terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention
semgrep
Author
unknown
Download Count*
License
The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.
Run Locally
Run in CI
Defintion
rules:
- id: aws-cloudwatch-log-group-no-retention
patterns:
- pattern: |
resource "aws_cloudwatch_log_group" $ANYTHING {
...
}
- pattern-not-inside: |
resource "aws_cloudwatch_log_group" $ANYTHING {
...
retention_in_days = ...
...
}
message: The AWS CloudWatch Log Group has no retention. Missing retention in log
groups can cause losing important event information.
languages:
- hcl
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
cwe:
- "CWE-320: CWE CATEGORY: Key Management Errors"
technology:
- aws
- terraform
category: security
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
aws-cloudwatch-log-group-no-retention.tf
resource "aws_cloudwatch_log_group" "pass" {
retention_in_days = 3
}
# ruleid: aws-cloudwatch-log-group-no-retention
resource "aws_cloudwatch_log_group" "fail" {}
Short Link: https://sg.run/4lwl