AWS CloudWatch log groups retention set to less than 365 days
Description
This policy checks that CloudWatch log groups in AWS are configured to retain logs for at least one year. Logging is a crucial part of maintaining a secure and reliable environment. Logs provide valuable insight into system operations, errors, access, usage patterns and potential security incidents. If a CloudWatch log group is not configured to retain logs for a sufficient period, important data could be lost. In some cases, regulations and standards also require logs to be retained for specific periods. Failing to retain logs for at least one year can hinder troubleshooting, vulnerability detection, auditing and compliance verification.
Remediation
Terraform
- Resource: aws_cloudwatch_log_group
- Arguments: retention_in_days
To fix the issue, add a retention_in_days attribute to your aws_cloudwatch_log_group resource and set its value to at least 365 so that logs are retained for one year, as follows:
Code Example
```hcl
resource "aws_cloudwatch_log_group" "example" {
  name              = "example"
  retention_in_days = 365
}
```
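As an added example (not part of this policy page and not Checkov's own implementation), the following Python check applies the rule above to a `terraform show -json` plan, descending into child modules. The plan excerpt is constructed for the example; reporting an omitted or zero retention_in_days as a separate UNBOUNDED verdict (Terraform and AWS treat those as "never expire") is this example's own choice, not something the rule text specifies.

```python
import json

MIN_RETENTION_DAYS = 365  # threshold enforced by IAC-0385 / CKV_AWS_338


def _lg(address, **values):  # one log-group entry as it appears in plan JSON
    return {"address": address, "type": "aws_cloudwatch_log_group", "values": values}


# Constructed `terraform show -json` plan excerpt (not a real plan): one compliant
# group, one too short, one with retention omitted, one in a child module, plus an
# unrelated resource that must be ignored.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        _lg("aws_cloudwatch_log_group.app", name="app", retention_in_days=365),
        _lg("aws_cloudwatch_log_group.short", name="short", retention_in_days=30),
        _lg("aws_cloudwatch_log_group.unset", name="unset"),
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "logs"}},
    ],
    "child_modules": [{"address": "module.api", "resources": [
        _lg("module.api.aws_cloudwatch_log_group.api", name="api", retention_in_days=90),
    ]}],
}}})


def iter_resources(module):
    """Yield every resource in a plan module tree, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_log_group_retention(plan_json, min_days=MIN_RETENTION_DAYS):
    """Map each aws_cloudwatch_log_group address in a plan to a verdict.
    PASS      retention_in_days >= min_days
    FAIL      retention_in_days set but below min_days
    UNBOUNDED retention_in_days omitted or 0 (Terraform/AWS: never expire);
              reported separately so a reviewer confirms it is intentional
    """
    results = {}
    for res in iter_resources(json.loads(plan_json)["planned_values"]["root_module"]):
        if res.get("type") != "aws_cloudwatch_log_group":
            continue
        days = res.get("values", {}).get("retention_in_days")
        if not days:  # None (omitted) or 0
            verdict = "UNBOUNDED"
        else:
            verdict = "PASS" if days >= min_days else "FAIL"
        results[res["address"]] = verdict
    return results
```

Run it against a real plan with `check_log_group_retention(open("plan.json").read())` to get one verdict per log group; anything other than PASS is worth a look before apply.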
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0385 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_338 |