Cloudwatch Loggroup Retention Period Should Be Reviewed

More Info:

This rule checks if an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or else 365 days.

Risk Level

Medium

Address

Configuration

Compliance Standards

SOC2,HIPAA,GDPR,NISTCSF,PCIDSS,RBI_MD_ITF,RBI_UCB

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the CloudWatch Loggroup retention period misconfiguration in AWS using the AWS CLI, follow these steps:

List all the CloudWatch log groups to identify the ones with retention periods that need to be reviewed:

aws logs describe-log-groups

Identify the log group for which you want to update the retention period.
Update the retention period for the identified log group using the following command:

aws logs put-retention-policy --log-group-name YOUR_LOG_GROUP_NAME --retention-in-days YOUR_RETENTION_PERIOD

Replace YOUR_LOG_GROUP_NAME with the name of the log group you want to update and YOUR_RETENTION_PERIOD with the desired retention period in days.For example, to set the retention period of a log group named “my-log-group” to 30 days, you would run:

aws logs put-retention-policy --log-group-name my-log-group --retention-in-days 30

Verify that the retention period has been updated successfully by describing the log group again:

aws logs describe-log-groups --log-group-name YOUR_LOG_GROUP_NAME

By following these steps, you can remediate the CloudWatch Loggroup retention period misconfiguration in AWS using the AWS CLI.

Using Python

To remediate the CloudWatch Loggroup retention period misconfiguration in AWS using Python, follow these steps:

Install the AWS SDK for Python (Boto3) if you haven’t already:

pip install boto3

Use the following Python script to update the retention period for the CloudWatch Loggroup:

import boto3

# Initialize the CloudWatch Logs client
client = boto3.client('logs')

# Specify the Log Group name and the desired retention period in days
log_group_name = 'YOUR_LOG_GROUP_NAME'
retention_days = YOUR_DESIRED_RETENTION_DAYS

# Update the retention policy for the Log Group
response = client.put_retention_policy(
    logGroupName=log_group_name,
    retentionInDays=retention_days
)

print(f"Retention period for Log Group {log_group_name} updated to {retention_days} days.")

Replace 'YOUR_LOG_GROUP_NAME' with the name of the CloudWatch Log Group you want to update and YOUR_DESIRED_RETENTION_DAYS with the desired retention period in days.
Run the Python script to update the retention period for the specified CloudWatch Log Group.

After following these steps, the retention period for the specified CloudWatch Log Group will be updated to the desired value, remediating the misconfiguration.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudwatch Loggroup Retention Period Should Be Reviewed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation