
Rule: Log group retention period should be at least 365 days

Ensure that log group retention period is set to a minimum of 1 year for compliance.

Rule: Log group retention period should be at least 365 days
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The log group retention period must be set to a minimum of 365 days for compliance with NIST 800-171 Revision 2. This rule ensures that log data is retained for a sufficient period, enabling organizations to monitor and investigate security incidents effectively while meeting regulatory requirements.

Troubleshooting Steps:

If the log group retention period is not set to at least 365 days, follow these troubleshooting steps to remediate the issue:

  1. Identify the AWS service(s) used for logging: Determine the logging services being used, such as CloudTrail, GuardDuty, VPC Flow Logs, or any other services that generate logs within your AWS environment.

  2. Review the existing log group retention period: Check the configuration of each log group associated with the logging services identified in step 1. Determine whether any log group has a retention period set below 365 days.

  3. Adjust the log group retention period: For each log group with a retention period below 365 days, modify the retention period to meet the compliance requirement.

Necessary Codes:

  • No specific code is provided for this rule. The remediation process involves adjusting the log group retention period through the AWS Management Console or using AWS CLI commands.

Remediation Steps:

  1. Identify the AWS service(s) used for logging: Determine the logging services being used within your AWS environment, as described in the troubleshooting steps above.

  2. Access the AWS Management Console: Open the AWS Management Console using your AWS account credentials.

  3. Navigate to the logging service: Depending on the logging service used, follow the relevant steps below:

    a. For CloudTrail:

    • Go to the CloudTrail service page.
    • Select the trail that needs adjustment.
    • Click "Edit" on the trail.
    • Increase the value of "Retention (days)" to at least 365.
    • Save the changes.

    b. For GuardDuty:

    • Go to the GuardDuty service page.
    • Select the detector that requires modification.
    • Click on the "Settings" tab.
    • Adjust the "Log retention" setting to a minimum of 365 days.
    • Save the changes.

    c. For VPC Flow Logs, CloudWatch Logs, or other services:

    • Go to the CloudWatch service page.
    • Select "Logs" from the left-hand menu.
    • Choose the log group that needs adjustment.
    • Click "Actions" > "Modify retention" from the top menu.
    • Enter a new retention value of at least 365 days.
    • Save the changes.

  4. Verify the configuration: Once the retention period is adjusted, ensure that the log group(s) now have a retention period of at least 365 days. Repeat the steps for each logging service used to ensure full compliance.

  5. Update documentation: Update any relevant documentation or internal policies to reflect the new log group retention period.
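The page itself provides no code, and the console steps above have to be repeated per log group. As an added example (not Cloud Defense's own tooling, and not an official AWS script), the Python below audits the JSON that `aws logs describe-log-groups --output json` returns and prints the `aws logs put-retention-policy` command needed for every log group that falls short of the 365-day minimum. Two details matter for a correct check: a log group with no `retentionInDays` key is set to "Never expire", which already satisfies the rule, and CloudWatch Logs only accepts a fixed set of retention values, so the script rounds an arbitrary minimum up to the nearest accepted value. The embedded log group names are constructed sample data.

```python
import json
import sys

# Minimum retention required by the rule (NIST 800-171 Rev 2 mapping on this page).
MIN_RETENTION_DAYS = 365

# Retention values accepted by the CloudWatch Logs PutRetentionPolicy API.
VALID_RETENTION_DAYS = (
    1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
    731, 1096, 1827, 2192, 2557, 2922, 3288, 3653,
)

# Constructed sample in the shape of `aws logs describe-log-groups --output json`.
# The third group has no retentionInDays key: that is how "Never expire" appears.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "logGroups": [
        {"logGroupName": "/aws/cloudtrail/example-trail", "retentionInDays": 90},
        {"logGroupName": "/aws/vpc/flow-logs-example", "retentionInDays": 365},
        {"logGroupName": "/aws/lambda/example-function"},
        {"logGroupName": "/aws/guardduty/example-detector", "retentionInDays": 30},
    ]
})


def is_compliant(group, minimum=MIN_RETENTION_DAYS):
    """A group complies if it never expires or keeps logs at least `minimum` days."""
    retention = group.get("retentionInDays")
    if retention is None:          # absent key == "Never expire"
        return True
    return retention >= minimum


def find_noncompliant(describe_json, minimum=MIN_RETENTION_DAYS):
    """Return the log group records (dicts) whose retention is below `minimum`."""
    data = json.loads(describe_json)
    return [g for g in data.get("logGroups", []) if not is_compliant(g, minimum)]


def nearest_valid_retention(minimum):
    """Smallest value the API accepts that is >= `minimum`."""
    for days in VALID_RETENTION_DAYS:
        if days >= minimum:
            return days
    raise ValueError(f"{minimum} days exceeds the longest supported retention")


def remediation_commands(describe_json, minimum=MIN_RETENTION_DAYS):
    """Build one put-retention-policy CLI command per non-compliant group."""
    target = nearest_valid_retention(minimum)
    return [
        f"aws logs put-retention-policy --log-group-name '{g['logGroupName']}' "
        f"--retention-in-days {target}"
        for g in find_noncompliant(describe_json, minimum)
    ]


if __name__ == "__main__":
    # Read real output from stdin when piped in; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    bad = find_noncompliant(raw)
    print(f"{len(bad)} log group(s) below {MIN_RETENTION_DAYS} days:")
    for g in bad:
        print(f"  {g['logGroupName']}: {g.get('retentionInDays')} days")
    print("\nRemediation commands (review before running):")
    for cmd in remediation_commands(raw):
        print("  " + cmd)
```

Run it as `aws logs describe-log-groups --output json | python3 audit_retention.py` (the file name is the reader's choice). The account running `describe-log-groups` and `put-retention-policy` needs only the `logs:DescribeLogGroups` and `logs:PutRetentionPolicy` permissions, which keeps the audit role narrow. Because `describe-log-groups` paginates, use `--no-paginate` only for small accounts; the AWS CLI merges pages automatically when the default pagination is left on.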

Note:

Ensure that the adjusted retention period aligns with your organization's specific needs and compliance requirements.
