Triage: AWS CloudWatch LogGroups should have a finite retention (LOG_RETENTION_NO_LIMIT)
Quick Links
- Configure AWS CloudWatch LogGroups should have a finite retention
- Use Case for AWS CloudWatch LogGroups should have a finite retention
- Triage Guides by Violation Type
Why should I care about fixing this issue?
To understand how to evaluate the correct log retention for your use-case, read our use-case page.
What is the data source for this policy?
This policy relies on a call to logs:DescribeLogGroups. If a log group in the response does not contain the property retentionInDays, the policy opens a violation.
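The check described above, reproduced as an added example (not the policy's own implementation) over DescribeLogGroups output, plus the matching PutRetentionPolicy calls; the sample pages are constructed, and the allowed-values set is assumed from the AWS API documentation and should be confirmed against current docs:

```python
# Added example: reproduce the LOG_RETENTION_NO_LIMIT check over DescribeLogGroups
# output and build the PutRetentionPolicy calls that would remediate each finding.
from typing import Iterable

# Retention values PutRetentionPolicy accepts (assumed from the AWS docs; verify before use).
ALLOWED_RETENTION_DAYS = {
    1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
    1096, 1827, 2192, 2557, 2922, 3288, 3653,
}

def find_unbounded_log_groups(pages: Iterable[dict]) -> list[str]:
    """Return names of log groups whose DescribeLogGroups entry lacks retentionInDays.

    `pages` is any iterable of DescribeLogGroups response dicts, for example the
    output of boto3's describe_log_groups paginator, so the same logic runs live or offline.
    """
    violations = []
    for page in pages:
        for group in page.get("logGroups", []):
            # Unlimited retention is signalled by the key being absent; the API does not
            # return 0 (the Terraform default) here, so a key-presence check is the right test.
            if "retentionInDays" not in group:
                violations.append(group["logGroupName"])
    return violations

def remediation_calls(group_names: list[str], retention_in_days: int) -> list[dict]:
    """Build PutRetentionPolicy kwargs for each violating group (nothing is executed here)."""
    if retention_in_days not in ALLOWED_RETENTION_DAYS:
        raise ValueError(f"{retention_in_days} is not an accepted retention value")
    return [{"logGroupName": name, "retentionInDays": retention_in_days} for name in group_names]

# Constructed sample: two response pages shaped like DescribeLogGroups output.
SAMPLE_PAGES = [
    {"logGroups": [
        {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30, "storedBytes": 1024},
        {"logGroupName": "/example/log/group", "storedBytes": 4096},
    ]},
    {"logGroups": [
        {"logGroupName": "/ecs/api", "retentionInDays": 365},
        {"logGroupName": "/app/debug"},
    ]},
]

if __name__ == "__main__":
    missing = find_unbounded_log_groups(SAMPLE_PAGES)
    for call in remediation_calls(missing, 365):
        print(call)  # with boto3: logs_client.put_retention_policy(**call)
```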
Does this policy scan on a schedule? If so, when?
No, it's triggered when changes to matching resources are detected.
How do I set a retention policy using AWS Console?
How do I set a retention policy using CloudFormation?
Note that the RetentionInDays property is optional; when it is omitted, retention is unlimited.
Type: AWS::Logs::LogGroup
Properties:
+   RetentionInDays: 365
How do I set a retention policy using Terraform?
Note that the retention_in_days argument is optional: it may be absent from the resource, and its default value of 0 means unlimited retention.
resource "aws_cloudwatch_log_group" "example" {
-   retention_in_days = 0
+   retention_in_days = 365
}
How do I set a retention policy using AWS CLI?
aws \
logs put-retention-policy \
--log-group-name /example/log/group \
+ --retention-in-days 365
When is it appropriate to mark this violation as "by design"?
To understand how to evaluate the correct log retention for your use-case, read our use-case page.