TL;DR: CloudWatch Logs now has two classes: Standard, and Infrequent Access at roughly half the price on both ingestion ($0.25/GB) and storage ($0.015/GB-month). The catch is a hard disable list: no metric filters, no subscription filters, no Live Tail — and moving a group with an existing metric filter silently flatlines the metric while the alarm looks fine in the console. IA is a clean 50% discount for write-and-forget logs (VPC Flow Logs, audit trails); it's a trap for anything you alarm on.
The numbers
- Standard: ~$0.50/GB ingest, ~$0.03/GB-month store — all features
- IA: ~$0.25/GB ingest, ~$0.015/GB-month store — Insights queries still work (slower scans); filters/Live Tail/anomaly detection don't
- Worth the ceremony above ~500 GB stored per group, or when total log storage exceeds
$200/month; 10 TB of stored logs saves **$1,800/year** on storage alone - Field example: 6 TB of VPC Flow Logs across 4 VPCs at
$400/month (ingest + store) → **$200/month** on IA with no functional loss
Do this
-
Run the three-question safety check per candidate group: no metric filters, no subscription filters, queried less than ~weekly. All three must pass:
aws logs describe-metric-filters --log-group-name /aws/vpc/flow-logs aws logs describe-subscription-filters --log-group-name /aws/vpc/flow-logs -
Create the IA group and cut the producer over — there is no in-place conversion:
aws logs create-log-group \ --log-group-name /aws/vpc/flow-logs-ia \ --log-group-class INFREQUENT_ACCESSPoint the producer (Flow Logs subscription, service config) at the new group; give the old Standard group a short retention so it ages out. Terraform:
log_group_class = "INFREQUENT_ACCESS". -
Still set retention — IA is cheaper, not free; Never-Expire × IA × forever still grows.
-
Pick the right tool for the retention window: 30 days–1 year with occasional Insights queries → IA. Multi-year compliance → S3 + Glacier via Athena is ~10× cheaper than IA storage (a fintech in the source workflow paid ~$5/month on S3 for 1.2 TB that IA would have held at ~$18).
Gotchas
- The silent-alarm failure is the big one: IA doesn't warn about existing metric filters — the metric just stops updating while the alarm sits green. Audit filters before moving anything.
- The disable list is disabled, not degraded: no subscription streaming to OpenSearch/Lambda, no Live Tail, no log-anomaly detection, restricted as a cross-account destination.
- Dormant-app log groups are the least-safe candidates — they're exactly where forgotten filters live. Often the better move is deleting the group.
- Fix retention first. A Never-Expire group at IA prices still loses to a 30-day Standard group over time; class is step 3 in the pipeline, after retention and ingestion reduction.
- Small groups aren't worth it — half of $2/month is $1.
Skip this if
- The group feeds any alarm, dashboard, metric filter, or subscription — keep Standard (or refactor to EMF metrics from the app first).
- Retention is multi-year — S3 archive wins by an order of magnitude.
- Your bill is ingestion-dominated — halving ingest helps, but sampling/filtering at the source can cut 90%; do that first.