aws_cloudwatch_log_group

Use the aws_cloudwatch_log_group InSpec audit resource to test properties of a single AWS CloudWatch Log Group.

Syntax

Ensure that an aws_cloudwatch_log_group exists

describe aws_cloudwatch_log_group('my_log_group') do
  it { should exist }
end

describe aws_cloudwatch_log_group(log_group_name: 'my_log_group') do
  it { should exist }
end

Parameters

log_group_name (required)

This resource accepts a single parameter, the log group name which uniquely identifies the CloudWatch Log Group. This can be passed either as a string or as a log_group_name: 'value' key-value entry in a hash.

See also the AWS documentation on CloudWatch Logs.

Properties

Property Description
retentionindays The number of days to retain the log events in the specified log group
kmskeyid The Amazon Resource Name (ARN) of the CMK to use when encrypting log data
tags The tags for the log group.
Test tags on the CloudWatch Log Group
describe aws_cloudwatch_log_group('my_log_group') do
  its('tags') { should include(:Environment => 'env-name',
                               :Name => 'my_log_group')}
end

AWS Permissions

Your Principal will need the logs:DescribeLogGroups and logs:ListTagsLogGroup actions with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon CloudWatch Logs.