Profile Applicability:
Level 1
Description:
CloudWatch Log Groups allow you to define retention policies, which determine how long logs are kept. It is recommended that CloudWatch Log Groups have a retention policy set to a specific duration, in line with your organization’s data retention policy. This ensures that logs are retained for the appropriate period and are automatically deleted when no longer needed, reducing storage costs and maintaining compliance.
Rationale:
By setting an appropriate retention policy, you can ensure that logs are kept only as long as necessary for auditing, security, and compliance purposes. Automatically deleting logs when they are no longer needed minimizes storage costs and reduces the risk of retaining sensitive data longer than necessary.
Impact:
Positive Impact: Reduces storage costs and ensures logs are managed in compliance with organizational data retention policies.
Negative Impact: Setting the retention policy too short may result in loss of logs needed for audits or troubleshooting.
Default Value:
By default, CloudWatch Log Groups do not have a retention policy set and retain logs indefinitely. This may lead to unnecessary storage costs if logs are not actively managed.
Pre-Requisite:
IAM Permissions: Permissions to view and configure CloudWatch Log Groups.
AWS Services: CloudWatch Logs.
Tools Required: AWS Management Console, AWS CLI.
Remediation:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the CloudWatch console.
In the left navigation pane, click Log Groups.
For each Log Group you want to modify, select the Log Group and choose the Actions dropdown.
Click on Edit Retention.
Select a retention period from the available options, such as 30 days, 90 days, or 1 year.
Click Save Changes to apply the retention policy.
Repeat for each CloudWatch Log Group to ensure retention policies are applied correctly.
Using AWS CLI:
Check the current retention policy for all CloudWatch Log Groups:
aws logs describe-log-groups --query 'logGroups[*].{LogGroupName:logGroupName,RetentionInDays:retentionInDays}'
Set the retention policy for a specific Log Group:
aws logs put-retention-policy --log-group-name <LogGroupName> --retention-in-days <RetentionPeriod>
Replace <LogGroupName> with the name of the log group and <RetentionPeriod> with the desired number of days (e.g., 30, 60, 365).
Repeat for each Log Group to ensure they have the correct retention policy set.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to CloudWatch → Log Groups.
Select a Log Group and click on Actions → Edit Retention.
Set the Retention Period to the required number of days (e.g., 30 days, 90 days, 1 year).
Save Changes and repeat the process for all other Log Groups.
Using AWS CLI:
Run the describe-log-groups command to check the retention policy of all Log Groups:
aws logs describe-log-groups --query 'logGroups[*].{LogGroupName:logGroupName,RetentionInDays:retentionInDays}'
Set the retention policy for each Log Group:
aws logs put-retention-policy --log-group-name <LogGroupName> --retention-in-days <RetentionPeriod>
Replace <LogGroupName> and <RetentionPeriod> with the appropriate values for your environment.
Repeat for each Log Group to ensure all have the desired retention policy.
Backout Plan:
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudWatch > Log Groups.
Select the log group for which the retention policy was updated.
In the Log Group Details section, locate the Retention Settings.
Revert the retention period by selecting Never Expire or the previously configured retention period.
Save the changes to restore the original configuration.
Using AWS CLI:
Retrieve the current configuration of the log group:
aws logs describe-log-groups --log-group-name-prefix <log-group-name>
Update the log group's retention policy to revert it to the original setting:
aws logs put-retention-policy --log-group-name <log-group-name> --retention-in-days <original-retention-days>
Verify the updated retention policy:
aws logs describe-log-groups --log-group-name-prefix <log-group-name>
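The audit, remediation and backout steps above can be scripted from the output of the describe-log-groups query shown in the Remediation section. The following is an added example, not part of this benchmark or of AWS tooling: it reads that JSON (a constructed sample is embedded), flags groups with no policy or a policy longer than your organization's maximum, emits the matching put-retention-policy commands, and emits the commands that restore the previous state. It assumes the retention values listed in VALID_RETENTION_DAYS are the ones the API accepts, and that a group that had no policy is restored with delete-retention-policy rather than put-retention-policy, since "Never Expire" is not a numeric value.

```python
import json

# Retention values accepted by put-retention-policy; any other value is rejected by the API
# (assumption: list taken from the CloudWatch Logs API documentation at time of writing).
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
                        1096, 1827, 2192, 2557, 2922, 3288, 3653}

# Constructed sample of what the describe-log-groups --query command prints for three groups.
# A missing retentionInDays comes out as null, i.e. the group retains logs indefinitely.
SAMPLE_DESCRIBE_OUTPUT = json.dumps([
    {"LogGroupName": "/aws/lambda/orders-api", "RetentionInDays": 30},
    {"LogGroupName": "/aws/cloudtrail/management", "RetentionInDays": None},
    {"LogGroupName": "/ecs/payments", "RetentionInDays": 3653},
])


def audit_retention(describe_json, max_days):
    """Split groups into (compliant, non_compliant) as lists of (name, current_days).
    No policy (None) means Never Expire, which is the default and is non-compliant."""
    compliant, non_compliant = [], []
    for group in json.loads(describe_json):
        days = group.get("RetentionInDays")
        bucket = compliant if days is not None and days <= max_days else non_compliant
        bucket.append((group["LogGroupName"], days))
    return compliant, non_compliant


def remediation_commands(non_compliant, target_days):
    """One put-retention-policy command per non-compliant group, after checking that
    the requested retention is a value the API will accept."""
    if target_days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{target_days} is not a retention value CloudWatch Logs accepts")
    return [f"aws logs put-retention-policy --log-group-name {name} --retention-in-days {target_days}"
            for name, _ in non_compliant]


def backout_commands(non_compliant):
    """Commands that return each group to its pre-change setting: groups that had no
    policy go back to Never Expire via delete-retention-policy, others get the old value."""
    cmds = []
    for name, old_days in non_compliant:
        if old_days is None:
            cmds.append(f"aws logs delete-retention-policy --log-group-name {name}")
        else:
            cmds.append(f"aws logs put-retention-policy --log-group-name {name} --retention-in-days {old_days}")
    return cmds


if __name__ == "__main__":
    ok, bad = audit_retention(SAMPLE_DESCRIBE_OUTPUT, max_days=365)
    print("non-compliant:", bad)
    print("\n".join(remediation_commands(bad, 90)))
    print("\n".join(backout_commands(bad)))
```

Record the backout commands before running the remediation ones; they are the only place the original retention values survive once put-retention-policy has been applied.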