In certain AWS services, implicit creation of Log Groups can lead to unintended consequences when using CloudFormation. Failure to
declare a Log Group within CloudFormation can result in unmanaged resources, impacting both cost and security. To ensure effective
resource management and adherence to best practices, it is crucial to declare the target Log Group within CloudFormation, aligning its
name with AWS conventions.
Implicit creation of Log Groups in certain AWS services poses a significant issue when working with CloudFormation. When a Log Group
is not explicitly declared within CloudFormation, it is automatically generated at runtime. This leads to several potentially dangerous
consequences.
Unmanaged Resources: The automatically created Log Groups are not managed by CloudFormation. As a result, they won’t be removed when
the associated Stack is deleted, leading to a clutter of unused resources over time.
Lack of Configuration Control: Without explicit declaration, essential attributes of the Log Group, such as retention policies, are not managed "as code" within CloudFormation. This means that changes to these attributes can’t be tracked, versioned, or easily replicated.
Cost Implications: The perpetual existence of these auto-generated Log Groups can lead to unexpected and unnecessary costs. Storing
data indefinitely in these logs can inflate storage expenses over time.
Security Concerns: Prolonged retention of log data might conflict with company policies, industry regulations, or best practices for data security and privacy. Data that is intended to be temporary might inadvertently persist due to the lack of proper management.
Regulatory Compliance: Depending on the domain, industry, or region, organizations might be required to adhere to specific data retention and disposal guidelines. The uncontrolled retention of log data could lead to non-compliance issues.
This rule applies to the following resources:
AWS::Lambda::Function AWS::Serverless::Function AWS::ApiGatewayV2::Api AWS::CodeBuild::Project Ensure that you explicitly declare the Log Group resource. Assign it a logical name that aligns with AWS naming conventions and your
application’s requirements.
Depending on your application’s requirements, adjust additional properties of the Log Group, such as retention policies, access
controls, and encryption settings. These properties should be managed within your CloudFormation template to ensure consistency and versioned
control.
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExampleFunction:
Type: AWS::Lambda::Function
Properties:
Runtime: nodejs12.x
Description: Example of Lambda Function
Example with a !Ref:
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExampleFunction:
Type: AWS::Lambda::Function
Properties:
Runtime: nodejs12.x
Description: Example of Lambda Function
ExampleLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join ['/', ['/aws/lambda', !Ref ExampleFunction]]
RetentionInDays: 30
Example with !Sub:
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExampleFunction:
Type: AWS::Lambda::Function
Properties:
Runtime: nodejs12.x
Description: Example of Lambda Function
ExampleLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub '/aws/lambda/${ExampleFunction}'
RetentionInDays: 30