However, switching the driver doesn't reduce costs — it moves them. CloudWatch with retention set and log-level filtering is often the cheapest option because you're already in the AWS ecosystem. Third-party services charge per-GB ingestion rates that typically exceed CloudWatch.

How do I estimate my CloudWatch costs before the bill arrives?

CloudWatch Metrics → Logs → IncomingBytes and StoredBytes. Multiply IncomingBytes by $0.50/GB for ingestion cost. Multiply the sum of StoredBytes across log groups by $0.03/GB for storage. Most importantly: check how many log groups have retentionInDays = null (Never Expire). Those are the ones silently accumulating costs.

Does CloudWatch Logs Insights query cost depend on retention period?

No — Insights costs $0.005 per GB of data scanned, regardless of how old the data is. However, shorter retention means less data to scan, which means cheaper queries. A 30-day retention log group has 1/12th the data of a 365-day group — so queries cost proportionally less.

Can I set retention globally across all log groups?

No single command sets retention for all groups. The CLI approach in this article loops through all groups. For Infrastructure as Code: add retention_in_days to every aws_cloudwatch_log_group resource. For existing groups: use the batch script in the skill file (downloadable above). AWS does not offer a global retention default — it's per-group by design.

Use Case

Matt S

Platform engineer at Fortem·June 11, 2026·6 min read

How to Control CloudWatch Logs Costs on ECS?

Your AWS bill shows CloudWatch at $400 this month. You have 15 ECS services logging INFO-level to CloudWatch — with retention set to Never Expire. You didn't configure this. ECS did it by default. Here's how to fix it in 4 steps.

TL;DR

01ECS default log driver sends everything to CloudWatch with retention = Never Expire — you didn't set this, ECS did
024-step fix: set retention (90% impact), filter by log level (5%), Insights instead of streaming (3%), monitor per-service (2%)
03One Terraform line: retention_in_days = 30 — cuts storage cost by 60-80% immediately
04Real example: 15 services, 3 GB/day → $135/mo (before) → $30/mo (after) — 78% savings
05Download the skill file — your AI agent can audit and fix this for you in 5 minutes

Why CloudWatch is silently eating your AWS bill

ECS uses the awslogs driver by default — every container's stdout goes to CloudWatch with no retention policy set. No retention means Never Expire. Logs accumulate forever. Your bill grows every month. You didn't configure this — ECS did.

ECS uses the awslogs driver by default. Every container's stdout and stderr goes to CloudWatch Logs. And here's the part nobody tells you: ECS creates log groups with no retention policy. No retention = Never Expire = logs accumulate forever = your bill grows every month.

Cost component15 services, INFO level, 3 GB/day

Ingestion ($0.50/GB)$45/mo

Storage ($0.03/GB/month)$54/mo (grows every month)

Insights queries ($0.005/GB)$36/mo (5 queries/day)

Total$135/mo

Key insight

Three separate charges on the same data. Ingestion is pay-what-you-send. Storage is pay-what-you-keep. Insights is pay-what-you-scan. ECS defaults mean you pay all three — with no upper bound — on every log line your application prints.

Download the skill file — let AI fix it

Before diving into the manual steps — here's a skill file your AI agent can run. It scans your CloudWatch log groups, finds the ones bleeding money, and optionally fixes them. Everything runs locally on your machine against your AWS account.

CloudWatch Cost Optimizer

Finds log groups without retention, estimates monthly cost, identifies top log producers, and applies retention policies — all read-only by default, changes only with your confirmation.

✓ Read-only by default·✓ Runs locally·✓ You approve every change

Drop into Claude Code, OpenCode, or Codex — the agent executes the steps

Step 1 — Set retention on every log group

One Terraform line — retention_in_days = 30 — cuts storage cost by 60-80%. Find every log group with no retention, set it to something sensible, and stop paying for logs from six months ago.

This single change cuts 60-80% of your CloudWatch storage cost. Find every log group with no retention, set it to something sensible.

Find groups without retention:

bash

aws logs describe-log-groups \
    --query 'logGroups[?retentionInDays==`null`].[logGroupName,storedBytes]' \
    --output table

Set 30-day retention on one group:

bash

aws logs put-retention-policy \
    --log-group-name "/aws/ecs/your-service" \
    --retention-in-days 30

Terraform — the one-liner that saves you $$$:

hcl

resource "aws_cloudwatch_log_group" "ecs_service" {
  name              = "/ecs/${var.env_prefix}-${var.service_name}"
  retention_in_days = 30  # ← was null (Never Expire). Now 30 days.
}

EnvironmentRetentionWhy

Production90 daysCompliance + incident investigation

Staging30 daysRecent deploy history

Dev / QA7 daysActive development only

CI/CD / Build1 dayDon't store ephemeral build logs

Step 2 — Filter by log level

Spring Boot, Express, Django — all default to INFO. A single web server at INFO generates 100-500× more log volume than at WARN. Switch production to WARN, keep INFO for staging.

“CloudWatch Logs charges $0.50 per GB ingested and $0.03 per GB stored per month. There are no free tiers for Logs.”
— aws.amazon.com/cloudwatch/pricing, verified June 2026

Spring Boot, Express, Django — they all default to INFO-level logging. That means every HTTP request, every database query, every cache hit generates a log line. Production doesn't need INFO. Switch to WARN.

bash

# Find which log groups ingest the most data (last 7 days)
aws logs start-query \
    --log-group-name "/aws/ecs/prod-api" \
    --start-time $(date -v-7d +%s) \
    --end-time $(date +%s) \
    --query-string "stats count() by @logStream | sort count desc | limit 10"

# Check your framework's log level:
# Spring Boot: logging.level.root=WARN in application.properties
# Express: set LOG_LEVEL=warn
# Django: LOGGING['root']['level'] = 'WARNING'

Key insight

A single INFO-level web server generates 100-500× more log volume than the same server at WARN. If you're paying $0.50/GB for ingestion, every unnecessary log line costs you money — twice (once to ingest, once to store).

Step 3 — Use Insights instead of streaming everything

Streaming all logs to Datadog or Splunk costs 2-3× more than keeping them in CloudWatch. Use Insights for debugging — query on demand at $0.005/GB scanned. For compliance, subscription filter to S3.

Streaming all logs to Datadog, Splunk, or a self-hosted ELK stack costs 2-3× more than keeping them in CloudWatch. For debugging, use CloudWatch Logs Insights — query on demand, pay per GB scanned ($0.005/GB), not per GB ingested.

bash

# Find errors in the last hour across all services
aws logs start-query \
    --log-group-name "/aws/ecs/prod-api" \
    --start-time $(date -v-1H +%s) \
    --end-time $(date +%s) \
    --query-string "fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 50"

# For compliance: subscription filter → S3 (cheap, durable)
aws logs put-subscription-filter \
    --log-group-name "/aws/ecs/prod-api" \
    --filter-name "AllToS3" \
    --filter-pattern "" \
    --destination-arn "arn:aws:firehose:..."

Step 4 — Find which service costs the most

You know CloudWatch costs $400. You don't know which service is responsible. One Insights query groups by log stream and ranks by byte volume — 10 lines of SQL, 5 minutes, you have your answer.

You know CloudWatch costs $400. You don't know which of your 15 services is responsible for $300 of it. This Insights query tells you.

bash

# Top log producers by byte volume (last 7 days)
aws logs start-query \
    --log-group-name "/aws/ecs/prod-api" \
    --start-time $(date -v-7d +%s) \
    --end-time $(date +%s) \
    --query-string "stats sum(strlen(@message)) as totalBytes by @logStream | sort totalBytes desc | limit 10"

Once you know which service generates the most logs, go to that service and do three things: (1) check its log level, (2) check if it's logging stack traces on every request, (3) check if it's logging health check pings. Those three fix 90% of high-volume log problems. And when you're done with CloudWatch, the next invisible cost is per-environment attribution.

FAQ

If you read this, you might also want to know

How do I switch ECS from awslogs to another log driver?

Change the logConfiguration in your task definition. ECS supports awsfirelens (20+ destinations), fluentd, syslog, json-file, and Splunk. The switch is per-container — you update the task definition and redeploy. Existing log groups in CloudWatch stay as-is until you delete them.

Can I archive logs to S3 and delete them from CloudWatch?

Yes — create a subscription filter with a Kinesis Firehose destination that writes to S3. Then set retention on the original log group to 7 days. The logs flow to S3 (durable, cheap) and expire from CloudWatch (no ongoing storage cost). S3 lifecycle rules can transition to Glacier after 90 days.

How do I set up a CloudWatch billing alarm?

CloudWatch → Alarms → Create alarm → select 'Billing' metric → 'Total Estimated Charge'. Set threshold at your monthly budget ($300, $500, etc.). Add SNS notification → email/Slack/PagerDuty. This catches cost spikes early — before the bill arrives.

Logs are one cost

Your entire fleet
is another.

CloudWatch is one line item. Environment scheduling, per-service cost visibility, and developer self-service are the rest. Fortem shows every cost, every environment, in one place.

Run Fleet Audit →Book a call

Use Case

Why Can't You See Per-Environment AWS Costs?

Cost Explorer shows the total. Tags miss the $90/mo per environment of ALB, NAT, and CloudWatch.

Guide

How to Cut AWS ECS Fargate Costs by 65%

Scheduling, right-sizing, Spot, and orphaned environments — the four methods that take a fleet from expensive to manageable.