Ensure there is an Amazon CloudWatch log group created for the app tier, available in your AWS account. A CloudWatch log group defines a collection of log streams that share the same retention, monitoring, and access control settings. This conformity rule assumes that the AWS CloudWatch log group created for your app tier is using the following naming convention: <app_tier_log_group>. Prior to running this rule by the Cloud Conformity engine, the name of the app-tier log group must be defined in the rule settings, on your Cloud Conformity account dashboard. The retention settings for the app-tier log group can be also configured within the conformity rule settings.
Amazon CloudWatch Logs helps you to aggregate, monitor, and store logs. To send your system and/or application logs to AWS CloudWatch, log groups must be created. Separating the CloudWatch log group destinations on a per tier basis will allow unique settings to be applied on a per group basis for:
- Retention of logs;
- Access controls;
- Export or stream of data to other AWS services such as S3 or Lambda for analysis and/or processing.
Note 1: Make sure that you replace all <app_tier_log_group> placeholders found in the conformity rule content with the name of your own log group created for the app tier.
Note 2: You can use third-party log management tools such as Splunk, Loggly, AlertLogic Log Manager and so on, as long as the recommendation goal is achieved. In this case, the steps outlined in the Audit and Remediation sections must be modified for the chosen log management tool.
To determine if an app-tier CloudWatch log group exists in your AWS account, perform the following actions:
Remediation / Resolution
To create an app-tier CloudWatch log group in your AWS account, perform the following actions:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
App-Tier AWS CloudWatch Log Group
Risk level: Medium