Inadequately configured "Log Groups" can lead to indefinite storage of log streams on AWS, resulting in potential cost implications and non-compliance with data retention policies. It's crucial to set the appropriate retention policy for AWS::Logs::LogGroup by defining the RetentionInDays property with a valid value.
What is the potential impact?
Properly managing log data is essential for effective system monitoring, troubleshooting, and security auditing. Failing to configure a retention policy for "Log Groups" in AWS can have several detrimental consequences.
Unnecessary Cost: Log events stored indefinitely result in increased storage costs over time. AWS charges for data storage, and retaining unnecessary logs can lead to higher expenses that could have been avoided.
Non-compliance: Many industries and organizations are bound by strict data retention policies and regulatory requirements. Failing to enforce a retention period for logs may lead to violations, penalties, or legal issues.
Security Risks: Keeping logs indefinitely exposes sensitive information to potential breaches. Storing unnecessary data for an extended period increases the attack surface and the potential impact of a security incident.
Operational Inefficiency: The absence of a proper retention policy makes it harder to manage log data effectively. Over time, log management tasks become more complex, requiring additional effort and resources.
Note: This rule doesn't check if the value provided to RetentionInDays is valid because AWS CloudFormation Linter (cfn-lint) does it already.
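As an added example (not part of this rule description or its implementation), a small Python check in the spirit of the rule: it parses a CloudFormation template in JSON form, reports every AWS::Logs::LogGroup whose Properties omit RetentionInDays, and shows the fix of adding the property. The template, logical IDs and parameter name are constructed for the example, and, like the rule, it leaves checking the value itself to cfn-lint.

```python
import json

# Constructed sample CloudFormation template (JSON form) with three log groups:
# one missing RetentionInDays (non-compliant), one with a fixed value
# (compliant), and one whose value comes from a template parameter via Ref.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "LogRetention": {"Type": "Number", "Default": 90}
  },
  "Resources": {
    "AppLogGroupNoRetention": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {"LogGroupName": "/app/unbounded"}
    },
    "AppLogGroupFixed": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {"LogGroupName": "/app/bounded", "RetentionInDays": 30}
    },
    "AppLogGroupParam": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {"RetentionInDays": {"Ref": "LogRetention"}}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def find_log_groups_without_retention(template):
    """Return logical IDs of AWS::Logs::LogGroup resources lacking RetentionInDays.
    A value supplied through an intrinsic function such as Ref counts as set;
    whether the value is one AWS accepts is left to cfn-lint."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Logs::LogGroup":
            continue
        properties = resource.get("Properties") or {}  # Properties may be absent or null
        if "RetentionInDays" not in properties:
            findings.append(logical_id)
    return findings


def fix_retention(template, days):
    """Return a deep copy of the template with RetentionInDays added where it was missing."""
    fixed = json.loads(json.dumps(template))  # deep copy so the input is untouched
    for logical_id in find_log_groups_without_retention(fixed):
        fixed["Resources"][logical_id].setdefault("Properties", {})["RetentionInDays"] = days
    return fixed
```

Running find_log_groups_without_retention(SAMPLE_TEMPLATE) flags only AppLogGroupNoRetention; after fix_retention(SAMPLE_TEMPLATE, 30) the same check returns an empty list.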