Ensure CloudWatch log groups specify retention days

Error: CloudWatch log groups do not specify retention days

Bridgecrew Policy ID: BC_AWS_LOGGING_13
Checkov Check ID: CKV_AWS_66
Severity: LOW

Description

Enabling CloudWatch retention establishes how long log events are kept in AWS CloudWatch Logs. Retention settings are assigned to CloudWatch log groups and the retention period assigned to a log group is applied to their log streams. Any data older than the current retention setting is deleted automatically. You can change the log retention for each log group at any time.

Log data is stored in CloudWatch Logs indefinitely by default. This may incur high unexpected costs, especially when combined with other forms of logging. We recommend you configure how long to store log data in a log group to balance cost with compliance retention requirements.

Fix - Runtime

AWS Console

Procedure:

  1. Log in to the AWS Management Console at [https://console.aws.amazon.com/].
  2. Open the Amazon CloudWatch console.
  3. In the navigation pane, choose Log Groups.
  4. Find the log group to update.
  5. In the Expire Events After column for that log group, choose the current retention setting, such as Never Expire.
  6. In Edit Retention, for Retention, choose a log retention value, then click Ok.

CLI Command

Sets the retention of the specified log group. A retention policy allows you to configure the number of days for which to retain log events in the specified log group.

aws logs put-retention-policy
--log-group-name <value>
--retention-in-days <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
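The runtime fix above is applied one log group at a time; to find every group that still has no retention policy, audit the output of `aws logs describe-log-groups`, where a group set to "Never expire" simply has no `retentionInDays` key. The script below is an added example, not part of the Bridgecrew or Checkov documentation; the `describe-log-groups` output it works on is a constructed sample, and the function names are assumptions.

```python
"""Audit CloudWatch log groups for a missing retention policy (runtime side of CKV_AWS_66).

Works on the JSON shape returned by `aws logs describe-log-groups`: a log group
with no retention policy has no "retentionInDays" key at all ("Never expire").
"""
import json
import sys

# Values accepted by put-retention-policy / retention_in_days (0 = never expire).
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180,
                        365, 400, 545, 731, 1827, 3653, 0}

# Constructed sample of describe-log-groups output (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "logGroups": [
    {"logGroupName": "/aws/lambda/orders",   "retentionInDays": 90, "storedBytes": 1024},
    {"logGroupName": "/aws/lambda/payments", "storedBytes": 5242880},
    {"logGroupName": "app/debug",            "retentionInDays": 1,  "storedBytes": 0},
    {"logGroupName": "/ecs/frontend",        "storedBytes": 734003200}
  ]
}
""")


def log_groups_without_retention(describe_output):
    """Return the names of log groups whose events never expire (no retentionInDays)."""
    return [group["logGroupName"]
            for group in describe_output.get("logGroups", [])
            if "retentionInDays" not in group]


def remediation_commands(group_names, retention_days=90):
    """Build one put-retention-policy CLI call per finding, using a finite retention."""
    if retention_days not in VALID_RETENTION_DAYS or retention_days == 0:
        raise ValueError(f"{retention_days} is not a finite, supported retention value")
    return [f"aws logs put-retention-policy --log-group-name '{name}' "
            f"--retention-in-days {retention_days}"
            for name in group_names]


if __name__ == "__main__":
    # Pipe `aws logs describe-log-groups` into this script, or run it on the sample.
    data = SAMPLE_DESCRIBE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    findings = log_groups_without_retention(data)
    print(f"{len(findings)} log group(s) with no retention policy:")
    for command in remediation_commands(findings):
        print("  " + command)
```

The generated commands are printed rather than executed so the retention value can be reviewed against the compliance requirement before it is applied.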

Fix - Buildtime

Terraform

  • Resource: aws_cloudwatch_log_group
  • Argument: retention_in_days - (Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire.
resource "aws_cloudwatch_log_group" "example" {
  ...
  name = "example"
+ retention_in_days = 90
}

CloudFormation

  • Resource: AWS::Logs::LogGroup
  • Argument: Properties.RetentionInDays - (Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire.
Resources: 
  logGroup:
    Type: AWS::Logs::LogGroup
    Properties: 
      ...
+     RetentionInDays: 90