# Set retention period for CloudWatch Logs

## What It Does

Sets the retention period for CloudWatch Logs. This runbook ensures that logs are retained only for the necessary period, helping reduce unnecessary storage costs while keeping essential logs available for compliance or troubleshooting.

## Risk and Scope

| Detail                   | Value             |
| ------------------------ | ----------------- |
| **Risk Level**           | Low               |
| **AWS Service Targeted** | Amazon CloudWatch |

{% hint style="warning" %}

## Permissions Required

**Modify Permissions**

* `logs:PutRetentionPolicy`

**Read Permissions**

* `logs:DescribeLogGroups`

> These permissions are granted **only to the runbook**, not to the OneLens platform itself.

{% endhint %}

## Optimization Policies Addressed

This runbook remediates violation tickets triggered by the following policies:

| Policy ID | Policy Name                                                        |
| --------- | ------------------------------------------------------------------ |
| cw\_103   | CloudWatch log groups should have appropriate log retention period |
| cw\_102   | CloudWatch log groups should have a defined retention period       |

## Risk Mitigation

{% hint style="success" %}

## Risk Mitigation Strategy

* The change is assessed as **low risk** with limited scope and impact.
* **No downtime** is expected during or after implementation.
* **No additional safety measures** are required due to the non-disruptive nature of the change.
* A **rollback plan is not defined**, as standard procedures are sufficient to manage the change.

{% endhint %}

## How to Install

Refer to the [Runbook Setup Guide](https://docs.onelens.cloud/automate/remediations/install-runbooks#installing-a-runbook) for steps to install and enable this runbook in your environment.

## Runbook Workflow

### Step 1: Start

**Trigger:** Begins the runbook to identify CloudWatch Logs groups and set the retention periods.

### Step 2: ValidateRetentionPeriod

**Action:** Executes a script to validate the current retention period of the CloudWatch Log group to check whether it matches the desired retention configuration.

### Step 3: If/Else

**Condition:** Checks if the retention period needs to be updated.

1. **If change is required:**
   1. **PutRetentionPolicy**\
      Executes the `PutRetentionPolicy` action to set the appropriate retention period for the log group.
2. **Else:**
   * If no change is needed, the workflow terminates without making any modifications.
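
The validate-then-update logic of Steps 2 and 3, sketched in Python as an added example (this is not the OneLens runbook's own code). It assumes a boto3 CloudWatch Logs client; `validate_retention`, `remediate`, `StubLogs` and the sample log groups are hypothetical names constructed for illustration.

```python
# Retention values (days) accepted by the CloudWatch Logs PutRetentionPolicy API.
ALLOWED_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}

def validate_retention(group, desired_days):
    """Step 2: compare one DescribeLogGroups entry with the desired retention.

    Returns "ok", "extend", or "reduce". "reduce" also covers groups with no
    policy (never expire): events older than the new period will expire.
    """
    if desired_days not in ALLOWED_DAYS:
        raise ValueError(f"{desired_days} is not a valid retentionInDays value")
    current = group.get("retentionInDays")  # key is absent when logs never expire
    if current == desired_days:
        return "ok"
    if current is None or current > desired_days:
        return "reduce"
    return "extend"

def remediate(client, desired_days, dry_run=True):
    """Step 3: call PutRetentionPolicy only where a change is required."""
    plan = {}
    for page in client.get_paginator("describe_log_groups").paginate():
        for group in page["logGroups"]:
            name = group["logGroupName"]
            plan[name] = validate_retention(group, desired_days)
            if plan[name] != "ok" and not dry_run:
                client.put_retention_policy(logGroupName=name,
                                            retentionInDays=desired_days)
    return plan

class StubLogs:
    """Constructed stand-in for boto3.client("logs") so the example runs offline."""
    def __init__(self, groups):
        self.groups, self.calls = groups, []
    def get_paginator(self, name):
        return self
    def paginate(self):
        yield {"logGroups": self.groups}
    def put_retention_policy(self, logGroupName, retentionInDays):
        self.calls.append((logGroupName, retentionInDays))

SAMPLE = [  # constructed DescribeLogGroups entries, not real log groups
    {"logGroupName": "/app/api", "retentionInDays": 30},
    {"logGroupName": "/app/audit", "retentionInDays": 365},
    {"logGroupName": "/app/batch"},
    {"logGroupName": "/app/web", "retentionInDays": 7},
]
```

With the default `dry_run=True` the function only reports its plan, so groups marked `reduce` can be reviewed against compliance or investigation needs before the policy is applied.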

## See How It Works

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FnwLqnZ1Ab2EUCvgpKuA9%2FScreenshot%202025-05-13%20at%2015.30.21.png?alt=media&#x26;token=80da08c4-eaf8-4e5f-8d4a-5e53e1abb889" alt=""><figcaption></figcaption></figure>

## Triggering the Runbook

To run this workflow:

### **1. Locate the Ticket**

Identify the ticket associated with the above-mentioned policy violation.

### **2. Execute the Runbook**

Follow the steps described in the [executing a runbook](https://docs.onelens.cloud/automate/remediations/runbooks/..#executing-a-runbook) section to apply this runbook to the ticket.
