CloudWatch without retention period specified

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CloudWatch without retention period specified

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: terraform-aws-cloudwatch-without-retention-period-specified

Cloud Provider: AWS

Platform: Terraform

Severity: Low

Category: Observability

Learn More

Provider Reference

Description

CloudWatch log groups in AWS should explicitly specify the retention_in_days attribute to control how long log data is stored. If this attribute is omitted or set to 0, as shown below, logs are retained indefinitely, increasing storage costs and the risk of sensitive data exposure over time:

resource "aws_cloudwatch_log_group" "example" {
  name = "application-logs"
  retention_in_days = 0
}

A secure configuration, specifying retention_in_days, ensures log data is automatically deleted after the defined period, reducing unnecessary data retention and helping meet compliance requirements:

resource "aws_cloudwatch_log_group" "example" {
  name = "application-logs"
  retention_in_days = 7
}

Compliant Code Examples

resource "aws_cloudwatch_log_group" "negative1" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }

  retention_in_days = 1
}

Non-Compliant Code Examples

resource "aws_cloudwatch_log_group" "positive1" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }
}

resource "aws_cloudwatch_log_group" "positive2" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }

  retention_in_days = 0
}