CloudWatch log group has a retention policy of at least the configured minimum days or never expires
cloudwatch_log_group_retention_policy_specific_days_enabled
CloudWatch Log Groups are assessed for a retention period at or above the configured threshold (e.g., 365 days) or for being set to never expire. Log groups whose retention is shorter than the threshold are reported as failing.
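The rule the check applies, as an added example rather than Prowler's own code: a log group passes when `retentionInDays` is absent (Never expire) or at least the baseline, and fails otherwise. The 365-day baseline and the sample log groups are assumptions; `fetch_log_groups` shows where live `describe_log_groups` data would come from and is not exercised offline.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

MIN_RETENTION_DAYS = 365  # assumed baseline; Prowler reads its threshold from config

@dataclass
class Finding:
    log_group: str
    retention_days: Optional[int]  # None means "Never expire"
    status: str                    # "PASS" or "FAIL"
    status_extended: str

def evaluate_log_group(group: dict, min_days: int = MIN_RETENTION_DAYS) -> Finding:
    """Apply the rule to one describe_log_groups item: never-expire or >= min_days passes."""
    name = group["logGroupName"]
    retention = group.get("retentionInDays")  # key is absent when retention is never expire
    if retention is None:
        return Finding(name, None, "PASS", f"{name} never expires.")
    if retention >= min_days:
        return Finding(name, retention, "PASS", f"{name} retains {retention} days (>= {min_days}).")
    return Finding(name, retention, "FAIL", f"{name} retains only {retention} days (< {min_days}).")

def evaluate_all(groups: Iterable[dict], min_days: int = MIN_RETENTION_DAYS) -> List[Finding]:
    return [evaluate_log_group(g, min_days) for g in groups]

def fetch_log_groups(region: str) -> List[dict]:
    """Live collection (not run offline): pages through the real describe_log_groups API."""
    import boto3  # imported here so the module loads without boto3 installed
    client = boto3.client("logs", region_name=region)
    groups: List[dict] = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups

# Constructed sample shaped like describe_log_groups output (not real account data).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30},
    {"logGroupName": "/aws/cloudtrail/audit", "retentionInDays": 400},
    {"logGroupName": "/aws/vpc/flow-logs"},                  # never expire
    {"logGroupName": "/aws/eks/cluster", "retentionInDays": 365},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_LOG_GROUPS):
        print(f.status, f.status_extended)
```

Swap `SAMPLE_LOG_GROUPS` for `fetch_log_groups("<REGION>")` to run it against an account; the boundary case (exactly the baseline) passes, matching the "at or above" wording above.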
Risk
Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the availability of historical logs and the integrity of incident timelines.
prowler aws --checks cloudwatch_log_group_retention_policy_specific_days_enabled
Recommendation
Define a minimum retention baseline (e.g., >=365 days) aligned to legal and investigative needs. Apply it consistently with documented exceptions. Automate enforcement, monitor changes, and restrict who can modify retention under least privilege and defense in depth.
Remediation
aws logs put-retention-policy --log-group-name <LOG_GROUP_NAME> --retention-in-days <DAYS>
- In the AWS Console, go to CloudWatch > Log groups
- Select the target log group
- In the Expire events after/Retention column, click the current value
- Choose a retention value >= <DAYS> or select Never expire
- Click Save
Resource Type
AwsLogsLogGroup
References
- https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html
- https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html
- https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358
- https://www.blinkops.com/blog/cloudwatch-retention
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html