Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days

Error: Azure Network Watcher NSG flow logs retention is less than 90 days

Bridgecrew Policy ID: BC_AZR_LOGGING_1
Checkov Check ID: CKV_AZURE_12
Severity: MEDIUM

Description

Flow logs capture information about the IP traffic flowing in and out of network security groups. The logs can be used to check for anomalies and give insight into suspected breaches; if they are retained for too short a period, evidence needed to investigate an incident may already be gone by the time it is discovered.

We recommend setting the Network Security Group (NSG) flow log retention period to greater than or equal to 90 days.

Fix - Runtime

Azure Portal

To configure NSG flow log retention using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Network Watcher and open the Logs section.
  3. Select the NSG flow logs blade.
  4. For each Network Security Group in the list:
    a) Set Status to On.
    b) Set Retention (days) to greater than 90.
    c) In Storage account, select the storage account that should receive the flow logs.
    d) Click Save.

CLI Command

To enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days, use the following command:

az network watcher flow-log configure \
  --nsg <name or ID of the Network Security Group> \
  --enabled true \
  --resource-group <resourceGroupName> \
  --retention 91 \
  --storage-account <name or ID of the storage account that receives the flow logs>

Fix - Buildtime

Terraform

  • Resource: azurerm_network_watcher_flow_log
  • Argument: days (inside the retention_policy block)
resource "azurerm_network_watcher_flow_log" "test" {
  ...
+ retention_policy {
+   enabled = true
+   days    = <90 or greater>
+ }
}
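The runtime and buildtime fixes above both reduce to one rule: the flow log is enabled, its retention policy is enabled, and the retention is at least 90 days. The following Python is an added example that applies that rule to both shapes of input; it is not Bridgecrew's or Checkov's own check code. It assumes the JSON field names printed by `az network watcher flow-log show` (`enabled`, `retentionPolicy.enabled`, `retentionPolicy.days`, `targetResourceId`) and a python-hcl2 style parse of the Terraform resource (nested blocks as lists of dicts). All sample inputs are constructed.

```python
"""Added example: evaluate NSG flow-log retention against the 90-day rule
described on this page, for runtime (az CLI JSON) and buildtime (Terraform) input."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any

MIN_RETENTION_DAYS = 90  # threshold recommended by the policy on this page


@dataclass(frozen=True)
class Finding:
    target: str
    passed: bool
    reason: str


def evaluate_retention(target: str, flow_log_enabled: Any, retention_enabled: Any, days: Any) -> Finding:
    """Core rule shared by both checks: flow log on, retention on, days >= 90.
    Values are compared with `is True` so that strings such as "true" or missing
    fields are treated as non-compliant rather than silently accepted."""
    if flow_log_enabled is not True:
        return Finding(target, False, "flow log is not enabled")
    if retention_enabled is not True:
        return Finding(target, False, "retention policy is not enabled")
    if isinstance(days, bool) or not isinstance(days, int) or days < MIN_RETENTION_DAYS:
        return Finding(target, False, f"retention is {days!r} days, need >= {MIN_RETENTION_DAYS}")
    return Finding(target, True, f"retention is {days} days")


def check_runtime(flow_log_json: str) -> Finding:
    """Runtime check over the JSON printed by `az network watcher flow-log show`.
    Field names (enabled, retentionPolicy.enabled/days, targetResourceId) are
    assumed from the CLI's output shape."""
    cfg = json.loads(flow_log_json)
    policy = cfg.get("retentionPolicy") or {}
    target = cfg.get("targetResourceId") or cfg.get("name") or "<unknown flow log>"
    return evaluate_retention(target, cfg.get("enabled"), policy.get("enabled"), policy.get("days"))


def _scalar(value: Any) -> Any:
    """Older python-hcl2 releases wrap attribute values in one-element lists; unwrap either form."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value


def check_terraform(resource_name: str, resource: dict[str, Any]) -> Finding:
    """Buildtime check over one parsed azurerm_network_watcher_flow_log body
    (python-hcl2 style: nested blocks are lists of dicts)."""
    policies = resource.get("retention_policy") or []
    if not policies:
        return Finding(resource_name, False, "no retention_policy block")
    policy = policies[0]
    # The resource's own `enabled` argument is optional in the provider and defaults to true.
    flow_log_enabled = _scalar(resource.get("enabled", True))
    return evaluate_retention(
        resource_name, flow_log_enabled, _scalar(policy.get("enabled")), _scalar(policy.get("days"))
    )


# Constructed sample inputs; the resource IDs are placeholders, not real resources.
RUNTIME_COMPLIANT = json.dumps({
    "name": "example-flowlog",
    "enabled": True,
    "targetResourceId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkSecurityGroups/example-nsg",
    "retentionPolicy": {"days": 91, "enabled": True},
})
RUNTIME_SHORT = json.dumps({
    "name": "example-flowlog",
    "enabled": True,
    "retentionPolicy": {"days": 30, "enabled": True},
})
TF_COMPLIANT = {"enabled": True, "retention_policy": [{"enabled": True, "days": 90}]}
TF_DISABLED_RETENTION = {"retention_policy": [{"enabled": False, "days": 365}]}

if __name__ == "__main__":
    for finding in (
        check_runtime(RUNTIME_COMPLIANT),
        check_runtime(RUNTIME_SHORT),
        check_terraform("test", TF_COMPLIANT),
        check_terraform("test", TF_DISABLED_RETENTION),
    ):
        print("PASS" if finding.passed else "FAIL", finding.target, "-", finding.reason)
```

In practice the runtime input comes from piping `az network watcher flow-log show ... --output json` into `check_runtime`, and the buildtime input from a python-hcl2 parse of the `.tf` files; both paths report the same reason strings, so a single finding format can feed a pipeline gate or a ticket.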