Ensure a log retention period of at least 90 days for AWS CloudWatch Log Group

HIGH

Description

By default, CloudWatch log groups retain log events indefinitely. Because this becomes costly over time, many administrators configure a retention period. It is important to ensure that this period is set to a specific timeframe that meets regulatory requirements; the most common retention period recorded for compliance is 90 days. Retention can also be used together with the archive setting to rotate logs. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the CloudWatch console.
  2. Select Log Groups in the navigation pane.
  3. Select the log group to update.
  4. Select 'Edit retention' and change the log retention value to 90 days or more.

In Terraform -

  1. In the aws_cloudwatch_log_group resource, set the field retention_in_days to 90 days or more.
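The rule above, implemented as a standalone check over aws_cloudwatch_log_group attributes. This is an added example, not code from the rule or from any scanner; the attribute dicts are constructed by hand in the shape a Terraform plan or HCL parser would yield, and treating an unset retention_in_days (logs never expire) as a finding is an assumption made here, following the description's requirement for an explicit timeframe.

```python
"""Evaluate aws_cloudwatch_log_group attributes against a 90-day minimum retention.

Added example, not part of the original rule text. Input dicts are constructed
by hand (as a Terraform plan or HCL parser would produce them). Treating an
unset retention_in_days as a finding is an assumption made in this example.
"""

# Retention values (days) accepted by CloudWatch Logs PutRetentionPolicy.
VALID_RETENTION_DAYS = {
    1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
    1096, 1827, 2192, 2557, 2922, 3288, 3653,
}
MIN_RETENTION_DAYS = 90


def check_retention(attrs, minimum=MIN_RETENTION_DAYS):
    """Return (status, reason) for one log group's attributes; status is PASS or FAIL."""
    value = attrs.get("retention_in_days")
    if value is None or value == 0:
        # Unset, or 0 in the Terraform provider, means "never expire":
        # no explicit timeframe is configured, so report it (assumption).
        return "FAIL", "retention_in_days not set; log events never expire"
    if isinstance(value, bool) or not isinstance(value, int):
        return "FAIL", f"retention_in_days must be an integer, got {value!r}"
    if value not in VALID_RETENTION_DAYS:
        # CloudWatch rejects arbitrary values; an apply with this value would fail.
        return "FAIL", f"{value} is not a retention value CloudWatch accepts"
    if value < minimum:
        return "FAIL", f"retention_in_days={value} is below the {minimum}-day minimum"
    return "PASS", f"retention_in_days={value} meets the {minimum}-day minimum"


def evaluate_log_groups(resources, minimum=MIN_RETENTION_DAYS):
    """Run the check over {resource_address: attrs}; return {address: (status, reason)}."""
    return {addr: check_retention(attrs, minimum) for addr, attrs in resources.items()}


# Constructed sample resources, as they would be parsed from a Terraform configuration.
SAMPLE_LOG_GROUPS = {
    "aws_cloudwatch_log_group.app": {"name": "/app/prod", "retention_in_days": 90},
    "aws_cloudwatch_log_group.debug": {"name": "/app/debug", "retention_in_days": 14},
    "aws_cloudwatch_log_group.legacy": {"name": "/app/legacy"},
    "aws_cloudwatch_log_group.odd": {"name": "/app/odd", "retention_in_days": 100},
}

if __name__ == "__main__":
    for addr, (status, reason) in evaluate_log_groups(SAMPLE_LOG_GROUPS).items():
        print(f"{status:4} {addr}: {reason}")
```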

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days

Policy Details

Rule Reference ID: AC_AWS_0448
CSP: AWS
Remediation Available: Yes
Resource Category: Logging and Monitoring
Resource Type: CloudWatch

Frameworks