This rule states that log group retention period should be at least 365 days.
Rule | Log group retention period should be at least 365 days |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ High |
AWS CloudWatch Log Group Retention Policy for NIST 800-53 Revision 5 Compliance
Ensuring that the retention period for log groups in Amazon CloudWatch is set to at least 365 days is important for maintaining NIST 800-53 Revision 5 compliance. This ensures that logs are stored for an adequate amount of time to meet audit and investigation requirements.
Description of the Rule
The rule dictates that all Amazon CloudWatch Log Groups must have a retention policy that saves logs for a minimum of 365 days. This is a security measure to guarantee that log data is available for a sufficient period to support security and compliance audit efforts.
Troubleshooting Steps
If a log group is found not to comply with the 365-day retention policy, the following steps should be taken:
Commands for Remediation
Utilize the AWS Command Line Interface (CLI) to identify and update the retention policy of log groups. Here are the step-by-step CLI commands:
Step 1: List All CloudWatch Log Groups
aws logs describe-log-groups --query 'logGroups[].[logGroupName,retentionInDays]'
Step 2: Identify Non-compliant Log Groups
Examine the output from the previous command to identify log groups with a retentionInDays value of less than 365 or null (indicating no retention policy).
Step 3: Update Retention Policy to 365 Days
For each non-compliant log group, run the following command:
aws logs put-retention-policy --log-group-name "YourLogGroupName" --retention-in-days 365
Replace YourLogGroupName with the actual name of the log group.
Step 4: Verify Changes
After updating the log groups, re-run the command from Step 1 to confirm all log groups now have a retention period of at least 365 days.
Compliance Automation
To automate the compliance process, you can implement AWS Config rules or custom Lambda functions to periodically check and enforce the 365-day retention period across all CloudWatch Log Groups.
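One way to script Steps 1 to 4 as the kind of scheduled Lambda function mentioned above. This is an added example, not code from the original page; the function names and sample log group names are assumptions, and it assumes boto3 is available in the Lambda runtime.

```python
"""Audit and enforce a 365-day minimum retention on CloudWatch log groups."""
MIN_DAYS = 365


def non_compliant(log_groups, min_days=MIN_DAYS):
    """Return names of groups whose retentionInDays is missing or below min_days.

    describe-log-groups omits retentionInDays when no retention policy is set;
    the rule treats that the same as a too-short retention period.
    """
    return [
        g["logGroupName"]
        for g in log_groups
        if g.get("retentionInDays") is None or g["retentionInDays"] < min_days
    ]


def enforce(client, min_days=MIN_DAYS, dry_run=True):
    """Page through all log groups and set short or missing retention to min_days.

    `client` is a boto3 CloudWatch Logs client. Returns the names changed, or
    the names that would be changed when dry_run is True.
    """
    changed = []
    for page in client.get_paginator("describe_log_groups").paginate():
        for name in non_compliant(page["logGroups"], min_days):
            if not dry_run:
                client.put_retention_policy(logGroupName=name, retentionInDays=min_days)
            changed.append(name)
    return changed


def lambda_handler(event, context):
    """Scheduled entry point; needs logs:DescribeLogGroups and logs:PutRetentionPolicy."""
    import boto3  # imported here so the audit logic above runs without AWS access

    return {"updated": enforce(boto3.client("logs"), dry_run=False)}


# Constructed sample in the shape of a describe-log-groups response.
SAMPLE = [
    {"logGroupName": "/aws/lambda/app", "retentionInDays": 30},
    {"logGroupName": "/aws/vpc/flow"},  # no retention policy set
    {"logGroupName": "/audit/cloudtrail", "retentionInDays": 365},
    {"logGroupName": "/archive/long", "retentionInDays": 731},
]

if __name__ == "__main__":
    print(non_compliant(SAMPLE))
```

Run `enforce` with `dry_run=True` first to review which log groups would be changed before applying the policy.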
By following these steps and utilizing the provided CLI commands, you can ensure that all of your AWS CloudWatch Log Groups meet the required retention period for NIST 800-53 Revision 5 compliance.