CloudWatch Without Retention Period Specified

• Query id: e24e18d9-4c2b-4649-b3d0-18c088145e24
• Query name: CloudWatch Without Retention Period Specified
• Platform: Ansible
• Severity: Info
• Category: Observability
• CWE: 778
• URL: Github

Description

AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: example ec2 group
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
- name: example2 ec2 group
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    retention: 111111

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: example3 ec2 group
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    retention: 5