Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

App-Tier CloudWatch Log Group Retention Period

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your app-tier CloudWatch log group has a retention period configured in order to establish how long log events are kept in Amazon CloudWatch Logs. Log retention settings are assigned to CloudWatch log groups and the retention period set for a log group is applied to their log streams as well. This conformity rule assumes that the AWS CloudWatch log group created for your app tier is using the following naming convention: <app_tier_log_group>. Prior to running this rule by the Cloud Conformity engine, the name and the retention period of the app-tier log group need to be defined in the rule settings, on your Cloud Conformity account dashboard.

Security
Operational
excellence
Cost
optimisation

The AWS CloudWatch log group created for the app tier may require different retention settings than other log groups available, as the retention period depends on the operational and regulatory constraints applied to the specified group. Also, if the retention period for the app-tier log group is not configured at all, the logging data will be retained indefinitely and the service cost will increase.

Note: Make sure that you replace all <app_tier_log_group> placeholders found in the conformity rule content with the name of your own log group created for the app tier.

Audit

To determine if your app-tier CloudWatch log group has a retention period, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Configure App-Tier CloudWatch Log Group Retention Period conformity rule settings, copy the name defined for your app-tier CloudWatch log group (e.g. <app_tier_log_group>) and note the log retention period configured for the group.

02 Sign in to the AWS Management Console.

03 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs to access the existing log groups.

05 Paste the name of your app-tier CloudWatch log group, copied at step no. 1 (e.g. <app_tier_log_group>), into the Log Group Name Prefix search box and press Enter. If the search process returns no results, there is no app-tier CloudWatch log group available within the selected AWS region and the audit process stops here (see this rule to create your own app-tier log group). If a CloudWatch log group is returned as result, the selected resource is an app-tier log group and the audit process continues with the next step.

06 Select the app-tier CloudWatch log group that you want to examine and check the log retention period value available in the Expire Events After column. If the retention period is set to Never Expire or the value does not match the one configured in the conformity rule settings, identified at step no. 1, the retention settings for the selected app-tier CloudWatch log group are not compliant.

07 Change the AWS region from the navigation bar and repeat step no. 5 and 6 to verify the retention settings for app-tier log groups available in other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Configure App-Tier CloudWatch Log Group Retention Period conformity rule settings, copy the name defined for your app-tier CloudWatch log group (e.g. <app_tier_log_group>) and note the log retention period configured for the log group.

02 Run describe-log-groups command (OSX/Linux/UNIX) using custom query filters to describe the configuration information for the specified app-tier CloudWatch log group. Replace <app_tier_log_group> with the name of your own app-tier log group copied at the previous step: 

aws logs describe-log-groups
	--region us-east-1
	--query "logGroups[?logGroupName == '<app_tier_log_group>']"

03 The command request should return one of the following outputs:

  1. If the describe-log-groups command output returns an empty array (i.e. []), as shown in the example below, there is no app-tier CloudWatch log group available in the selected AWS region, therefore the audit process for the selected resource ends here (see this rule to create your own app-tier CloudWatch log group): 
    []
  2. If the command output returns the log group configuration details, the selected CloudWatch resource is an app-tier log group and the audit process continues with the next step: 
    [
    {
        "arn": "arn:aws:logs:us-east-1:123456789012:log-group::*",
        "creationTime": 1522177314955,
        "metricFilterCount": 0,
        "logGroupName": "",
        "storedBytes": 204
    }
]

04 Run describe-log-groups command (OSX/Linux/UNIX) using the name of the app-tier log group identified at the previous step and custom query filters to describe the retention period (i.e. the number of days to retain the log events) for the selected app-tier CloudWatch log group. Replace <app_tier_log_group> with the name of your own app-tier log group copied at step no. 1: 

aws logs describe-log-groups
	--region us-east-1
	--log-group-name-prefix <app_tier_log_group>
	--query "logGroups[*].retentionInDays"

05 The command output should return the log retention period for the specified app-tier CloudWatch log group: 

[]

If the command output returns an empty array (i.e. []), as shown in the example above, or the value inside the array does not match the one configured in the conformity rule settings, the log retention period for the selected app-tier CloudWatch log group is not compliant.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 to check the retention settings for app-tier log groups available in other regions.

Remediation / Resolution

To configure the log retention period for your app-tier CloudWatch log group, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Configure App-Tier CloudWatch Log Group Retention Period rule settings and note the retention period defined for your app-tier CloudWatch log group.

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs.

05 Choose the app-tier AWS CloudWatch log group that you want to configure (see Audit section part I to identify the right resource) and click on the value (link) available in the Expire Events After column.

06 Inside Edit Retention dialog box, select the same retention period (days) as the one defined in the rule settings, identified at step no. 1, from the Retention dropdown list, then click Ok to apply the changes.

07 If required, change the AWS region from the navigation bar and repeat step no. 5 and 6 for app-tier log groups available in other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Configure App-Tier CloudWatch Log Group Retention Period rule settings and note the retention period defined for your app-tier CloudWatch log group.

02 Run put-retention-policy command (OSX/Linux/UNIX) to set the log retention period for the selected app-tier CloudWatch log group (see Audit section part II to identify the right AWS CloudWatch resource). Replace the --log-group-name and --retention-in-day parameters values with your own values (the command does not return an output): 

aws logs put-retention-policy
	--log-group-name <app_tier_log_group>
	--retention-in-days 10

03 If required, change the AWS region by updating the --region command parameter value and repeat step no. 2 for app-tier CloudWatch log groups available within other regions.

References

Publication date Mar 28, 2018

Related CloudWatchLogs rules