Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Configure Data Retention Period for CloudWatch Logs Log Groups

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon CloudWatch Logs log groups have a retention period of at least 1 year. The retention period feature must be configured to establish how long log events are kept in Amazon CloudWatch Logs. Just like metric filters, retention settings are assigned to log groups and the retention period assigned to a log group is applied to their log streams as well.

Security
Reliability
Cost
optimisation
Performance
efficiency
Operational
excellence

Amazon CloudWatch Logs bring together logs from your various systems, applications, and AWS services into one incredibly scalable service. Amazon CloudWatch Logs provides the capability to oversee, retain, and retrieve your log files sources like Amazon EC2 instances, CloudTrail, Route 53, and more. Maintaining log records for a minimum of 1 year can be advantageous in adhering to log retention regulations. Also, if the retention period for a log group is not configured, the log data will be retained indefinitely.

Audit

To determine if your CloudWatch Logs log groups have a retention period of at least 1 year, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console available at https://console.aws.amazon.com/cloudwatch/.

03 In the navigation panel, under Logs, choose Log groups.

04 Click on the name (link) of the log group that you want to examine.

05 Check the Retention attribute value available in the Log group details section to determine the log data retention period configured for the log group. If the Retention period is less than 1 year, the data retention period configured for the selected Amazon CloudWatch Logs log group is not compliant.

06 Repeat steps no. 4 and 5 for each log group available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and perform the Audit process for other regions.

Using AWS CLI

01 Run describe-log-groups command (OSX/Linux/UNIX) to list the name of each Amazon CloudWatch Logs log groups created in the selected AWS cloud region: 

aws logs describe-log-groups
  --region us-east-1
  --output table
  --query "logGroups[*].logGroupName"

02 The command output should return a table with the requested log group names: 

-----------------------------
|     DescribeLogGroups     |
+---------------------------+
|  cc-project5-log-group    |
|  cc-app-access-log-group  |
+---------------------------+

03 Run describe-log-groups command (OSX/Linux/UNIX) using the name of the CloudWatch Logs log group that you want to examine as the identifier parameter and custom query filters to describe the retention period (i.e. the number of days to retain the log events) configured for the selected log group: 

aws logs describe-log-groups
  --region us-east-1
  --log-group-name-prefix cc-api-access-logs
  --query "logGroups[*].retentionInDays"

04 The command output should return the retention period configured for the specified log group: 

[
	7
]

If the retention period returned by the describe-log-groups command output is less than 1 year, as shown in the output example above, the data retention period configured for the selected Amazon CloudWatch Logs log group is not compliant.

05 Repeat steps no. 3 and 4 for each log group available in the selected AWS region.

06 If required, change the AWS cloud region by updating the --region command parameter value and perform the Audit process for other regions.

Remediation / Resolution

To configure the optimal log retention period for your Amazon CloudWatch Logs log groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console available at https://console.aws.amazon.com/cloudwatch/.

03 In the navigation panel, under Logs, choose Log groups.

04 Select the log group that you want to configure, choose Actions, and select Edit retention setting(s).

05 Inside the Retention setting configuration box, select a retention period of at least 12 months (365 days) from the Expire events after dropdown list. Choose Save to apply the configuration changes.

06 Repeat steps no. 4 and 5 for each log group available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.

Using AWS CLI

01 Run put-retention-policy command (OSX/Linux/UNIX) to set up the appropriate log retention period for the selected Amazon CloudWatch Logs log group. Set the --retention-in-day parameter value to a retention period of at least 1 year (the command should not produce an output): 

aws logs put-retention-policy
  --log-group-name cc-project5-log-group
  --retention-in-days 365

02 Repeat step no. 1 for each log group available in the selected AWS region.

03 If required, change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.

References

Publication date Sep 1, 2023

Related CloudWatchLogs rules