Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days
Description
Flow logs capture information about IP traffic flowing in and out of network security groups. The logs can be used to check for anomalies and give insight into suspected breaches. We recommend that your Network Security Group (NSG) flow log retention period be set to greater than or equal to 90 days.
Code Example

```hcl
resource "azurerm_network_watcher_flow_log" "test" {
  ...
  # add a retention_policy block, keep it enabled and retain for at least 90 days
  retention_policy {
    enabled = true
    days    = <90 or greater>
  }
}
```

Remediation
*Azure Portal*
To change the policy using the Azure Portal, follow these steps:
. Log in to the Azure Portal at https://portal.azure.com.
. Navigate to the *Network Watcher* > *Logs* section.
. Select the *NSG flow logs* blade.
. For each Network Security Group in the list:
.. Set *Status* to *On*.
.. Set *Retention (days)* to *greater than 90 days*.
.. In *Storage account*, select your storage account.
.. Click *Save*.
*CLI Command*
To enable the *NSG flow logs* and set the *Retention (days)* to *greater than or equal to 90 days*, use the following command:

```bash
az network watcher flow-log configure --nsg <NameOrID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameOrID of the storage account to save flow logs>
```
=== Fix - Buildtime
Terraform
- Resource: azurerm_network_watcher_flow_log
- Arguments: days
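The buildtime check above can be reproduced against a Terraform plan before anything is applied. The following script is an added example, not Checkov's own implementation of CKV_AZURE_12 and not code from this page: it reads the JSON produced by `terraform show -json` (the `resource_changes` list), finds every `azurerm_network_watcher_flow_log` resource, and fails any whose `retention_policy` block is missing, disabled, or set to fewer than 90 days. The plan embedded in `SAMPLE_PLAN` is constructed for the example; a `days` value that is still unknown at plan time is reported as `UNKNOWN` rather than passed.

```python
from __future__ import annotations

import json

MIN_RETENTION_DAYS = 90
FLOW_LOG_TYPE = "azurerm_network_watcher_flow_log"

# Constructed sample: a trimmed `terraform show -json` plan with three flow log
# resources (30 days, 91 days, and retention disabled). Not a real plan.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "azurerm_network_watcher_flow_log.short",
            "type": FLOW_LOG_TYPE,
            "change": {"actions": ["create"], "after": {
                "enabled": True,
                "retention_policy": [{"enabled": True, "days": 30}],
            }},
        },
        {
            "address": "azurerm_network_watcher_flow_log.ok",
            "type": FLOW_LOG_TYPE,
            "change": {"actions": ["create"], "after": {
                "enabled": True,
                "retention_policy": [{"enabled": True, "days": 91}],
            }},
        },
        {
            "address": "azurerm_network_watcher_flow_log.disabled",
            "type": FLOW_LOG_TYPE,
            "change": {"actions": ["update"], "after": {
                "enabled": True,
                "retention_policy": [{"enabled": False, "days": 365}],
            }},
        },
    ]
})


def check_flow_log(after: dict) -> tuple[str, str]:
    """Evaluate one resource's planned attributes; return (result, reason)."""
    # In plan JSON a nested block appears as a list of objects.
    policies = after.get("retention_policy") or []
    if not policies:
        return "FAILED", "no retention_policy block"
    policy = policies[0]
    if not policy.get("enabled"):
        return "FAILED", "retention_policy.enabled is false"
    days = policy.get("days")
    if days is None:
        # Values computed at apply time are absent from "after"; do not guess.
        return "UNKNOWN", "days is not known until apply"
    if int(days) < MIN_RETENTION_DAYS:
        return "FAILED", f"days = {days} is below {MIN_RETENTION_DAYS}"
    return "PASSED", f"days = {days}"


def scan_plan(plan_json: str) -> dict[str, tuple[str, str]]:
    """Map each flow log resource address in the plan to its (result, reason)."""
    plan = json.loads(plan_json)
    results: dict[str, tuple[str, str]] = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != FLOW_LOG_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # a resource being removed has nothing to retain
        results[rc["address"]] = check_flow_log(change.get("after") or {})
    return results


def main() -> None:
    for address, (result, reason) in scan_plan(SAMPLE_PLAN).items():
        print(f"{result:7} {address}: {reason}")


if __name__ == "__main__":
    main()
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `scan_plan`; any `FAILED` entry is the resource that needs the `retention_policy` fix shown in the Terraform block above.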
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0523 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_12 |