Skip to main content

aws_cloudwatch_log_group resource

[edit on GitHub]

Use the aws_cloudwatch_log_group InSpec audit resource to test properties of a single AWS CloudWatch Log Group.


Ensure that an aws_cloudwatch_log_group exists

describe aws_cloudwatch_log_group('my_log_group') do
  it { should exist }

describe aws_cloudwatch_log_group(log_group_name: 'my_log_group') do
  it { should exist }


log_group_name (required)

This resource accepts a single parameter, the log group name which uniquely identifies the CloudWatch Log Group. This can be passed either as a string or as a log_group_name: 'value' key-value entry in a hash.

See also the AWS documentation on CloudWatch Logs.


retention_in_daysThe number of days to retain the log events in the specified log group
kms_key_idThe Amazon Resource Name (ARN) of the CMK to use when encrypting log data
tagsThe tags for the log group.

Test tags on the CloudWatch Log Group

describe aws_cloudwatch_log_group('my_log_group') do
  its('tags') { should include(:Environment => 'env-name',
                               :Name => 'my_log_group')}

AWS Permissions

Your Principal will need the logs:DescribeLogGroups and logs:ListTagsLogGroup actions with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon CloudWatch Logs.

Was this page helpful?


Search Results