72 lines
3.2 KiB
Plaintext
72 lines
3.2 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Inadequately configured "Log Groups" can lead to indefinite storage of log streams on AWS, resulting in potential cost implications and non-compliance with data retention policies.
|
|
It's crucial to set the appropriate retention policy for `AWS::Logs::LogGroup` by defining the `RetentionInDays` property with a valid value.
|
|
|
|
=== What is the potential impact?
|
|
|
|
Properly managing log data is essential for effective system monitoring, troubleshooting, and security auditing.
|
|
The failure to configure a retention policy for "Log Groups" in AWS can have several detrimental consequences.
|
|
|
|
Unnecessary Cost: Log events stored indefinitely result in increased storage costs over time.
|
|
AWS charges for data storage, and retaining unnecessary logs can lead to higher expenses that could have been avoided.
|
|
|
|
Non-compliance: Many industries and organizations are bound by strict data retention policies and regulatory requirements.
|
|
Failing to enforce a retention period for logs may lead to violations, penalties, or legal issues.
|
|
|
|
Security Risks: Keeping logs indefinitely exposes sensitive information to potential breaches.
|
|
Storing unnecessary data for an extended period increases the attack surface and the potential impact of a security incident.
|
|
|
|
Operational Inefficiency: The absence of a proper retention policy makes it harder to manage log data effectively.
|
|
Over time, log management tasks become more complex, requiring additional effort and resources.
|
|
|
|
Note: This rule doesn't check if the value provided to `RetentionInDays` is valid because AWS CloudFormation Linter (cfn-lint) does it already
|
|
|
|
== How to fix it
|
|
|
|
Ensure that each `AWS::Logs::LogGroup` resource includes the `RetentionInDays` property.
|
|
Set this property to a valid value that aligns with your organization's data retention policies and regulatory requirements.
|
|
|
|
Choose an appropriate value for the retention based on your specific use case.
|
|
Consider factors such as compliance regulations, data analysis needs, and storage cost considerations.
|
|
For example, setting the value to 30 days may strike a balance between retaining sufficient data for analysis and avoiding unnecessary storage costs.
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,yaml,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
MyLambdaFunction:
|
|
Type: AWS::Lambda::Function
|
|
Properties:
|
|
Runtime: nodejs12.x
|
|
Description: Example of Lambda Function
|
|
|
|
MyFunctionLogGroup:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,yaml,diff-id=1,diff-type=compliant]
|
|
----
|
|
MyLambdaFunction:
|
|
Type: AWS::Lambda::Function
|
|
Properties:
|
|
Runtime: nodejs12.x
|
|
Description: Example of Lambda Function
|
|
|
|
MyFunctionLogGroup:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
|
|
RetentionInDays: 30
|
|
----
|
|
|
|
== Resources
|
|
|
|
* AWS Documentation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html[AWS::Logs::LogGroup]
|