terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention

semgrep

Author

unknown

Download Count*

License

The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: aws-cloudwatch-log-group-no-retention
    patterns:
      - pattern: |
          resource "aws_cloudwatch_log_group" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_cloudwatch_log_group" $ANYTHING {
            ...
            retention_in_days = ...
            ...
          }
    message: The AWS CloudWatch Log Group has no retention. Missing retention in log
      groups can cause losing important event information.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-cloudwatch-log-group-no-retention.tf

resource "aws_cloudwatch_log_group" "pass" {
  retention_in_days = 3
}
# ruleid: aws-cloudwatch-log-group-no-retention
resource "aws_cloudwatch_log_group" "fail" {}

Short Link: https://sg.run/4lwl