For many organizations running workloads on AWS, Kinesis Data Streams (KDS) has long been a go-to service for moving logs and telemetry data. But while KDS can be powerful, it often is not needed and can quickly become expensive—often costing hundreds of thousands per year just to "move logs from A to B."
In working with prospects and customers, we’ve seen more and more teams ask a critical question:
“Can Cribl Stream replace Kinesis Data Streams while also delivering more value?”
The answer, in many cases, is yes. Let’s walk through how customers are rethinking their telemetry pipelines with Cribl Stream and Edge—and saving significant amounts of money in the process.
The Problem: KDS Sticker Shock
One prospect we spoke with recently was paying around ~$50,000 per month for Kinesis Data Streams. Their use case wasn’t exotic:
Collecting application logs, CloudWatch agent logs, and AWS-native logs
Then using Kinesis Data Streams sending to Kinesis Data Firehose to ship them to Datadog and Amazon S3
That’s it. No complex transformations. Just moving data from point A to point B—and paying a premium to do it.
On top of KDS, their CloudWatch logging bill was another $30K per month, creating a double hit to their budget.
Before diving in, here are a few considerations for this approach:
Your goal is to send to multiple destinations at no extra cost
You’d like to simplify the management of all of these sources of log collection (consolidate agents etc.)
If you rely on CloudWatch Log Insights specifically for querying, that functionality remains in AWS, but Cribl Stream / Edge can capture and deliver similar logs.
Depending on the data sources collected, both options below can be used to optimize costs and improve data resiliency.
Note: If you are sending AWS VPC Flow Logs or AWS CloudTrail, these services natively deliver logs to Amazon S3. Cribl Stream can ingest them directly through the SQS/S3 integration, so the options below are not required. By leveraging Cribl Stream, you can optimize these data sources by routing only the most important events to your SIEM, while sending less critical events to a data lake or S3 bucket for cost-effective archival.
A Smarter Architecture with Cribl
The opportunity here is to rethink the pipeline. Instead of forcing all logs through KDS + Lambda + Firehose, customers can simplify the flow:
Option 1: Cribl Edge + Cribl Stream
Deploy Cribl Edge on EKS and EC2 instances to collect logs directly with a vendor agnostic agent.
Send those logs to Cribl Stream, which then routes them to S3 and Datadog.
This bypasses CloudWatch Logs entirely—avoiding the $30K monthly logging bill.
Option 2: Firehose + S3 + Cribl Stream for CloudWatch logs
Use Kinesis Data Firehose (KDF) to deliver CloudWatch logs (with subscription filters) directly into a short-term S3 bucket.
Cribl Stream consumes from that bucket via SQS queues & S3, performs any needed transformations, enrichments, or filtering, and then fans data out to long-term S3 (archival) and Datadog.
No need for KDS or Lambda.
Customer Examples
This isn’t theory—large enterprises are already proving this out:
A Fortune 500 customer removed significant reliance on KDS by re-architecting their pipeline with Cribl, saving millions in the process. They uncovered hidden costs in their CloudWatch + KDS setup and replaced it with Edge + Stream for cost savings and resiliency.
A Fortune 100 customer followed a similar approach and is sharing more details at CriblCon, focusing on enhanced observability and partitioned access to logs via Cribl Search.
The pattern is clear:
Collect once (via Cribl Edge or Cloud-native sources)
Optimize early (filter, enrich, transform in Stream)
Send to multiple destinations (Datadog, S3, SIEM, etc.)
All while dramatically reducing the cost and complexity of managing log pipelines in AWS.
The Benefits Beyond Cost Savings
While cost savings often kick off the conversation, customers quickly realize additional value in moving from KDS to Cribl:
Resiliency: SQS + S3 patterns with Cribl Stream provide reliable buffering and delivery.
Visibility: Cribl’s UI and Live Capture let teams see and interact with their telemetry in flight—something AWS services don’t provide out of the box.
Flexibility: Collect once, route to many destinations without duplicating ingestion costs.
Optimization: Filter out noise, reshape logs, and control volume before sending to high-cost destinations like Datadog.
Key Takeaway
If your organization is paying six figures annually to AWS for Kinesis Data Streams just to shuttle logs around, it may be time to rethink your pipeline. By combining Cribl Stream and Cribl Edge, you can:
Eliminate or drastically reduce KDS costs
Cut CloudWatch logging expenses
Simplify the management of these sources of data
Gain visibility and control over your data
Build a more resilient and flexible pipeline
Our team would love to share real-world architectures and customer stories with you. Even better—join the Cribl Community Slack to connect directly with peers, swap ideas, and get hands-on insights from practitioners solving the same challenges.
