CloudWatch Without Retention Period Specified

  • Query id: ef0b316a-211e-42f1-888e-64efe172b755
  • Query name: CloudWatch Without Retention Period Specified
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

AWS CloudWatch log groups should have retention_in_days set to a positive number of days. A log group whose retention_in_days is missing, or set to 0, keeps its log events indefinitely, so the check flags both cases.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_cloudwatch_log_group" "positive1" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }
}

resource "aws_cloudwatch_log_group" "positive2" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }

  retention_in_days = 0
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_cloudwatch_log_group" "negative1" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }

  retention_in_days = 1
}
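The following checker is an added illustration of this rule and is not part of KICS or of the query's own implementation: it scans Terraform text for aws_cloudwatch_log_group resources and reports any whose retention_in_days is absent or 0, using a constructed sample that mirrors the test cases above. The regex-based block extraction and the SAMPLE_TF input are assumptions of this example, not a full HCL parser.

```python
"""Flag aws_cloudwatch_log_group resources whose retention_in_days is
missing or 0 (such log groups keep their events indefinitely)."""
import re

RESOURCE_RE = re.compile(r'resource\s+"aws_cloudwatch_log_group"\s+"([^"]+)"\s*\{')
RETENTION_RE = re.compile(r'^\s*retention_in_days\s*=\s*(\d+)\s*$', re.MULTILINE)


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close,
    so nested blocks such as tags = { ... } are kept inside the resource."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform input")


def find_unretained_log_groups(tf_text):
    """Return names of log groups with no positive literal retention_in_days.
    A non-literal value (e.g. a variable reference) does not match the digit
    pattern and is therefore reported for manual review."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        body = _block_body(tf_text, m.end() - 1)
        r = RETENTION_RE.search(body)
        if r is None or int(r.group(1)) == 0:
            findings.append(m.group(1))
    return findings


# Constructed sample mirroring the page's positive and negative test cases.
SAMPLE_TF = """
resource "aws_cloudwatch_log_group" "positive1" {
  name = "Yada"
  tags = {
    Environment = "production"
  }
}

resource "aws_cloudwatch_log_group" "positive2" {
  name = "Yada"
  retention_in_days = 0
}

resource "aws_cloudwatch_log_group" "negative1" {
  name = "Yada"
  retention_in_days = 1
}
"""

if __name__ == "__main__":
    print(find_unretained_log_groups(SAMPLE_TF))  # ['positive1', 'positive2']
```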