This check identifies CloudWatch log groups whose resource policies grant access to any principal. Statements using Principal:"*" (or an AWS principal of "*") together with a wildcard Resource or a Resource that names a log group ARN indicate that the log group is exposed through a public policy.
Risk
Public access to log groups enables unauthorized reading of logs, revealing secrets and operational metadata, harming confidentiality. If broad actions are allowed, attackers can modify subscriptions or logs, undermining integrity and disrupting availability of audit evidence.
prowler aws --checks cloudwatch_log_group_not_publicly_accessible
Recommendation
Remove public access from log group resource policies. Replace Principal:"*" and Resource:"*" with narrowly scoped principals and specific ARNs. Grant only necessary actions, apply conditions to constrain use, and enforce least privilege and separation of duties with regular policy reviews.
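The following script is an added example, not part of the Prowler check or its documentation. It applies the detection logic described above to the shape of output that `aws logs describe-resource-policies` returns, flagging Allow statements whose Principal is "*" (or an AWS principal list containing "*") and whose Resource is a wildcard or a log group ARN. The sample response, account id, policy names and Sids are constructed for the example; the second policy shows the narrowly scoped form the recommendation calls for (a single service principal and a specific log group ARN) and is not flagged.

```python
"""Flag CloudWatch Logs resource policies that expose log groups to any principal.

Added example for this check. SAMPLE_RESPONSE is constructed to mimic the JSON
that `aws logs describe-resource-policies` returns; it is not real account output.
"""
import json

# Constructed sample: two resource policies in the shape returned by
# describe-resource-policies (policyDocument is a JSON string in the real API).
SAMPLE_RESPONSE = {
    "resourcePolicies": [
        {
            "policyName": "public-log-read",  # constructed name
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "OpenToEveryone",
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": ["logs:GetLogEvents", "logs:PutSubscriptionFilter"],
                    "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:*",
                }],
            }),
        },
        {
            "policyName": "route53-query-logging",  # constructed name; scoped form
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "Route53LogsToCloudWatchLogs",
                    "Effect": "Allow",
                    "Principal": {"Service": "route53.amazonaws.com"},
                    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                    "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/route53/*",
                }],
            }),
        },
    ]
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or any {"AWS": "*"}-style form, which means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def resource_targets_log_group(resource):
    """True when the Resource is a wildcard or names a CloudWatch log group ARN."""
    for arn in _as_list(resource):
        if arn == "*" or (arn.startswith("arn:aws:logs:") and ":log-group:" in arn):
            return True
    return False


def public_statements(policy_document):
    """Return findings for Allow statements granting any principal access to log groups."""
    findings = []
    for index, stmt in enumerate(_as_list(policy_document.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if not principal_is_public(stmt["Principal"]):
            continue
        if not resource_targets_log_group(stmt.get("Resource", [])):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{index}]"),
            "actions": _as_list(stmt.get("Action", [])),
            # A Condition block may narrow who "*" really is (e.g. aws:SourceArn);
            # it is recorded for triage rather than used to suppress the finding.
            "conditioned": "Condition" in stmt,
        })
    return findings


def audit_resource_policies(response):
    """Map each policy name that exposes log groups publicly to its findings."""
    exposed = {}
    for policy in response.get("resourcePolicies", []):
        findings = public_statements(json.loads(policy["policyDocument"]))
        if findings:
            exposed[policy["policyName"]] = findings
    return exposed


if __name__ == "__main__":
    for name, findings in audit_resource_policies(SAMPLE_RESPONSE).items():
        for f in findings:
            print(f"FAIL {name}: statement {f['sid']} allows {f['actions']} to any principal")
```

Against real output, replace SAMPLE_RESPONSE with the parsed JSON from `aws logs describe-resource-policies`; a policy that appears in the result is a candidate for the remediation steps below, and the `conditioned` flag tells you whether a Condition block needs to be read before deciding that "*" really means the public.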
Remediation
aws logs delete-resource-policy --policy-name <policy-name>
- Open the CloudWatch console
- Go to Logs > Resource policies
- Select the policy that exposes your log groups (Principal set to "*" or Resource "*")
- Click Delete and confirm
Resource Type
Other