
AWS CloudWatch Log groups not configured with definite retention days

Description

Enabling CloudWatch retention establishes how long log events are kept in AWS CloudWatch Logs. Retention settings are assigned to CloudWatch log groups, and the retention period assigned to a log group applies to all of its log streams. Any data older than the current retention setting is deleted automatically. You can change the log retention for each log group at any time. By default, log data is stored in CloudWatch Logs indefinitely. This may incur high, unexpected costs, especially when combined with other forms of logging. We recommend you configure how long to store log data in each log group to balance cost with compliance retention requirements.
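The check this rule describes, written out as an added example (not Checkov's own implementation, and not code from the page): it walks a CloudFormation template and a `terraform show -json` plan and flags every log group whose retention is absent or, in the Terraform provider's convention, set to 0 (never expire). The two sample inputs are constructed inline for illustration; a `RetentionInDays` supplied through an intrinsic function such as `Ref` is reported as UNKNOWN rather than guessed, since it cannot be resolved without evaluating the template.

```python
import json

# Constructed sample CloudFormation template (not from the page):
# one log group with no retention, one with a definite value, one using Ref.
SAMPLE_CFN_TEMPLATE = {
    "Parameters": {"AuditRetention": {"Type": "Number", "Default": 365}},
    "Resources": {
        "AppLogs": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {"LogGroupName": "/app/api"},
        },
        "WebLogs": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {"LogGroupName": "/app/web", "RetentionInDays": 90},
        },
        "AuditLogs": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {"LogGroupName": "/app/audit",
                           "RetentionInDays": {"Ref": "AuditRetention"}},
        },
    },
}

# Constructed sample Terraform plan JSON, trimmed to the fields the check reads.
SAMPLE_TF_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_cloudwatch_log_group.default",
                    "type": "aws_cloudwatch_log_group",
                    "values": {"name": "/app/worker", "retention_in_days": 0},
                },
            ],
            "child_modules": [
                {
                    "address": "module.web",
                    "resources": [
                        {
                            "address": "module.web.aws_cloudwatch_log_group.bounded",
                            "type": "aws_cloudwatch_log_group",
                            "values": {"name": "/app/web", "retention_in_days": 90},
                        }
                    ],
                }
            ],
        }
    }
}


def has_definite_retention(days):
    """True only for a positive integer day count.

    CloudWatch keeps events forever when no retention policy is set, and the
    Terraform AWS provider uses retention_in_days = 0 to mean "never expire".
    bool is excluded because it is an int subclass in Python.
    """
    return isinstance(days, int) and not isinstance(days, bool) and days > 0


def check_cloudformation(template):
    """Return one finding per AWS::Logs::LogGroup in a CloudFormation template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Logs::LogGroup":
            continue
        days = (res.get("Properties") or {}).get("RetentionInDays")
        if isinstance(days, dict):
            # Intrinsic function (Ref, Fn::If, ...): not resolvable statically here.
            status = "UNKNOWN"
        else:
            status = "PASSED" if has_definite_retention(days) else "FAILED"
        findings.append({"resource": logical_id, "status": status, "retention": days})
    return findings


def _iter_plan_resources(module):
    """Yield planned resources, descending into nested child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _iter_plan_resources(child)


def check_terraform_plan(plan):
    """Return one finding per aws_cloudwatch_log_group in a Terraform plan JSON."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _iter_plan_resources(root):
        if res.get("type") != "aws_cloudwatch_log_group":
            continue
        days = (res.get("values") or {}).get("retention_in_days")
        status = "PASSED" if has_definite_retention(days) else "FAILED"
        findings.append({"resource": res.get("address"), "status": status, "retention": days})
    return findings


def failed_resources(findings):
    """Addresses / logical IDs that need a retention policy."""
    return [f["resource"] for f in findings if f["status"] == "FAILED"]


if __name__ == "__main__":
    for f in check_cloudformation(SAMPLE_CFN_TEMPLATE) + check_terraform_plan(SAMPLE_TF_PLAN):
        print(json.dumps(f))
```

Treating 0 as a failure matters in practice: a Terraform module that exposes `retention_in_days` as a variable with a default of 0 will pass a naive "attribute present" check while still creating a never-expire log group.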

Code Example

shell

aws logs put-retention-policy
  --log-group-name <value>
  --retention-in-days <value>
  [--cli-input-json <value>]
  [--generate-cli-skeleton <value>]

Remediation

  • AWS Console

Procedure:

1. Log in to the AWS Management Console at https://console.aws.amazon.com/.

2. Open the Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

3. In the navigation pane, choose Log Groups.

4. Find the log group to update.

5. In the Expire Events After column for that log group, choose the current retention setting, such as Never Expire.

6. In Edit Retention, for Retention, choose a log retention value, then click Ok.

  • CLI Command

Sets the retention of the specified log group. A retention policy allows you to configure the number of days for which to retain log events in the specified log group.

Rule Details

Field       | Value
ID          | IAC-0119
Severity    | LOW
IaC Type    | Cloudformation
Frameworks  | CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID  | CKV_AWS_66
