terraform.aws.best-practice.missing-cloudwatch-log-group-retention.missing-cloudwatch-log-group-retention
semgrep
Author
unknown
The AWS CloudWatch Log group is missing log retention time. By default, logs are retained indefinitely. Add `retention_in_days = <integer>` to your resource block.
Definition
rules:
  - id: missing-cloudwatch-log-group-retention
    patterns:
      - patterns:
          - pattern: resource "aws_cloudwatch_log_group" $ANYTHING {...}
          - pattern-not-inside: |
              resource "aws_cloudwatch_log_group" $ANYTHING {
                ...
                retention_in_days = ...
                ...
              }
    message: The AWS CloudWatch Log group is missing log retention time. By default,
      logs are retained indefinitely. Add `retention_in_days = <integer>` to
      your resource block.
    languages:
      - hcl
    severity: WARNING
    metadata:
      technology:
        - aws
        - terraform
      category: best-practice
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
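The rule above only checks that the attribute is present. In the Terraform AWS provider, `retention_in_days = 0` means "never expire", so a block that sets it to 0 passes this rule while still retaining logs indefinitely. The following stricter variant is an added example, not part of the Semgrep registry rule on this page; the rule id `cloudwatch-log-group-retention-indefinite` and the metavariable name `$NAME` are my own choices. It keeps the original presence check as one branch and adds a second branch for an explicit 0.

```yaml
rules:
  - id: cloudwatch-log-group-retention-indefinite   # assumed id, not the registry rule
    message: >-
      This CloudWatch Log Group retains logs indefinitely: retention_in_days is
      either missing or set to 0 (the provider's "never expire" value). Set it
      to one of the AWS-accepted day counts, for example 90.
    languages:
      - hcl
    severity: WARNING
    pattern-either:
      # Branch 1: attribute absent. Same logic as the registry rule above.
      - patterns:
          - pattern: resource "aws_cloudwatch_log_group" $NAME { ... }
          - pattern-not-inside: |
              resource "aws_cloudwatch_log_group" $NAME {
                ...
                retention_in_days = ...
                ...
              }
      # Branch 2: attribute present but explicitly 0, which the AWS provider
      # treats as indefinite retention and the registry rule does not flag.
      - pattern: |
          resource "aws_cloudwatch_log_group" $NAME {
            ...
            retention_in_days = 0
            ...
          }
    metadata:
      technology:
        - aws
        - terraform
      category: best-practice
```

Run it with `semgrep --config <file>.yaml path/to/terraform/`; a resource with no `retention_in_days`, and one with `retention_in_days = 0`, are both reported, while `retention_in_days = 90` is not. Neither this variant nor the registry rule can evaluate a value supplied through a variable or module input (`retention_in_days = var.log_retention`): such a block passes both rules even if the variable resolves to 0, so that case needs a `tfvars` review or a plan-time policy check rather than a static pattern.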
Examples
missing-cloudwatch-log-group-retention.tf
# ruleid: missing-cloudwatch-log-group-retention
resource "aws_cloudwatch_log_group" "fail" {}

# ok: missing-cloudwatch-log-group-retention
resource "aws_cloudwatch_log_group" "pass" {
  retention_in_days = 3
}
Short Link: https://sg.run/Nw1G