This rule specifies that the log group retention period must be set to a minimum of 365 days.
| Rule | Log group retention period should be at least 365 days |
| --- | --- |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description
The retention period of every CloudWatch log group should be set to a minimum of 365 days. NIST 800-53 Revision 5 control AU-11 (Audit Record Retention) requires audit records to be kept for an organization-defined period long enough to support after-the-fact investigation of incidents; this rule uses 365 days as that threshold. Keeping log data for at least a year ensures it remains available for auditing, troubleshooting, and forensic analysis of security incidents that are discovered long after they occurred.
Troubleshooting Steps
If a log group's retention period is shorter than 365 days, you may encounter the following issues:
Insufficient log data for investigation: CloudWatch Logs permanently deletes events older than the configured retention period, and raising the retention later does not recover them. In the event of a security incident or anomaly, historical log data is crucial for identifying the root cause and determining the extent of the compromise; a short retention period can leave investigators without evidence for activity that predates the current window.
Non-compliance: this rule treats 365 days as the minimum retention that satisfies NIST 800-53 Revision 5 AU-11. Log groups with a shorter retention are reported as non-compliant, which will surface in audits and assessments against the framework and may require remediation under your organization's compliance program.
Necessary Code/Configuration
To bring a log group into line with this rule, set its retention period to 365 days or longer using either the AWS Management Console or the AWS CLI, as described in the remediation steps below. Retention is configured per log group, so every log group in each account and region must be checked.
Step-by-Step Guide for Remediation
To set the log group retention period to at least 365 days for AWS CloudWatch Logs, follow these step-by-step instructions:
AWS Management Console
a) Sign in to the AWS Management Console.
b) Navigate to the CloudWatch service.
c) Select "Log groups" from the left-hand menu.
d) Choose the relevant log group for which you want to adjust the retention period.
e) Click the "Actions" dropdown menu and select "Edit retention".
f) Choose a retention setting of 365 days (1 year) or longer.
g) Click "Save changes" to apply the new retention period.
AWS CLI
a) Open a command prompt or terminal and ensure that the AWS CLI is installed and configured with credentials that are allowed the logs:PutRetentionPolicy action.
b) Run the following command to set the log group retention period:
aws logs put-retention-policy --log-group-name <log-group-name> --retention-in-days 365
Replace <log-group-name> with the name of your desired log group. The --retention-in-days parameter accepts only specific values; 365 is one of them, and longer valid values such as 400, 545 or 731 also satisfy this rule. A log group with no retention policy at all keeps its events indefinitely. Repeat the command for each log group that needs remediation.
By following the above steps, you will set the log group retention period to match or exceed the 365 days required by this rule. This supports compliance with NIST 800-53 Revision 5 AU-11, enables effective auditing, and preserves the data needed for troubleshooting and forensic analysis during security incidents.
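The CLI step above fixes one log group at a time. The following Python script, added here as an example and not part of the original rule text or any AWS tooling, evaluates every log group in `aws logs describe-log-groups` output against the 365-day threshold and emits the exact `put-retention-policy` command for each non-compliant group, rounding the target up to the nearest value the API accepts. The log group names are constructed sample data, and treating a log group with no retention policy (never expire) as compliant is an interpretation made in this example, not something the rule text states.

```python
import json
import shlex

# Retention values (days) accepted by CloudWatch Logs PutRetentionPolicy.
VALID_RETENTION_DAYS = [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653]

MIN_RETENTION_DAYS = 365  # threshold checked by this rule

# Constructed sample in the shape of `aws logs describe-log-groups` output.
# Log group names are hypothetical. A group without "retentionInDays" has
# no retention policy, which CloudWatch Logs treats as "never expire".
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "logGroups": [
        {"logGroupName": "/aws/lambda/orders-api", "retentionInDays": 14},
        {"logGroupName": "/aws/vpc/flow-logs", "retentionInDays": 365},
        {"logGroupName": "/audit/cloudtrail"},
        {"logGroupName": "/aws/rds/prod", "retentionInDays": 90},
        {"logGroupName": "/app/legacy", "retentionInDays": 400},
    ]
})


def target_retention(min_days):
    """Smallest value the API accepts that is >= min_days."""
    for value in VALID_RETENTION_DAYS:
        if value >= min_days:
            return value
    raise ValueError(f"no valid retention value >= {min_days} days")


def evaluate_log_groups(describe_json, min_days=MIN_RETENTION_DAYS):
    """Map each log group name to True (compliant) or False (non-compliant).

    A missing retention policy means events are never deleted, which this
    example counts as satisfying "at least min_days" (an interpretation
    chosen here, not stated by the rule text).
    """
    results = {}
    for group in json.loads(describe_json)["logGroups"]:
        days = group.get("retentionInDays")
        results[group["logGroupName"]] = days is None or days >= min_days
    return results


def remediation_commands(describe_json, min_days=MIN_RETENTION_DAYS):
    """One `aws logs put-retention-policy` command per non-compliant group."""
    compliant = evaluate_log_groups(describe_json, min_days)
    days = target_retention(min_days)
    return [
        f"aws logs put-retention-policy --log-group-name {shlex.quote(name)} "
        f"--retention-in-days {days}"
        for name, ok in compliant.items() if not ok
    ]


if __name__ == "__main__":
    for name, ok in evaluate_log_groups(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{'COMPLIANT    ' if ok else 'NON_COMPLIANT'} {name}")
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_OUTPUT)))
```

Against a real account, feed the script the output of `aws logs describe-log-groups --output json` (the CLI pages through all log groups for you) instead of the embedded sample, review the printed commands, and then run them; the same evaluation logic can be reused to verify that no group falls below the threshold after remediation.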