Amazon CloudWatch

Low CloudWatch Log Retention Period

This plugin ensures that the Amazon CloudWatch Log retention period is set above the configured amount of time.

Risk Level: Low

Description

This plugin ensures that the Amazon CloudWatch Log retention period is set above the configured amount of time. Retention settings determine how long Amazon CloudWatch keeps the logs; once the retention period has elapsed, the expired logs are deleted.

Configuration Parameters

Minimum Log Retention Period: The minimum number of days for which CloudWatch must retain the logs. An issue is generated if a log group's configured retention period is smaller than this number.

By default, the value is 90, so the plugin raises an alert for every CloudWatch log group whose retention period is less than 90 days.

About the Service

Amazon CloudWatch: Amazon CloudWatch is a monitoring service for developers and DevOps engineers. CloudWatch gives you the actionable information and data you need to monitor your applications and optimize resource utilization. The logs it collects can later be used to reconstruct what happened if the system is compromised.

Impact

If the cloud infrastructure is compromised, CloudWatch is an important source with which to start the investigation. Valuable insights can be derived from the logs it generates, and the chain of events can eventually be traced back to the event that triggered the attack. Keeping the log retention period above a certain threshold ensures that critical information is not lost with the passage of time.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon CloudWatch Management Console. If you are already logged in, this link (https://console.aws.amazon.com/cloudwatch) takes you there directly.
  3. Move to Log Groups in the Logs section of the left navigation pane.
  4. In the list of log groups, check the Retention column. If the number of days is less than the specified minimum, the log group is vulnerable.
  5. Repeat step 4 for all the Log Groups you want to investigate.

Steps for Remediation

Ensure CloudWatch logs are retained for the specified period:

  1. Log in to your AWS Console.
  2. Open the Amazon CloudWatch Management Console. If you are already logged in, this link (https://console.aws.amazon.com/cloudwatch) takes you there directly.
  3. Move to Log Groups in the Logs section of the left navigation pane.
  4. In the list of log groups, open the vulnerable Log Group by clicking its Name.
  5. Choose Edit Retention Settings from the Action menu at the top-right corner.
  6. Select the appropriate retention period from the drop-down list and click Save to apply the setting.
  7. Repeat steps 4 to 6 for all the vulnerable Log Groups.
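The same check and remediation as a script, added here as an example and not the plugin's own code. It evaluates DescribeLogGroups output against the 90-day default, treats a log group without retentionInDays as "Never expire" (which satisfies any minimum), and rounds the minimum up to a value PutRetentionPolicy accepts; the hard-coded list of accepted values is taken from the AWS documentation at the time of writing, and the live audit_account function assumes boto3 is installed with AWS credentials configured.

```python
from typing import Dict, List

DEFAULT_MIN_RETENTION_DAYS = 90
# Retention values PutRetentionPolicy accepts, per AWS docs at time of writing.
ALLOWED_RETENTION_DAYS = [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                          545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653]

def evaluate_log_group(group: Dict, minimum_days: int = DEFAULT_MIN_RETENTION_DAYS) -> Dict:
    """Classify one DescribeLogGroups entry against the configured minimum."""
    name, days = group["logGroupName"], group.get("retentionInDays")
    if days is None:  # key absent: the console shows 'Never expire', so it passes
        status, reason = "OK", "retention never expires"
    elif days < minimum_days:
        status, reason = "FAIL", f"retention {days}d is below the {minimum_days}d minimum"
    else:
        status, reason = "OK", f"retention {days}d meets the {minimum_days}d minimum"
    return {"logGroupName": name, "retentionInDays": days, "status": status, "reason": reason}

def audit_log_groups(groups: List[Dict], minimum_days: int = DEFAULT_MIN_RETENTION_DAYS) -> List[Dict]:
    """Return only the failing findings for a list of log groups."""
    findings = (evaluate_log_group(g, minimum_days) for g in groups)
    return [f for f in findings if f["status"] == "FAIL"]

def next_allowed_retention(minimum_days: int) -> int:
    """Smallest retention PutRetentionPolicy accepts that is >= minimum_days."""
    for value in ALLOWED_RETENTION_DAYS:
        if value >= minimum_days:
            return value
    raise ValueError(f"{minimum_days} days exceeds the largest supported retention")

def audit_account(minimum_days: int = DEFAULT_MIN_RETENTION_DAYS, remediate: bool = False) -> List[Dict]:
    """Live audit through boto3; optionally raise retention on the failing groups."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    logs = boto3.client("logs")
    groups: List[Dict] = []
    for page in logs.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    findings = audit_log_groups(groups, minimum_days)
    if remediate:
        target = next_allowed_retention(minimum_days)
        for f in findings:
            logs.put_retention_policy(logGroupName=f["logGroupName"], retentionInDays=target)
    return findings

# Constructed sample shaped like a DescribeLogGroups response (not real data).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30},
    {"logGroupName": "/aws/lambda/billing", "retentionInDays": 365},
    {"logGroupName": "/app/auth"},  # no retention set: never expires
]
```

Running audit_log_groups(SAMPLE_LOG_GROUPS) flags only /aws/lambda/orders; audit_account(remediate=True) needs logs:DescribeLogGroups and logs:PutRetentionPolicy permissions on the account being audited.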