CloudWatch Without Retention Period Specified

  • Query id: 934613fe-b12c-4e5a-95f5-c1dcdffac1ff
  • Query name: CloudWatch Without Retention Period Specified
  • Platform: Crossplane
  • Severity: Info
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

AWS CloudWatch log groups should have a retention period (retentionInDays) specified so that CloudWatch Logs can be used to monitor, store, and access log events for a defined window. A log group that omits the field, or sets it to 0, is left without a retention policy.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
kind: LogGroup
metadata:
  name: lg-3
spec:
  forProvider:
    logGroupName: /aws/eks/sample-cluster/cluster
    region: us-east-1
    retentionInDays: 0
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
        kind: LogGroup
        metadata:
          name: lg-4
        spec:
          forProvider:
            logGroupName: /aws/eks/sample-cluster/cluster
            region: us-east-1
            retentionInDays: 0

Positive test num. 2 - yaml file
apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
kind: LogGroup
metadata:
  name: lg-5
spec:
  forProvider:
    logGroupName: /aws/eks/sample-cluster/cluster
    region: us-east-1
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
        kind: LogGroup
        metadata:
          name: lg-6
        spec:
          forProvider:
            logGroupName: /aws/eks/sample-cluster/cluster
            region: us-east-1

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
kind: LogGroup
metadata:
  name: lg-1
spec:
  forProvider:
    logGroupName: /aws/eks/sample-cluster/cluster
    region: us-east-1
    retentionInDays: 1
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
        kind: LogGroup
        metadata:
          name: lg-2
        spec:
          forProvider:
            logGroupName: /aws/eks/sample-cluster/cluster
            region: us-east-1
            retentionInDays: 1
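The following is an added example, not code from KICS or from Crossplane: a small checker that reproduces this query's logic over parsed manifests. It walks each document, finds LogGroup objects either standalone or embedded as the `base` of a Composition resource (the two shapes shown above), and reports any whose `retentionInDays` is absent or not a positive integer. The sample documents are constructed inline as Python dicts mirroring the YAML samples on this page; a real run would load the files with a YAML parser (PyYAML's `safe_load_all`), which is assumed rather than shown here.

```python
# Added example, not code from KICS or Crossplane: reproduces the logic of the
# "CloudWatch Without Retention Period Specified" query over parsed manifests.
from typing import Any, Dict, Iterator, List, Tuple

Finding = Tuple[str, str]  # (log group name, reason)


def log_group_specs(doc: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (name, spec) for each LogGroup found in one manifest document.

    Covers the two shapes on this page: a standalone LogGroup, and LogGroups
    embedded as `base` under spec.resources[] of a Composition.
    """
    kind = doc.get("kind")
    if kind == "LogGroup":
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        yield name, doc.get("spec") or {}
    elif kind == "Composition":
        for res in doc.get("spec", {}).get("resources") or []:
            base = res.get("base") or {}
            if base.get("kind") == "LogGroup":
                name = base.get("metadata", {}).get("name") or res.get("name", "<unnamed>")
                yield name, base.get("spec") or {}


def check_retention(docs: List[Dict[str, Any]]) -> List[Finding]:
    """Flag every LogGroup whose retentionInDays is absent or not a positive integer.

    Both an absent field and a value of 0 leave the group without a retention
    policy, which is what the positive samples above show.
    """
    findings: List[Finding] = []
    for doc in docs:
        for name, spec in log_group_specs(doc):
            retention = (spec.get("forProvider") or {}).get("retentionInDays")
            if retention is None:
                findings.append((name, "retentionInDays not specified"))
            elif isinstance(retention, bool) or not isinstance(retention, int) or retention < 1:
                findings.append((name, f"retentionInDays is {retention!r}, not a positive number of days"))
    return findings


def _log_group(name: str, retention=None) -> Dict[str, Any]:
    """Build a LogGroup dict shaped like the YAML samples (constructed input)."""
    for_provider: Dict[str, Any] = {
        "logGroupName": "/aws/eks/sample-cluster/cluster",
        "region": "us-east-1",
    }
    if retention is not None:
        for_provider["retentionInDays"] = retention
    return {
        "apiVersion": "cloudwatchlogs.aws.crossplane.io/v1alpha1",
        "kind": "LogGroup",
        "metadata": {"name": name},
        "spec": {"forProvider": for_provider},
    }


def _composition(base: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a LogGroup as the `base` of a Composition resource (constructed input)."""
    return {
        "apiVersion": "apiextensions.crossplane.io/v1",
        "kind": "Composition",
        "metadata": {"name": "cluster-aws"},
        "spec": {"resources": [{"name": "sample-ec2", "base": base}]},
    }


# Parsed equivalents of the page's samples, constructed here instead of being
# read from disk; a real run would feed the output of a YAML parser instead.
POSITIVE_DOCS = [
    _log_group("lg-3", 0), _composition(_log_group("lg-4", 0)),   # retention 0
    _log_group("lg-5"), _composition(_log_group("lg-6")),         # field omitted
]
NEGATIVE_DOCS = [_log_group("lg-1", 1), _composition(_log_group("lg-2", 1))]

if __name__ == "__main__":
    for group, reason in check_retention(POSITIVE_DOCS + NEGATIVE_DOCS):
        print(f"{group}: {reason}")
```

Running the script lists lg-3 through lg-6 with their reasons and nothing for lg-1 and lg-2, matching the positive and negative samples above. The checker deliberately treats a boolean or negative value the same as 0, since none of those produce a usable retention policy.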