Azure Activity Log retention should not be set to less than 365 days
Description
A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more, providing time to respond to any incidents. We recommend you set activity log retention for 365 days or greater.
Code Example
go
resource "azurerm_monitor_log_profile" "example" {
name = "default"
categories = [
"Action",
"Delete",
"Write",
]
locations = [
"westus",
"global",
]
+ retention_policy {
+ enabled = true
+ days = 365
}
}Remediation
- Azure Portal To change the policy using the Azure Portal, follow these steps:*
. Log in to the Azure Portal at https://portal.azure.com.
. Navigate to the * Activity log*.
. Select * Export*.
. Set * Retention (days)* to * 365* or * 0*.
. Click * Save*.
- CLI Command*
To set Activity log Retention (days) to * 365 or greater*, use the following command:
az monitor log-profiles update --name & lt;logProfileName> --set retentionPolicy.days=& lt;number of days> retentionPolicy.enabled=true
To store logs for fo
- Terrarever (indefinitely), use the following command:*
az monitor log-profiles update --name & lt;logProfileName> --set retentionPolicy.days=0 retentionPolicy.enabled=false
=== Fix - Buildtime
Terraform
- Resource: azurerm_monitor_log_profile
- Arguments: retention policy
Option 1
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0548 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_37 |