by acdha 1407 days ago
I think this is a natural tendency to get a large bill and want it to be somebody else’s fault. The two cost drivers mentioned are S3 access logs and VPC flow logs. S3 access logs are required by most security standards and are the only way to get that feature: if you need it, you’re going to be setting those up in whatever cloud security tool you pick or build. This is also odd with the request to only monitor some buckets - not enabling logging is exactly how you’re intended to do that.

VPC flow logs are odd, too: you actually don’t need to enable them for GuardDuty - one of its selling points is that you can globally enable it without the possibility of one of your organization’s accounts having it disabled due to accident or malice - but again, if your security policy requires this there’s no shortcut for any tool: you can get figures quickly before you run through the free tier and use those for your budgets.

The DNS logging points are handled by separate products: if you want those features, check out the Route 53 resolver logging and firewall docs:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/re...

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/re...
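The comment's point that S3 access logging is configured per bucket (and that leaving it off is how you exclude a bucket) is easy to audit. The example below is added here and is not from the comment or from AWS; the input dicts are constructed to mimic the shape of boto3's `s3.get_bucket_logging(Bucket=...)` responses, in which a `LoggingEnabled` key appears only when logging is on, and the function names and "required" bucket set are assumptions.

```python
"""Audit which S3 buckets have server access logging enabled.

Constructed example: SAMPLE_CONFIGS mimics the shape of boto3's
s3.get_bucket_logging(Bucket=...) responses. In real use you would
build that dict from list_buckets() + get_bucket_logging() calls.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Finding:
    bucket: str
    status: str  # "logging", "not-logging", "missing-required", "self-target"
    target: Optional[str] = None


def audit_bucket_logging(configs: Dict[str, dict],
                         required: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Classify each bucket by its access-logging state.

    Buckets in `required` (e.g. ones holding regulated data) are flagged
    separately when logging is off; buckets that log into themselves are
    flagged because AWS recommends a separate target bucket, as the log
    writes are themselves logged.
    """
    findings = []
    for bucket, cfg in sorted(configs.items()):
        enabled = cfg.get("LoggingEnabled")  # absent when logging is off
        if not enabled:
            status = "missing-required" if bucket in required else "not-logging"
            findings.append(Finding(bucket, status))
            continue
        target = f"{enabled.get('TargetBucket', '')}/{enabled.get('TargetPrefix', '')}"
        status = "self-target" if enabled.get("TargetBucket") == bucket else "logging"
        findings.append(Finding(bucket, status, target))
    return findings


# Constructed sample responses (hypothetical bucket names).
SAMPLE_CONFIGS = {
    "prod-customer-data": {"LoggingEnabled": {"TargetBucket": "central-s3-logs",
                                              "TargetPrefix": "prod-customer-data/"}},
    "ci-scratch": {},          # deliberately unlogged, as the comment describes
    "finance-exports": {},     # should be logged but is not
    "oops-bucket": {"LoggingEnabled": {"TargetBucket": "oops-bucket",
                                       "TargetPrefix": "logs/"}},
}
REQUIRED = frozenset({"prod-customer-data", "finance-exports"})

if __name__ == "__main__":
    for f in audit_bucket_logging(SAMPLE_CONFIGS, REQUIRED):
        print(f"{f.bucket:20} {f.status:17} {f.target or ''}")
```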