
aws_cloudwatch_log_group resource

Use the aws_cloudwatch_log_group InSpec audit resource to test properties of a single AWS CloudWatch Log Group.

For additional information, including details on parameters and properties, see the AWS documentation on CloudWatch Logs.

Syntax

Ensure that an aws_cloudwatch_log_group exists

describe aws_cloudwatch_log_group('my_log_group') do
  it { should exist }
end
describe aws_cloudwatch_log_group(log_group_name: 'my_log_group') do
  it { should exist }
end

Parameters

log_group_name (required)

This resource accepts a single parameter, the log group name which uniquely identifies the CloudWatch Log Group. This can be passed either as a string or as a log_group_name: 'value' key-value entry in a hash.

limit (optional)

An integer representing the maximum number of results to return. If not passed in, this defaults to 1, which returns only the first match to the log_group_name. This can be passed as a limit: 'value' key-value entry in a hash.

Properties

retention_in_days
The number of days to retain the log events in the specified log group.
kms_key_id
The Amazon Resource Name (ARN) of the CMK to use when encrypting log data.
tags
The tags for the log group.

Examples

Test tags on the CloudWatch Log Group:

describe aws_cloudwatch_log_group('my_log_group') do
  its('tags') { should include(:Environment => 'env-name',
                               :Name => 'my_log_group')}
end
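
A baseline check over the three properties listed above (retention_in_days, kms_key_id, tags), as an added example that is not part of the original documentation or the InSpec project's code. It is plain Ruby over a constructed LogGroup struct so it runs without InSpec or AWS credentials; the 90-day minimum, the helper names, and the reading of a nil retention_in_days as "no retention policy set, events never expire" are assumptions.

```ruby
# Constructed stand-in exposing the same property names as the resource
# (hypothetical; this is not the InSpec resource class).
LogGroup = Struct.new(:name, :retention_in_days, :kms_key_id, :tags, keyword_init: true)

MIN_RETENTION_DAYS = 90                     # assumed policy value
REQUIRED_TAGS = %i[Environment Name].freeze # tag keys used in the page's example

# Returns a list of findings; an empty list means the group meets the baseline.
def log_group_findings(group, min_days: MIN_RETENTION_DAYS, required_tags: REQUIRED_TAGS)
  findings = []
  days = group.retention_in_days
  # Assumption: nil means no retention policy is set, so events never expire.
  # That satisfies a minimum-retention rule; only a too-short value is flagged.
  # A naive ">= min_days" comparison would wrongly fail (or raise) on nil.
  findings << "retention_in_days #{days} is below #{min_days}" if days && days < min_days
  # A nil or empty kms_key_id means no customer managed key is associated.
  findings << 'kms_key_id is not set' if group.kms_key_id.to_s.empty?
  missing = required_tags - (group.tags || {}).keys
  findings << "missing tags: #{missing.join(', ')}" unless missing.empty?
  findings
end

# Maps each group name to its findings.
def audit(groups)
  groups.to_h { |g| [g.name, log_group_findings(g)] }
end

# Constructed sample data; the account id and key id are placeholders.
SAMPLE_KEY = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID'
SAMPLES = [
  LogGroup.new(name: 'my_log_group', retention_in_days: 365, kms_key_id: SAMPLE_KEY,
               tags: { Environment: 'env-name', Name: 'my_log_group' }),
  LogGroup.new(name: 'short_lived', retention_in_days: 7, kms_key_id: nil,
               tags: { Name: 'short_lived' }),
  LogGroup.new(name: 'never_expires', retention_in_days: nil, kms_key_id: SAMPLE_KEY,
               tags: { Environment: 'env-name', Name: 'never_expires' })
].freeze

audit(SAMPLES).each do |name, findings|
  puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}"
end
```
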

AWS Permissions

Your Principal will need the CloudWatchLogs:Client:DescribeLogGroupsResponse and CloudWatchLogs:Client:ListTagsLogGroupResponse actions with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon CloudWatch Logs.
