45 lines
1.7 KiB
Plaintext
45 lines
1.7 KiB
Plaintext
Log streams created on AWS will stay forever unless the `AWS::Logs::LogGroup` to which they belong to was configured with a retention policy.
|
|
`Log Groups` should have their “RetentionInDays” property set with a valid value to be sure the log events are kept only for the expected duration.
|
|
|
|
When the property is not set, the log events will be kept for ever or will be deleted only when the Log Group is removed.
|
|
|
|
Keeping the logs for ever doesn't come for free: AWS will charge for keeping these logs.
|
|
Also from a security point of view, keeping the data for ever may be not compliant with company policy or regulatory rules.
|
|
|
|
Note: this rule doesn't check if the value provided to "RetentionInDays" is valid because AWS CloudFormation Linter (cfn-lint) do it already
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,cloudformation]
|
|
----
|
|
MyLambdaFunction:
|
|
Type: AWS::Lambda::Function
|
|
Properties:
|
|
Runtime: nodejs12.x
|
|
Description: Example of Lambda Function
|
|
|
|
MyFunctionLogGroup:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
|
|
# Noncompliant: "RetentionInDays" property is not set: logs are kept for ever
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,cloudformation]
|
|
----
|
|
MyLambdaFunction:
|
|
Type: AWS::Lambda::Function
|
|
Properties:
|
|
Runtime: nodejs12.x
|
|
Description: Example of Lambda Function
|
|
|
|
MyFunctionLogGroup:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
|
|
RetentionInDays: 30
|
|
----
|
|
|