aws.log-group

Filters

cross-account

Check a resource’s embedded IAM policy for cross-account access.

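# Schema for the `cross-account` filter, which inspects the log group's
# embedded IAM policy. `whitelist` and `whitelist_from` name the entries
# that are not reported as cross-account (presumably account identifiers
# or principals — confirm against the filter implementation).
properties:
  type:
    enum:
    - cross-account
  # Inline allow-list.
  whitelist:
    items:
      type: string
    type: array
  # Allow-list loaded from an external document instead of inline.
  # Because that document decides what counts as acceptable cross-account
  # access, the URL must point at a trusted, integrity-protected source.
  whitelist_from:
    # Was the quoted string 'False', which is not a JSON-Schema boolean
    # (a non-empty string is truthy, so it would not reject unknown keys).
    additionalProperties: false
    properties:
      # Selects the values out of the fetched document; an integer or a
      # string expression (presumably a column index for csv — confirm).
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type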

last-write

Filters CloudWatch log groups by last write

example

# Example: select log groups by the age of their last write, here 60 days.
# The direction (older than the threshold) is inferred from the policy
# name "cloudwatch-stale-groups" — confirm against the filter.
policies:
  - name: cloudwatch-stale-groups
    resource: log-group
    filters:
      - type: last-write
        days: 60
# Schema for the `last-write` filter. `days` is a JSON-Schema number,
# not an integer, so fractional thresholds such as the 182.5 used in the
# delete example on this page are valid.
required:
- type
properties:
  type:
    enum:
    - last-write
  # Age threshold in days.
  days:
    type: number

Actions

delete

example

# Example: delete log groups not written to for roughly six months.
# Deleting a log group removes its streams and events with it, so the
# audit evidence it held is gone; keep the threshold conservative and
# consider the non-destructive `retention` action below where a bounded
# lifetime is what is actually wanted.
policies:
  - name: cloudwatch-delete-stale-log-group
    resource: log-group
    filters:
      - type: last-write
        days: 182.5   # fractional days are accepted (schema type: number)
    actions:
      - delete
# Schema for the `delete` action. It takes no option other than `type`,
# which is why the example above can list it in the string shorthand
# `- delete`.
required:
- type
properties:
  type:
    enum:
    - delete

retention

Action to set the retention period (in days) for CloudWatch log groups

example

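# Example: set a 180-day retention period on every log group.
# CloudWatch Logs accepts only a fixed set of retention values
# (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096,
# 1827, 2192, 2557, 2922, 3288, 3653); the original example's 200 is not
# one of them and the PutRetentionPolicy call would be rejected.
# Retention is also a security control — it bounds how long audit
# evidence is kept — so choose the value from your log-retention
# requirements, not just from storage cost.
policies:
  - name: cloudwatch-set-log-group-retention
    resource: log-group
    actions:
      - type: retention
        days: 180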
# Schema for the `retention` action. The schema only requires `days` to
# be an integer; it does not restrict it to the fixed set of values the
# CloudWatch Logs API accepts, so an unsupported value is caught only at
# execution time, not at policy validation.
required:
- type
properties:
  type:
    enum:
    - retention
  # Retention period in days.
  days:
    type: integer

set-encryption

Encrypt or decrypt a log group.

example

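# Example: two policies — one associates a KMS key with log groups that
# have none, the other removes the key again.
policies:
  # `kmsKeyId: absent` selects groups with no KMS key attribute set.
  - name: encrypt-log-group
    resource: log-group
    filters:
      - kmsKeyId: absent
    actions:
      - type: set-encryption
        kms-key: alias/mylogkey   # an alias is shown; the schema only requires a string
        state: true               # canonical boolean (was `True`)

  # Presumably disassociates the customer-managed key, so events ingested
  # afterwards are no longer protected by it; treat this as a deliberate,
  # audited change rather than routine clean-up.
  - name: decrypt-log-group
    resource: log-group
    filters:
      - kmsKeyId: kms:key:arn     # placeholder — substitute the real key ARN
    actions:
      - type: set-encryption
        state: false              # canonical boolean (was `False`)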
# Schema for the `set-encryption` action. `kms-key` is not listed as
# required, so the schema alone does not reject `state: true` without a
# key; whether the action itself enforces that is not visible here.
required:
- type
properties:
  type:
    enum:
    - set-encryption
  # true to associate the key, false to remove it (per the example above).
  state:
    type: boolean
  kms-key:
    type: string