In my production account I have multiple CloudWatch log groups which should not be deleted under any circumstances. I could not find any straightforward way to do this. I would appreciate your support if there is a way I can do this.
Question posted in Amazon Web Services
The official Amazon Web Services documentation can be found here.
2 Answers
By setting up a retention policy that ensures logs are never deleted, they can be protected via a retention policy. For more details, check out this link: Retention Policy Cloud Watch
You have three options.

First, you can define granular access to those log groups, and simply not grant the DeleteLogGroup permission. This is, IMO, the best approach.

Second, you can create a permissions boundary, which is attached to all of the IAM users/roles that can access the log groups in question, and denies the DeleteLogGroup permission. The drawback to permissions policies is that you have to apply them everywhere.

Third, if you have set up an organization, you can create a service control policy that explicitly denies DeleteLogGroup for those log groups. Apply this to the account(s), and nobody, not even the root user, will be able to delete the group(s).

If you go with the third option, be sure to read through the documentation on AWS Organizations. One thing that AWS recommends is that the organization root account not be used for any workloads, so you should create a new account to serve as the organization root and invite your current account.
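The following is an added example, not code from either answer above. It builds the policy documents for the three options (a granular identity policy that omits logs:DeleteLogGroup, and an explicit Deny usable as a permissions boundary or as an SCP) and runs them through a small, simplified model of AWS policy evaluation so you can see why each one blocks deletion of the protected groups while leaving other log groups untouched. The account ID and log-group ARNs are made up; the evaluator only models same-account identity policies, a permissions boundary and SCPs (no resource-based or session policies), and, as a practical caveat when choosing the third option, remember that SCPs never apply to principals in the organization's management account itself, which is one more reason to keep workloads out of it.

```python
"""Simplified model of AWS IAM evaluation used to compare three ways of
protecting CloudWatch log groups from logs:DeleteLogGroup.
Constructed example; ACCOUNT and the ARNs are assumed values."""
import fnmatch
import json

ACCOUNT = "123456789012"  # assumed account id
# Assumed ARNs of the log groups that must never be deleted.
PROTECTED = [
    f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/payments-prod",
    f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/ecs/checkout-prod",
]
DELETE = "logs:DeleteLogGroup"

# Option 1: a granular identity policy that simply never grants DeleteLogGroup.
READ_ONLY_LOGS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
               "logs:GetLogEvents", "logs:FilterLogEvents"],
    "Resource": "*"}]}

# A broad policy, to show what the boundary and SCP have to override.
ADMIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}


def deny_delete_policy(arns):
    """Options 2 and 3: an explicit Deny on the protected ARNs. As a
    permissions boundary the Allow-all statement defines the ceiling; as an
    SCP it plays the role of the default FullAWSAccess policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": DELETE, "Resource": list(arns)},
    ]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value):
    """IAM-style wildcard match ('*' and '?'), case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        hit_action = any(_match(a, action) for a in _as_list(stmt.get("Action", [])))
        hit_res = any(_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_res:
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    """Same-account evaluation: every layer present (SCPs, boundary,
    identity policies) must contain an Allow and none may contain a Deny."""
    layers = [list(identity_policies)]
    if boundary is not None:
        layers.append([boundary])
    if scps:
        layers.append(list(scps))
    for layer in layers:
        verdicts = [_evaluate(p, action, resource) for p in layer]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


def compare_options(target, other):
    """Can `target` (protected) and `other` (unprotected) be deleted under
    each option? Returns {option: (target_deletable, other_deletable)}."""
    deny = deny_delete_policy(PROTECTED)
    return {
        "no_control": (is_allowed(DELETE, target, [ADMIN]),
                       is_allowed(DELETE, other, [ADMIN])),
        "granular_policy": (is_allowed(DELETE, target, [READ_ONLY_LOGS]),
                            is_allowed(DELETE, other, [READ_ONLY_LOGS])),
        "boundary": (is_allowed(DELETE, target, [ADMIN], boundary=deny),
                     is_allowed(DELETE, other, [ADMIN], boundary=deny)),
        "scp": (is_allowed(DELETE, target, [ADMIN], scps=[deny]),
                is_allowed(DELETE, other, [ADMIN], scps=[deny])),
    }


if __name__ == "__main__":
    other = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/dev/scratch"
    for name, result in compare_options(PROTECTED[0], other).items():
        print(f"{name:16} protected deletable={result[0]}  other deletable={result[1]}")
    print(json.dumps(deny_delete_policy(PROTECTED), indent=2))  # upload as boundary/SCP
```

The "no_control" row shows the starting point (an admin can delete anything); the granular policy blocks deletion everywhere because it never grants the action, while the boundary and the SCP only block the listed ARNs. The JSON printed at the end is the document you would attach as a permissions boundary or as an SCP; in the SCP case it still has to be attached to every account (or OU) that holds protected groups.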