Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

CloudFormation static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your CLOUDFORMATION code

"Log Groups" should be configured with a retention policy

Code Smell

CriticalSonarSource default severity
click to learn more

Why is this an issue?

Inadequately configured "Log Groups" can lead to indefinite storage of log streams on AWS, resulting in potential cost implications and non-compliance with data retention policies. It’s crucial to set the appropriate retention policy for AWS::Logs::LogGroup by defining the RetentionInDays property with a valid value.

What is the potential impact?

Properly managing log data is essential for effective system monitoring, troubleshooting, and security auditing. The failure to configure a retention policy for "Log Groups" in AWS can have several detrimental consequences.

Unnecessary Cost: Log events stored indefinitely result in increased storage costs over time. AWS charges for data storage, and retaining unnecessary logs can lead to higher expenses that could have been avoided.

Non-compliance: Many industries and organizations are bound by strict data retention policies and regulatory requirements. Failing to enforce a retention period for logs may lead to violations, penalties, or legal issues.

Security Risks: Keeping logs indefinitely exposes sensitive information to potential breaches. Storing unnecessary data for an extended period increases the attack surface and the potential impact of a security incident.

Operational Inefficiency: The absence of a proper retention policy makes it harder to manage log data effectively. Over time, log management tasks become more complex, requiring additional effort and resources.

Note: This rule doesn’t check if the value provided to RetentionInDays is valid because AWS CloudFormation Linter (cfn-lint) does it already

How to fix it

Ensure that each AWS::Logs::LogGroup resource includes the RetentionInDays property. Set this property to a valid value that aligns with your organization’s data retention policies and regulatory requirements.

Choose an appropriate value for the retention based on your specific use case. Consider factors such as compliance regulations, data analysis needs, and storage cost considerations. For example, setting the value to 30 days may strike a balance between retaining sufficient data for analysis and avoiding unnecessary storage costs.

Code examples

Noncompliant code example

  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs12.x
      Description: Example of Lambda Function

  MyFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]

Compliant solution

  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs12.x
      Description: Example of Lambda Function

  MyFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]]
      RetentionInDays: 30

Resources

AWS Documentation AWS::Logs::LogGroup

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted