CloudWatch Without Retention Period Specified
- Query id: 934613fe-b12c-4e5a-95f5-c1dcdffac1ff
- Query name: CloudWatch Without Retention Period Specified
- Platform: Crossplane
- Severity: Info
- Category: Observability
- CWE: 778
- URL: Github
Description¶
A CloudWatch `LogGroup` should set an explicit retention period in `spec.forProvider.retentionInDays`. When the field is omitted or set to `0`, CloudWatch Logs keeps the group's events indefinitely, so nothing bounds how long log data (and its storage cost) accumulates. The query flags both cases, whether the `LogGroup` is a standalone managed resource or the `base` of a resource inside a `Composition`.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
```yaml
apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
kind: LogGroup
metadata:
  name: lg-3
spec:
  forProvider:
    logGroupName: /aws/eks/sample-cluster/cluster
    region: us-east-1
    retentionInDays: 0
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
        kind: LogGroup
        metadata:
          name: lg-4
        spec:
          forProvider:
            logGroupName: /aws/eks/sample-cluster/cluster
            region: us-east-1
            retentionInDays: 0
```
Positive test num. 2 - yaml file
```yaml
apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
kind: LogGroup
metadata:
  name: lg-5
spec:
  forProvider:
    logGroupName: /aws/eks/sample-cluster/cluster
    region: us-east-1
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
        kind: LogGroup
        metadata:
          name: lg-6
        spec:
          forProvider:
            logGroupName: /aws/eks/sample-cluster/cluster
            region: us-east-1
```
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
```yaml
apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
kind: LogGroup
metadata:
  name: lg-1
spec:
  forProvider:
    logGroupName: /aws/eks/sample-cluster/cluster
    region: us-east-1
    retentionInDays: 1
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
        kind: LogGroup
        metadata:
          name: lg-2
        spec:
          forProvider:
            logGroupName: /aws/eks/sample-cluster/cluster
            region: us-east-1
            retentionInDays: 1
```
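The check behind this query, written out as an added example so the positive and negative samples above can be run through it. This is not the KICS query itself (KICS queries are written in Rego) and not Crossplane code; it is a standalone Python checker that walks parsed manifests, flags any `LogGroup` whose `spec.forProvider.retentionInDays` is missing or `0`, and also looks inside `Composition` resource bases. The sample documents are constructed inline to mirror the page's tests. One addition beyond the query as documented: a Composition resource whose `patches` list targets `spec.forProvider.retentionInDays` is skipped, on the assumption that the value is injected from the composite resource at runtime; that is an assumption, and the patched value could still be `0`.

```python
"""Flag Crossplane CloudWatch LogGroups with no retention period.

Added example, not KICS or Crossplane code. Works on already-parsed
manifests (dicts), so it runs without PyYAML; scan_manifest() is a thin
wrapper for real files and needs PyYAML installed.
"""
from typing import Any, Dict, Iterable, List

LOG_GROUP_API_PREFIX = "cloudwatchlogs.aws.crossplane.io/"
RETENTION_PATH = "spec.forProvider.retentionInDays"


def is_log_group(doc: Any) -> bool:
    """True for a provider-aws CloudWatch Logs LogGroup manifest."""
    return (isinstance(doc, dict) and doc.get("kind") == "LogGroup"
            and str(doc.get("apiVersion", "")).startswith(LOG_GROUP_API_PREFIX))


def retention_is_set(doc: Dict[str, Any]) -> bool:
    """A positive integer retention; absent or 0 means 'never expire' in CloudWatch."""
    value = (doc.get("spec") or {}).get("forProvider", {}).get("retentionInDays")
    # bool is a subclass of int in Python; `retentionInDays: true` is not a valid retention
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def patch_targets_retention(resource: Dict[str, Any]) -> bool:
    """Assumption: a patch writing to the retention field supplies it at compose time.

    Crossplane patches default toFieldPath to fromFieldPath when it is omitted.
    """
    for patch in resource.get("patches") or []:
        target = patch.get("toFieldPath") or patch.get("fromFieldPath")
        if target == RETENTION_PATH:
            return True
    return False


def find_missing_retention(docs: Iterable[Any]) -> List[Dict[str, str]]:
    """Return one finding per LogGroup (standalone or in a Composition base) lacking retention."""
    findings: List[Dict[str, str]] = []
    for doc in docs:
        if is_log_group(doc):
            if not retention_is_set(doc):
                findings.append({"name": doc["metadata"]["name"], "path": RETENTION_PATH,
                                 "reason": "LogGroup retentionInDays is missing or 0"})
        elif isinstance(doc, dict) and doc.get("kind") == "Composition":
            for res in (doc.get("spec") or {}).get("resources") or []:
                base = res.get("base") or {}
                if not is_log_group(base) or retention_is_set(base):
                    continue
                if patch_targets_retention(res):
                    continue  # value assumed to arrive via patch (see module docstring)
                findings.append({"name": base["metadata"]["name"],
                                 "path": f"spec.resources[{res.get('name')}].base.{RETENTION_PATH}",
                                 "reason": "Composition base LogGroup retentionInDays is missing or 0"})
    return findings


def scan_manifest(text: str) -> List[Dict[str, str]]:
    """Parse a multi-document YAML string with PyYAML (optional dependency) and check it."""
    import yaml  # PyPI package 'pyyaml'; only needed for this wrapper
    return find_missing_retention(yaml.safe_load_all(text))


def log_group(name: str, retention: Any = None) -> Dict[str, Any]:
    """Build a constructed LogGroup manifest mirroring the page's samples."""
    for_provider: Dict[str, Any] = {"logGroupName": "/aws/eks/sample-cluster/cluster",
                                    "region": "us-east-1"}
    if retention is not None:
        for_provider["retentionInDays"] = retention
    return {"apiVersion": LOG_GROUP_API_PREFIX + "v1alpha1", "kind": "LogGroup",
            "metadata": {"name": name}, "spec": {"forProvider": for_provider}}


# Constructed sample set: lg-3 (0), lg-5 (absent) and lg-6 (absent, in a Composition)
# should be flagged; lg-1 (1 day) and lg-7 (absent but patched) should not.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    log_group("lg-3", 0),
    log_group("lg-5"),
    log_group("lg-1", 1),
    {"apiVersion": "apiextensions.crossplane.io/v1", "kind": "Composition",
     "metadata": {"name": "cluster-aws"},
     "spec": {"resources": [
         {"name": "sample-ec2", "base": log_group("lg-6")},
         {"name": "patched-logs", "base": log_group("lg-7"),
          "patches": [{"type": "FromCompositeFieldPath",
                       "fromFieldPath": "spec.parameters.logRetentionDays",  # hypothetical XR field
                       "toFieldPath": RETENTION_PATH}]},
     ]}},
]

if __name__ == "__main__":
    for finding in find_missing_retention(SAMPLE_DOCS):
        print(f"{finding['name']}: {finding['reason']} ({finding['path']})")
```

Run the module directly to see the three findings for the constructed set, or call `scan_manifest()` on the contents of a real manifest file. The check is purely static: it confirms a retention value is written in the manifest, not that the deployed log group carries it, so pair it with a runtime check (for example `aws logs describe-log-groups`) if you need to verify what is actually in the account.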