Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

CloudFormation static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your CLOUDFORMATION code

"Log Groups" should be declared explicitly

consistency - conventional

maintainability

Code Smell

MajorSonarSource default severity
click to learn more

Why is this an issue?

How can I fix it?

More Info

In certain AWS services, implicit creation of Log Groups can lead to unintended consequences when using CloudFormation. Failure to declare a Log Group within CloudFormation can result in unmanaged resources, impacting both cost and security. To ensure effective resource management and adherence to best practices, it is crucial to declare the target Log Group within CloudFormation, aligning its name with AWS conventions.

What is the potential impact?

Implicit creation of Log Groups in certain AWS services poses a significant issue when working with CloudFormation. When a Log Group is not explicitly declared within CloudFormation, it is automatically generated at runtime. This leads to several potentially dangerous consequences.

Unmanaged Resources: The automatically created Log Groups are not managed by CloudFormation. As a result, they won’t be removed when the associated Stack is deleted, leading to a clutter of unused resources over time.

Lack of Configuration Control: Without explicit declaration, essential attributes of the Log Group, such as retention policies, are not managed "as code" within CloudFormation. This means that changes to these attributes can’t be tracked, versioned, or easily replicated.

Cost Implications: The perpetual existence of these auto-generated Log Groups can lead to unexpected and unnecessary costs. Storing data indefinitely in these logs can inflate storage expenses over time.

Security Concerns: Prolonged retention of log data might conflict with company policies, industry regulations, or best practices for data security and privacy. Data that is intended to be temporary might inadvertently persist due to the lack of proper management.

Regulatory Compliance: Depending on the domain, industry, or region, organizations might be required to adhere to specific data retention and disposal guidelines. The uncontrolled retention of log data could lead to non-compliance issues.

This rule applies to the following resources:

AWS::Lambda::Function
AWS::Serverless::Function
AWS::ApiGatewayV2::Api
AWS::CodeBuild::Project

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted