Ensure activity log retention is set to 365 days or greater

Error: Activity log retention is set to less than 365 days

Bridgecrew Policy ID: BC_AZR_LOGGING_5
Checkov Check ID: CKV_AZURE_37
Severity: MEDIUM

Activity log retention is set to less than 365 days

Description

A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more, providing time to respond to any incidents.

We recommend you set activity log retention for 365 days or greater.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to the Activity log.
  3. Select Export.
  4. Set Retention (days) to 365 or greater, or to 0 to retain the log indefinitely.
  5. Click Save.

CLI Command

To set Activity log Retention (days) to 365 or greater, use the following command:

az monitor log-profiles update \
  --name <logProfileName> \
  --set retentionPolicy.days=<number of days> retentionPolicy.enabled=true

To store logs forever (indefinitely), use the following command:

az monitor log-profiles update \
  --name <logProfileName> \
  --set retentionPolicy.days=0 retentionPolicy.enabled=false

Fix - Buildtime

Terraform

  • Resource: azurerm_monitor_log_profile
  • Argument: retention_policy

Option 1

resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
+ retention_policy {
+   enabled = true
+   days    = 365
+ }
}

Option 2

resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
+ retention_policy {
+   enabled = false
+   days    = 0
+ }
}
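The rule this policy enforces, applied to parsed azurerm_monitor_log_profile resources, as an added illustration rather than Checkov's own CKV_AZURE_37 implementation. It assumes resources are plain dicts mirroring the Terraform arguments, and that a disabled retention policy or days = 0 means the log is kept indefinitely, matching Option 2 and the "forever" CLI command above.

```python
"""Illustrative evaluator for the activity log retention rule (365 days or
more, or retained indefinitely). Not Checkov's own check code."""
from typing import Dict, List, Optional

MIN_RETENTION_DAYS = 365  # threshold from the policy text


def retention_ok(retention_policy: Optional[dict]) -> bool:
    """Return True when one retention_policy block satisfies the rule.

    Assumption: enabled = false, or days = 0, means logs are kept forever
    (Option 2 / the CLI 'forever' command), so it passes. A missing block
    fails closed because no retention has been configured at all.
    """
    if not retention_policy:
        return False
    enabled = bool(retention_policy.get("enabled", False))
    days = int(retention_policy.get("days", 0))  # Terraform default is 0
    if not enabled or days == 0:
        return True  # retained indefinitely
    return days >= MIN_RETENTION_DAYS


def scan(resources: List[dict]) -> Dict[str, str]:
    """Map each log profile address to 'PASSED' or 'FAILED'; skip other types."""
    results: Dict[str, str] = {}
    for res in resources:
        if res.get("type") != "azurerm_monitor_log_profile":
            continue
        address = f'{res["type"]}.{res["name"]}'
        verdict = retention_ok(res.get("retention_policy"))
        results[address] = "PASSED" if verdict else "FAILED"
    return results


# Constructed sample input shaped like the Terraform examples on this page.
SAMPLE_RESOURCES = [
    {"type": "azurerm_monitor_log_profile", "name": "short",
     "retention_policy": {"enabled": True, "days": 90}},
    {"type": "azurerm_monitor_log_profile", "name": "option1",
     "retention_policy": {"enabled": True, "days": 365}},
    {"type": "azurerm_monitor_log_profile", "name": "option2",
     "retention_policy": {"enabled": False, "days": 0}},
    {"type": "azurerm_monitor_log_profile", "name": "missing"},
    {"type": "azurerm_storage_account", "name": "ignored"},
]

if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_RESOURCES).items():
        print(f"{verdict}: {address}")
```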