COST FINDING
CloudWatch logs retained forever
A practical example of an AWS audit finding: log groups without a retention policy keep data forever, which can turn routine application logs into a silent recurring cost.
What is a CloudWatch Log Group?
CloudWatch Log Groups store logs from AWS services and applications: Lambda functions, ECS tasks, API Gateway, custom application logs, deployment jobs, and more. Each log group contains log streams, and each stream contains log events.
The finding
Some log groups have no retention policy. In AWS, that means logs are retained indefinitely. This often happens when services create log groups automatically and nobody revisits the defaults.
Why it matters
Logs are useful, but old noisy logs can become expensive and difficult to govern. Indefinite retention can increase storage cost, preserve sensitive operational data longer than needed, and make cleanup harder later.
How to detect it
Find log groups with no retention policy:
aws logs describe-log-groups --query "logGroups[?retentionInDays==null].[logGroupName,storedBytes]" --output tableHow to fix it manually
After confirming the right retention period for the environment, apply a retention policy to the existing log group:
aws logs put-retention-policy --log-group-name "/aws/lambda/my-function" --retention-in-days 30How our CDK building block prevents it
For new infrastructure, the fix should live in code so the setting does not drift. Our LogGroup building block sets a one-month retention default and supports KMS encryption when logs are sensitive.
new LogGroup(this, 'AppLogs', {
retention: logs.RetentionDays.ONE_MONTH,
appId: 'billing-api',
owner: 'platform',
env: 'prod',
});Audit takeaway
During an AWS Account Audit, we list log groups without retention, estimate where the risk is meaningful, recommend retention by environment, fix existing resources manually where needed, and move future log groups into IaC.
Book an AWS audit