How I Cut AWS CloudWatch Costs by 50%: A VPC Flow Logs Case Study | by Srinu | MediumSitemapOpen in appSign up<br>Sign in
Medium Logo
Get app<br>Write
Search
Sign up<br>Sign in
How I Cut AWS CloudWatch Costs by 50%: A VPC Flow Logs Case Study
Srinu
4 min read·<br>Feb 6, 2026
Listen
Share
Quick Summary: I slashed a client’s AWS bill by 50% with two architectural changes: moving VPC Flow Logs to S3 (Parquet format) and enforcing strict retention policies.
We have all been there. You open the AWS Cost Explorer, filter by “Service,” and see a massive blue bar dominating your chart.<br>Last month, a client came to me with exactly this problem. Their bill was skyrocketing, and the culprit wasn’t EC2 or RDS — it was CloudWatch . Specifically, Vended Logs .<br>For those unaware, “Vended Logs” are logs AWS generates for you automatically — like VPC Flow Logs, Route 53 query logs, or CloudFront access logs. While these are critical for security and troubleshooting, storing them indefinitely in CloudWatch Logs is one of the fastest ways to burn through a budget.<br>Here is why the default setup is a financial trap:<br>High Ingestion Costs: You pay for every GB of data that enters CloudWatch.<br>Expensive Storage: Storing text data in CloudWatch is significantly pricier than S3.<br>The “Hoarding” Issue: By default, many log groups are set to “Never Expire.”<br>The Fix: Strategic Storage Migration<br>After analyzing the client’s usage, I realized they didn’t need milliseconds of latency for these logs. They only reviewed Flow Logs during weekly security audits or specific troubleshooting events.<br>They didn’t need “Hot” storage (CloudWatch). They needed “Cold,” efficient storage (S3).<br>💰 The Cost Comparison<br>The math was undeniable. Here is the breakdown for 1 TB of log data :<br>Option A: CloudWatch Logs (The Old Way)<br>Data Ingestion: ~$0.50 per GB<br>Storage: ~$0.03 per GB/month<br>Total Cost: ~$530 / month<br>Option B: S3 + Parquet (The New Way)<br>S3 Standard Storage: ~$0.023 per GB/month<br>Compression (Parquet): Reduces size by ~90%<br>Total Cost: ~$2.30 / month (plus minimal query costs)
How I Did It (4 Steps)<br>1. Move VPC Flow Logs to S3 with Parquet Format<br>Instead of pointing the Flow Logs to CloudWatch, I pointed them to an S3 bucket. But I didn’t just dump text files there.<br>The Secret Sauce: I selected Parquet as the log file format. Parquet is a columnar storage format that is incredibly efficient. By simply checking this box in the VPC Console, I instantly reduced the data storage footprint by 80–90% through automatic compression.<br>2. Set Up S3 Lifecycle Policies<br>Even in S3, storing old data in the “Standard” tier is a waste of money. I configured a Lifecycle Rule to move data to cheaper tiers as it aged automatically:<br>Days 0–30: S3 Standard (Ready for immediate querying)<br>Days 30+: Move to S3 Glacier Instant Retrieval<br>Days 90+: Move to S3 Glacier Deep Archive (For long-term compliance at ~$0.00099/GB)<br>Days 365: Expire/Delete permanently<br>3. Enforce Retention on CloudWatch Log Groups<br>This was the “Quick Win.” I audited their CloudWatch dashboard and found dozens of log groups with Retention: Never Expire .<br>I applied a strict retention policy based on the log type:<br>Application Logs: 30 Days<br>Debug/Dev Logs: 7 Days<br>Audit/Compliance: 90+ Days<br>You can change this globally or individually in the CloudWatch console settings. This immediately stopped the “zombie data” from accumulating costs.<br>4. Query with Amazon Athena<br>“But wait,” the client asked, “how do I read the logs now?”<br>The answer is Amazon Athena . Since the logs are in S3 (and formatted in Parquet), we can use SQL queries to search them instantly. We only pay for the data scanned during the query, which — thanks to Parquet compression — is pennies on the dollar compared to CloudWatch Insights.
The Results<br>The impact was visible in the very next billing cycle:<br>50% reduction in total CloudWatch costs.<br>85% reduction in storage requirements due to Parquet compression.<br>Zero operational impact on their ability to debug issues.<br>Pro Tip: Don’t wait for the bill shock. Set up AWS Budgets and alerts today. Many engineers are surprised to find that “Logging” costs more than “Compute.”
FAQ<br>What is the Parquet format? It is a columnar storage format optimised for analytics. Unlike CSV or JSON (row-based), Parquet allows tools like Athena to scan only the specific columns you need, making queries faster and cheaper.<br>Will I lose real-time access? S3 delivery has a slight delay (minutes, not seconds). For critical application error logs that trigger alarms, keep using CloudWatch. For bulk traffic logs (VPC Flow Logs), use S3.<br>Can I migrate old logs? You can export old CloudWatch logs to S3, but it incurs an export fee. It is usually more cost-effective to set a retention policy to delete the old data and start fresh with the new S3 architecture.
My Takeaway<br>Optimization isn’t always about re-architecting your app or buying Savings Plans. Sometimes, it’s as simple as choosing the right storage for the right data.<br>If...