Ensure log retention policy is set for AWS CloudWatch Log Group

MEDIUM

Description

By default, CloudWatch Logs keeps log events indefinitely, which can become costly over time, so many administrators configure a retention period. Ensure that a specific timeframe is configured in accordance with regulatory requirements. Retention can also be used in conjunction with the archive setting to rotate logs. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the CloudWatch console.
  2. Select Log Groups in the navigation pane.
  3. Select the log group to update.
  4. Select 'Edit retention' and change the log retention value to 120 days.

In Terraform -

  1. In the aws_cloudwatch_log_group resource, set the retention_in_days argument to 120 (days).
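The console and Terraform steps above fix one log group at a time; the following added example (not part of this policy page or of any AWS tooling) audits existing log groups for a missing or over-long retention policy and applies the 120-day value through the PutRetentionPolicy API. The sample DescribeLogGroups response is constructed; the hypothetical `remediate` function accepts any client exposing `put_retention_policy`, such as `boto3.client("logs")`.

```python
"""Audit CloudWatch log groups for missing or over-long retention, then remediate.

Operates on the dict shape returned by the CloudWatch Logs DescribeLogGroups API:
a log group with no retention policy simply has no 'retentionInDays' key.
"""
from typing import Any, Dict, List, Optional

REQUIRED_RETENTION_DAYS = 120  # value this policy's remediation sets

# Constructed sample response; not captured from a real account.
SAMPLE_DESCRIBE_RESPONSE: Dict[str, Any] = {
    "logGroups": [
        {"logGroupName": "/aws/lambda/orders", "retentionInDays": 120},   # compliant
        {"logGroupName": "/aws/lambda/payments"},                         # never expires
        {"logGroupName": "/app/frontend", "retentionInDays": 3653},       # 10 years
    ]
}


def find_noncompliant(response: Dict[str, Any],
                      max_days: int = REQUIRED_RETENTION_DAYS) -> List[Dict[str, Optional[int]]]:
    """Return log groups whose retention is unset (kept forever) or longer than max_days."""
    findings: List[Dict[str, Optional[int]]] = []
    for group in response.get("logGroups", []):
        retention = group.get("retentionInDays")  # None means events are never deleted
        if retention is None or retention > max_days:
            findings.append({"logGroupName": group["logGroupName"],
                             "retentionInDays": retention})
    return findings


def remediate(client: Any, findings: List[Dict[str, Optional[int]]],
              days: int = REQUIRED_RETENTION_DAYS) -> List[str]:
    """Set the retention policy on each finding via PutRetentionPolicy; return names updated.

    `client` is any object with put_retention_policy(logGroupName=..., retentionInDays=...),
    e.g. boto3.client("logs"). Assumed helper, not part of the policy page.
    """
    updated: List[str] = []
    for finding in findings:
        client.put_retention_policy(logGroupName=finding["logGroupName"], retentionInDays=days)
        updated.append(finding["logGroupName"])
    return updated


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live account replace the
    # sample with pages from boto3.client("logs").get_paginator("describe_log_groups").
    for f in find_noncompliant(SAMPLE_DESCRIBE_RESPONSE):
        print(f"non-compliant: {f['logGroupName']} retention={f['retentionInDays']}")
```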

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days

Policy Details

Rule Reference ID: AC_AWS_0452
CSP: AWS
Remediation Available: Yes
Resource Category: Logging and Monitoring
Resource Type: CloudWatch

Frameworks