Why is this an issue?
Log streams created on AWS will stay forever unless the AWS::Logs::LogGroup to which they belong to was configured with a retention
policy. Log Groups should have their “RetentionInDays” property set with a valid value to be sure the log events are kept only for the
expected duration.
When the property is not set, the log events will be kept for ever or will be deleted only when the Log Group is removed.
Keeping the logs for ever doesn’t come for free: AWS will charge for keeping these logs. Also from a security point of view, keeping the data for
ever may be not compliant with company policy or regulatory rules.
Note: this rule doesn’t check if the value provided to "RetentionInDays" is valid because AWS CloudFormation Linter (cfn-lint) do it already
Noncompliant code example
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Runtime: nodejs12.x
Description: Example of Lambda Function
MyFunctionLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
# Noncompliant: "RetentionInDays" property is not set: logs are kept for ever
Compliant solution
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Runtime: nodejs12.x
Description: Example of Lambda Function
MyFunctionLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
RetentionInDays: 30
