Terraform CloudWatch log retention risk

Do not lose evidence by accident.

Log retention changes affect investigations, audit trails, and incident review. This page is static guidance; raw Terraform plans stay local on your workstation or in CI.

No plan upload · Manual review guide · SOC 2 evidence

High-risk signals include lowering retention days, deleting log groups, removing alarms, changing destinations, or shortening retention below policy requirements.

Review checklist

Logging signals

  • Retention days decrease or become unset.
  • Production log groups are deleted or replaced.
  • Metric filters, alarms, or delivery subscriptions are removed.
  • Retention no longer matches SOC 2, incident response, or customer contract requirements.
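The logging signals above can be checked mechanically against the JSON produced by `terraform show -json`. The following is an added example, not readtheplan's own code; `review_plan`, the 90-day policy minimum used in testing, and the sample plan are constructed assumptions.

```python
import json
import math

# Constructed sample shaped like `terraform show -json plan.out` output.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_cloudwatch_log_group.api", "type": "aws_cloudwatch_log_group",
  "change": {"actions": ["update"], "before": {"retention_in_days": 365},
             "after": {"retention_in_days": 30}}},
 {"address": "aws_cloudwatch_log_group.audit", "type": "aws_cloudwatch_log_group",
  "change": {"actions": ["delete"], "before": {"retention_in_days": 400}, "after": null}},
 {"address": "aws_cloudwatch_log_group.worker", "type": "aws_cloudwatch_log_group",
  "change": {"actions": ["update"], "before": {"retention_in_days": 90},
             "after": {"retention_in_days": 0}}},
 {"address": "aws_cloudwatch_metric_alarm.errors", "type": "aws_cloudwatch_metric_alarm",
  "change": {"actions": ["delete"], "before": {}, "after": null}}
]}""")

MONITORING_TYPES = {"aws_cloudwatch_log_metric_filter", "aws_cloudwatch_metric_alarm",
                    "aws_cloudwatch_log_subscription_filter"}

def effective_days(state):
    # AWS provider: retention_in_days of 0 (or absent) means events never expire.
    return (state or {}).get("retention_in_days") or math.inf

def review_plan(plan, policy_min_days):
    """Return (address, finding) pairs for the checklist's logging signals."""
    findings = []
    for rc in plan.get("resource_changes", []):
        addr, change = rc["address"], rc["change"]
        actions, before, after = change["actions"], change.get("before"), change.get("after")
        if rc["type"] in MONITORING_TYPES and "delete" in actions:
            findings.append((addr, "monitoring resource removed"))
        if rc["type"] != "aws_cloudwatch_log_group":
            continue
        if "delete" in actions:  # a replace carries both "delete" and "create"
            findings.append((addr, "log group replaced" if "create" in actions else "log group deleted"))
        if after is None:
            continue
        new = effective_days(after)
        if before is not None:
            old = effective_days(before)
            if new < old:
                findings.append((addr, f"retention decreased from {old} to {new} days"))
            elif old < new == math.inf:
                findings.append((addr, "retention unset: log group will never expire"))
        if new < policy_min_days:
            findings.append((addr, f"retention {new} days is below policy minimum {policy_min_days}"))
    return findings
```

Run it in CI against the plan JSON and fail the job or require an extra approval when the returned list is non-empty; the plan never leaves the runner.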

SOC 2 angle

Evidence to keep

Map CloudWatch retention changes to CC7 monitoring, CC8 change management, and evidence completeness. readtheplan can highlight retention decreases from Terraform JSON in your local workflow.

FAQ

CloudWatch retention questions

Why is decreasing retention risky?

Shorter retention can remove evidence needed for security investigations, audits, customer requests, and incident timelines.

What should be checked before apply?

Confirm policy minimums, affected environments, alerting impact, and whether older logs are preserved elsewhere before changing retention.