Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Web-Tier CloudWatch Log Group Retention Period

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your web-tier CloudWatch log group has the retention period feature configured in order to establish how long log events are kept in AWS CloudWatch Logs. Just like metric filters, retention settings are assigned to CloudWatch log groups and the retention period assigned to a log group is applied to their log streams as well. This conformity rule assumes that the AWS CloudWatch log group created for your web tier is using the following naming convention: <web_tier_log_group>. Prior to running this rule by the Cloud Conformity engine, the name and the retention settings (i.e. retention period) of the web-tier log group need to be defined in the rule settings, on your Cloud Conformity account dashboard.

Security
Operational
excellence
Cost
optimisation

The Amazon CloudWatch log group created for the web tier may require different retention settings than other log groups available, as the retention period depends on the operational and regulatory constraints applied to the specified group. Also, if the retention period for the web-tier log group is not configured, the logging data will be retained indefinitely and the service cost will increase.

Note: Make sure that you replace all <web_tier_log_group> placeholders found in the conformity rule content with the name of your own log group created for the web tier.

Audit

To determine if your web-tier CloudWatch log group has a retention period configured, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Configure Web-Tier CloudWatch Log Group Retention Period conformity rule settings, copy the name defined for your web-tier CloudWatch log group (e.g. <web_tier_log_group>) and note the log retention period configured for the group.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs to access the log groups created in the current AWS region.

05 Paste the name of your web-tier CloudWatch log group, copied at step no. 1 (e.g. <web_tier_log_group>), into the Log Group Name Prefix search box and press Enter. If the search process returns no results, there is no web-tier CloudWatch log group available within the selected AWS region and the audit process ends here (see this rule to create your own web-tier log group). If a CloudWatch log group is returned as result, the selected resource is a web-tier log group and the audit process continues with the next step.

06 Choose the web-tier CloudWatch log group that you want to examine and check the log retention period value available within Expire Events After column. If the retention period is set to Never Expire or the value does not match the one configured in the conformity rule settings, identified at step no. 1, the retention settings for the selected web-tier CloudWatch log group are not compliant.

07 Change the AWS region from the navigation bar and repeat step no. 5 and 6 to verify the retention settings for web-tier log groups available within other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Configure Web-Tier CloudWatch Log Group Retention Period conformity rule settings and copy the name defined for your web-tier CloudWatch log group (e.g. <web_tier_log_group>) and note the log retention period configured for the log group.

02 Run describe-log-groups command (OSX/Linux/UNIX) using custom query filters to describe the configuration information for the specified web-tier CloudWatch log group. Replace <web_tier_log_group> with the name of your own web-tier log group copied at the previous step: 

aws logs describe-log-groups
	--region us-east-1
	--query "logGroups[?logGroupName == '<web_tier_log_group>']"

03 The command request should return one of the following outputs:

  1. If the describe-log-groups command output returns an empty array (i.e. []), as shown in the example below, there is no web-tier CloudWatch log group available in the selected AWS region, therefore the audit process for the selected resource ends here (see this rule to create your own web-tier CloudWatch log group): 
    []
  2. If the command output returns the log group configuration details, the selected CloudWatch resource is a web-tier log group and the audit process continues with the next step: 
    [
    {
        "arn": "arn:aws:logs:us-east-1:123456789012:log-group::*",
        "creationTime": 1522177312884,
        "metricFilterCount": 0,
        "logGroupName": "",
        "storedBytes": 314
    }
]

04 Run describe-log-groups command (OSX/Linux/UNIX) using the name of the web-tier log group identified at the previous step and custom query filters to get the retention period (i.e. the number of days to retain the log events) for the selected web-tier CloudWatch log group. Replace <web_tier_log_group> with the name of your own web-tier log group copied at step no. 1: 

aws logs describe-log-groups
	--region us-east-1
	--log-group-name-prefix <web_tier_log_group>
	--query "logGroups[*].retentionInDays"

05 The command output should return the log retention period for the specified web-tier CloudWatch log group (if any): 

[]

If the command output returns an empty array (i.e. []), as shown in the example above, or the value inside the array does not match the one configured in the conformity rule settings, the log retention period for the selected web-tier CloudWatch log group is not compliant.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 to check the retention settings for web-tier log groups available in other regions.

Remediation / Resolution

To set the appropriate log retention period for your web-tier CloudWatch log group, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Configure Web-Tier CloudWatch Log Group Retention Period rule settings and note the retention period defined for your web-tier CloudWatch log group.

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs.

05 Choose the web-tier AWS CloudWatch log group that you want to configure (see Audit section part I to identify the right resource) and click on the value (link) available in the Expire Events After column.

06 Inside Edit Retention dialog box, select the same retention period as the one defined in the rule settings, identified at step no. 1, from the Retention dropdown list, then click Ok to apply the configuration changes.

07 If required, change the AWS region from the navigation bar and repeat step no. 5 and 6 for web-tier log groups available in other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Configure Web-Tier CloudWatch Log Group Retention Period rule settings and note the retention period defined for your web-tier CloudWatch log group.

02 Run put-retention-policy command (OSX/Linux/UNIX) to set the appropriate log retention period for the selected web-tier CloudWatch log group (see Audit section part II to identify the right CloudWatch resource). Replace the --log-group-name and --retention-in-day parameters values with your own values (the command does not return an output): 

aws logs put-retention-policy
	--log-group-name <web_tier_log_group>
	--retention-in-days 3

03 If required, change the AWS region by updating the --region command parameter value and repeat step no. 2 for web-tier CloudWatch log groups available within other regions.

References

Publication date Mar 29, 2018

Related CloudWatchLogs rules