AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Cloudwatch Loggroup Retention Period Should Be Reviewed
More Info:
This rule checks if an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or else 365 days.
Risk Level
Medium
Address
Configuration
Compliance Standards
SOC2,HIPAA,GDPR,NISTCSF,PCIDSS,RBI_MD_ITF,RBI_UCB
Triage and Remediation
Remediation
To remediate the misconfiguration of CloudWatch Log Group retention period in AWS, follow these steps using the AWS Management Console:
-
Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and login to your account.
-
Navigate to CloudWatch: Click on the “Services” dropdown at the top of the page, search for “CloudWatch” in the search bar, and click on the CloudWatch service.
-
Select Log Groups: In the CloudWatch dashboard, click on “Log groups” in the left-hand menu to view all the log groups in your account.
-
Find the Log Group: Locate the log group for which you want to review or update the retention period. You can use the search bar to find the log group quickly.
-
Update Retention Period:
- Click on the log group name to open the log group details.
- In the log group details page, click on the “Edit” button next to the “Retention settings” section.
- Update the retention period as per your requirements. You can choose a value between 1 day to 10 years or select “Never Expire” if you want to retain logs indefinitely.
- Click on the “Save changes” button to apply the new retention period.
-
Verify the Changes: Once you have updated the retention period, you can verify the changes by checking the “Retention settings” section in the log group details.
By following these steps, you can remediate the misconfiguration of the CloudWatch Log Group retention period in AWS using the AWS Management Console.
To remediate the CloudWatch Loggroup retention period misconfiguration in AWS using the AWS CLI, follow these steps:
- List all the CloudWatch log groups to identify the ones with retention periods that need to be reviewed:
aws logs describe-log-groups
-
Identify the log group for which you want to update the retention period.
-
Update the retention period for the identified log group using the following command:
aws logs put-retention-policy --log-group-name YOUR_LOG_GROUP_NAME --retention-in-days YOUR_RETENTION_PERIOD
Replace YOUR_LOG_GROUP_NAME with the name of the log group you want to update and YOUR_RETENTION_PERIOD with the desired retention period in days.
For example, to set the retention period of a log group named “my-log-group” to 30 days, you would run:
aws logs put-retention-policy --log-group-name my-log-group --retention-in-days 30
- Verify that the retention period has been updated successfully by describing the log group again:
aws logs describe-log-groups --log-group-name YOUR_LOG_GROUP_NAME
By following these steps, you can remediate the CloudWatch Loggroup retention period misconfiguration in AWS using the AWS CLI.
To remediate the CloudWatch Loggroup retention period misconfiguration in AWS using Python, follow these steps:
- Install the AWS SDK for Python (Boto3) if you haven’t already:
pip install boto3
- Use the following Python script to update the retention period for the CloudWatch Loggroup:
import boto3
# Initialize the CloudWatch Logs client
client = boto3.client('logs')
# Specify the Log Group name and the desired retention period in days
log_group_name = 'YOUR_LOG_GROUP_NAME'
retention_days = YOUR_DESIRED_RETENTION_DAYS
# Update the retention policy for the Log Group
response = client.put_retention_policy(
logGroupName=log_group_name,
retentionInDays=retention_days
)
print(f"Retention period for Log Group {log_group_name} updated to {retention_days} days.")
-
Replace
'YOUR_LOG_GROUP_NAME'with the name of the CloudWatch Log Group you want to update andYOUR_DESIRED_RETENTION_DAYSwith the desired retention period in days. -
Run the Python script to update the retention period for the specified CloudWatch Log Group.
After following these steps, the retention period for the specified CloudWatch Log Group will be updated to the desired value, remediating the misconfiguration.