Check whether retentionInDays is set or not

2024-08-08 11:27:06 +09:00 · 2024-08-08 11:27:06 +09:00 · 142352f1ee
commit 142352f1ee
parent f85c15f31d
1 changed files with 5 additions and 3 deletions
--- a/services/cloudwatch.py
+++ b/services/cloudwatch.py
@ -11,11 +11,13 @@ def cw_loggroup_retention_period_check():
    non_compliant_resources = []
    log_groups = logs_client.describe_log_groups()["logGroups"]

+    # This rule should check if `retentionInDays` is less than n days.
+    # But, instead of that, this will check if the retention setting is set to "Never expire" or not
    for log_group in log_groups:
-        if "retentionInDays" in log_group and log_group["retentionInDays"] < 365:
-            non_compliant_resources.append(log_group["logGroupArn"])
-        else:
+        if "retentionInDays" in log_group:
            compliant_resources.append(log_group["logGroupArn"])
+        else:
+            non_compliant_resources.append(log_group["logGroupArn"])

    return RuleCheckResult(
        passed=not non_compliant_resources,