awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

Adding compliance check for Log Group retention set to 'Never Expire' #395

Closed jakeskyaws closed 7 months ago

jakeskyaws commented 1 year ago

Intro:

The default retention policy on log groups is set to Never Expire.

This setting means that CloudWatch retains data indefinitely. To reduce storage costs, consider changing the retention policy (for example, you can set the retention policy to keep data for 1 week, 1 month, and so on).

Description: Checks whether the AWS CloudWatch Log Group retention period is set to 'Never Expire'. The rule is NON_COMPLIANT if a CloudWatch Log Group has its retention period set to 'Never Expire'.

Identifying the value to use via the Boto3 SDK (a log group whose retention is 'Never Expire' has no retentionInDays key at all):

aws logs describe-log-groups
{
    "logGroups": [
        {
            "logGroupName": "/aws/containerinsights/example",
            "creationTime": 1665836848562,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:eu-west-2:927431155644:log-group:/aws/containerinsights/example:*",
            "storedBytes": 58901280
        },
        {
            "logGroupName": "/aws/lambda/example",
            "creationTime": 1666080947451,
            "retentionInDays": 60,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:eu-west-2:927431155644:log-group:/aws/lambda/example:*",
            "storedBytes": 0
        }
    ]
}

Testing

Console Testing

  1. setup: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_examples.html

  2. Upload aws-config-rules/python/CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_CHECK/CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_CHECK.py to the Lambda code source.

  3. Invoke via AWS Config console.

  4. View COMPLIANCE

[Screenshot, 2022-10-18: AWS Config console showing the rule's compliance results]

Unit Tests

➜ pytest CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_test.py --verbose

CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_test.py::ComplianceTest::test_log_group_retention_set_in_days PASSED [ 20%]
CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_test.py::ComplianceTest::test_log_group_retention_set_to_never_expire PASSED [ 40%]
CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_test.py::ComplianceTest::test_no_loggroups_present PASSED [ 60%]
CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_test.py::TestStsErrors::test_sts_access_denied PASSED [ 80%]
CLOUDWATCH_LOG_GROUP_RETENTION_NEVER_EXPIRE_test.py::TestStsErrors::test_sts_unknown_error PASSED [100%]
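The evaluation logic the comment above describes, written out as an added example. This is editor-written illustration code, not the rule file in the PR and not code from the aws-config-rules project. The detail worth seeing in code is the one visible in the describe-log-groups output: a log group set to 'Never Expire' carries no `retentionInDays` key at all, so the check is for key presence, not for a value such as 0 or null. The sample pages are constructed (the account ID is a placeholder), the function names are my own, and the account-level NOT_APPLICABLE result for the no-log-groups case is my choice of handling, mirroring the `test_no_loggroups_present` case in the PR's unit tests rather than copying the rule's exact output. The shape of each evaluation dict is the minimal one; the Config Lambda wrapper adds OrderingTimestamp before calling put_evaluations.

```python
"""Added example: evaluation logic for a 'Never Expire' log group retention check."""

# Constructed sample modelled on the `aws logs describe-log-groups` output above,
# split over two pages as a paginator would return it. Account ID is a placeholder.
# Note the first group has no "retentionInDays" key: that is what 'Never Expire'
# looks like in the API response.
SAMPLE_PAGES = [
    {"logGroups": [
        {"logGroupName": "/aws/containerinsights/example",
         "arn": "arn:aws:logs:eu-west-2:123456789012:log-group:/aws/containerinsights/example:*",
         "creationTime": 1665836848562, "metricFilterCount": 0, "storedBytes": 58901280},
    ]},
    {"logGroups": [
        {"logGroupName": "/aws/lambda/example",
         "arn": "arn:aws:logs:eu-west-2:123456789012:log-group:/aws/lambda/example:*",
         "creationTime": 1666080947451, "retentionInDays": 60,
         "metricFilterCount": 0, "storedBytes": 0},
    ]},
]

LOG_GROUP_RESOURCE_TYPE = "AWS::Logs::LogGroup"
ACCOUNT_RESOURCE_TYPE = "AWS::::Account"


def collect_log_groups(pages):
    """Flatten paginated describe-log-groups responses into one list of records.

    `pages` is any iterable of response dicts. In a real rule you would pass
    boto3.client("logs").get_paginator("describe_log_groups").paginate();
    the paginator is not called here so the example runs offline.
    """
    groups = []
    for page in pages:
        groups.extend(page.get("logGroups", []))
    return groups


def log_group_compliance(log_group):
    """Return (compliance_type, annotation) for a single log group record.

    Absence of "retentionInDays" means the retention policy is 'Never Expire'.
    """
    retention = log_group.get("retentionInDays")
    if retention is None:
        return ("NON_COMPLIANT", "Log group retention is set to 'Never Expire'.")
    return ("COMPLIANT", f"Log group retention is set to {retention} days.")


def evaluate_log_groups(log_groups, account_id):
    """Build AWS Config evaluation entries, one per log group.

    With no log groups in the account there is nothing to evaluate, so a single
    NOT_APPLICABLE evaluation is returned against the account resource instead
    (editor's choice of handling for the empty case).
    """
    if not log_groups:
        return [{
            "ComplianceResourceType": ACCOUNT_RESOURCE_TYPE,
            "ComplianceResourceId": account_id,
            "ComplianceType": "NOT_APPLICABLE",
            "Annotation": "No CloudWatch log groups found.",
        }]
    evaluations = []
    for group in log_groups:
        compliance, annotation = log_group_compliance(group)
        evaluations.append({
            "ComplianceResourceType": LOG_GROUP_RESOURCE_TYPE,
            "ComplianceResourceId": group["logGroupName"],
            "ComplianceType": compliance,
            "Annotation": annotation,
        })
    return evaluations


if __name__ == "__main__":
    groups = collect_log_groups(SAMPLE_PAGES)
    for ev in evaluate_log_groups(groups, "123456789012"):
        print(f"{ev['ComplianceType']:14} {ev['ComplianceResourceId']}: {ev['Annotation']}")
```

Run stand-alone it reports `/aws/containerinsights/example` as NON_COMPLIANT and `/aws/lambda/example` as COMPLIANT. Collecting every page before evaluating matters in practice: describe-log-groups is paginated, and a rule that only reads the first page silently marks the remaining log groups as never evaluated.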