CloudWatch has no retention period

ID

aws_cloudwatch_retention_period

Severity

info

Vendor

AWS

Resource

Logging

Tags

non-reachable

Description

The CloudWatch log group has no retention period configured. By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, either keeping the indefinite retention or choosing a retention period between 10 years and one day. Valid values are: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653].

To fix it, set the retention property on the log group task.

Learn more about this topic at AWS Customize retention.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.cloudwatchlogs_log_group:
        log_group_name: test-log-group

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.cloudwatchlogs_log_group:
        log_group_name: test-log-group
        retention: 14
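
The same check can be run over a playbook before it is applied. The following is an added example, not part of the original rule or the scanner's own code: it assumes the playbook has already been parsed into Python lists and dicts (for instance with `yaml.safe_load`), and the names `audit`, `_walk` and `SAMPLE` are illustrative. It goes slightly beyond the example above by also descending into `block`/`rescue`/`always` sections and by flagging values outside the list of valid retention periods.

```python
# Added example: flags CloudWatch log group tasks that leave retention unset.
# Input is an already-parsed playbook (e.g. the result of yaml.safe_load).

VALID_RETENTION = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180,
                   365, 400, 545, 731, 1827, 3653}  # values listed on this page
MODULES = {"amazon.aws.cloudwatchlogs_log_group", "cloudwatchlogs_log_group"}
TASK_LISTS = ("tasks", "pre_tasks", "post_tasks", "handlers",
              "block", "rescue", "always")

def _walk(node):
    """Yield every task dict, descending into plays and block/rescue/always."""
    for item in node or []:
        if not isinstance(item, dict):
            continue
        nested = [k for k in TASK_LISTS if isinstance(item.get(k), list)]
        if not nested:
            yield item
        for key in nested:
            yield from _walk(item[key])

def audit(playbook):
    """Return (log_group_name, problem) tuples for offending tasks."""
    findings = []
    for task in _walk(playbook):
        for module in task.keys() & MODULES:
            args = task[module] or {}
            if not isinstance(args, dict) or args.get("state") == "absent":
                continue  # free-form args or a deletion: nothing to check
            name = args.get("log_group_name", "<unnamed>")
            retention = args.get("retention")
            if retention is None:
                findings.append((name, "no retention: logs never expire"))
            elif isinstance(retention, str) and "{{" in retention:
                findings.append((name, "templated retention: verify at runtime"))
            elif not isinstance(retention, int) or retention not in VALID_RETENTION:
                findings.append((name, f"invalid retention: {retention!r}"))
    return findings

# Constructed sample: the two tasks from this page plus two edge cases.
SAMPLE = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"amazon.aws.cloudwatchlogs_log_group": {"log_group_name": "test-log-group"}},
    {"amazon.aws.cloudwatchlogs_log_group": {"log_group_name": "ok", "retention": 14}},
    {"block": [{"cloudwatchlogs_log_group": {"log_group_name": "bad", "retention": 15}}]},
    {"cloudwatchlogs_log_group": {"log_group_name": "old", "state": "absent"}},
]}]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

A templated value such as `"{{ retention_days }}"` cannot be resolved statically, so it is reported separately for review instead of being treated as a pass.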