CloudWatch Without Retention Period Specified

  • Query id: e24e18d9-4c2b-4649-b3d0-18c088145e24
  • Query name: CloudWatch Without Retention Period Specified
  • Platform: Ansible
  • Severity: Info
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

CloudWatch log groups created through Ansible should specify a retention period so that CloudWatch Logs can monitor, store, and provide access to log events for a defined time.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

```yaml
- name: example ec2 group
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
- name: example2 ec2 group
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    retention: 111111
```

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

```yaml
- name: example3 ec2 group
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    retention: 5
```
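The following is an added example and not part of the KICS query or the Ansible module: a small Python checker that walks a list of Ansible tasks (already loaded from YAML into dicts) and reports `cloudwatchlogs_log_group` invocations that either omit `retention`, as in the first positive sample above, or set a value CloudWatch rejects, as in the second. It goes slightly beyond the page by also accepting the short module name and the `amazon.aws` FQCN, by treating a non-integer `retention` as a finding, and by skipping tasks with `state: absent`, where retention is irrelevant. The set of allowed retention values is assumed to mirror the one documented for the CloudWatch Logs `PutRetentionPolicy` API at the time of writing; the sample tasks are constructed from the page's own snippets.

```python
"""Report Ansible cloudwatchlogs_log_group tasks with missing or invalid retention.

Added example; not the KICS query's own implementation and not part of the
Ansible module. Tasks are plain dicts, i.e. what a YAML loader would return.
"""

# Retention values (days) accepted by CloudWatch Logs PutRetentionPolicy.
# Assumption: this mirrors the documented allowed set at the time of writing.
VALID_RETENTION_DAYS = frozenset({
    1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
    1096, 1827, 2192, 2557, 2922, 3288, 3653,
})

# Module keys that create a log group: the short name and both FQCNs.
# Assumption: these are the names a playbook author may use for the module.
LOG_GROUP_MODULES = (
    "cloudwatchlogs_log_group",
    "community.aws.cloudwatchlogs_log_group",
    "amazon.aws.cloudwatchlogs_log_group",
)


def check_task(task):
    """Return a finding string for one task dict, or None if the task is fine."""
    for module in LOG_GROUP_MODULES:
        if module in task:
            params = task[module] or {}
            break
    else:
        return None  # not a log group task; nothing to check

    name = task.get("name", "<unnamed task>")
    group = params.get("log_group_name", "<unknown group>")

    if params.get("state", "present") == "absent":
        return None  # the group is being deleted; retention does not apply

    retention = params.get("retention")
    if retention is None:
        return f"{name}: log group '{group}' has no retention period (events never expire)"

    try:
        days = int(retention)
    except (TypeError, ValueError):
        return f"{name}: retention {retention!r} is not an integer number of days"

    if days not in VALID_RETENTION_DAYS:
        return f"{name}: retention {days} is not a value CloudWatch accepts"
    return None


def check_tasks(tasks):
    """Run check_task over every task and collect the non-empty findings."""
    return [finding for finding in (check_task(t) for t in tasks) if finding]


# Constructed sample input: the page's positive and negative test cases,
# written as the dicts a YAML loader would produce for those snippets.
SAMPLE_TASKS = [
    {"name": "example ec2 group",
     "community.aws.cloudwatchlogs_log_group": {"log_group_name": "test-log-group"}},
    {"name": "example2 ec2 group",
     "community.aws.cloudwatchlogs_log_group": {"log_group_name": "test-log-group",
                                                "retention": 111111}},
    {"name": "example3 ec2 group",
     "community.aws.cloudwatchlogs_log_group": {"log_group_name": "test-log-group",
                                                "retention": 5}},
]

if __name__ == "__main__":
    # Expected: two findings (the two positive samples); example3 passes.
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

Feeding the checker a real playbook only requires loading it with a YAML parser and passing the task list; the `state: absent` branch matters in practice because a deletion task legitimately carries no `retention` and would otherwise be a false positive.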