Table: aws_cloudwatch_log_group - Query AWS CloudWatch Log Groups using SQL
The AWS CloudWatch Log Group is a resource that encapsulates your AWS CloudWatch Logs. Log groups are used to monitor, store, and access your log events. A log group lets you specify a retention period to automatically expire old log events, which helps you manage your log data efficiently.
Table Usage Guide
The aws_cloudwatch_log_group table in Steampipe provides you with information about Log Groups within AWS CloudWatch. This table allows you, as a DevOps engineer, to query Log Group-specific details, including the ARN, creation time, stored bytes, metric filter count, retention period, and associated tags. You can utilize this table to gather insights on Log Groups, such as their size, age, and associated metrics. The schema outlines the various attributes of the Log Group for you, including the ARN, creation time, stored bytes, and associated tags.
Examples
List all the log groups that are not encrypted
Identify instances where log groups in AWS CloudWatch are not encrypted. This is beneficial in assessing security measures and ensuring encryption is applied where necessary for data protection.
```sql
select
  name,
  kms_key_id,
  metric_filter_count,
  retention_in_days
from
  aws_cloudwatch_log_group
where
  kms_key_id is null;
```
List of log groups whose retention period is less than 7 days
Determine the areas in your AWS CloudWatch where log groups are set to retain data for less than a week. This query is useful for identifying potential data loss risks due to short retention periods.
```sql
select
  name,
  retention_in_days
from
  aws_cloudwatch_log_group
where
  retention_in_days < 7;
```
Metric filter info for attached log groups
Uncover the details of how your AWS CloudWatch log groups relate to metric filters, providing a comprehensive view of your logging and monitoring setup. This can be helpful in auditing your CloudWatch configurations, ensuring that important log data is being correctly processed and monitored.
```sql
select
  groups.name as log_group_name,
  metric.name as metric_filter_name,
  metric.filter_pattern,
  metric.metric_transformation_name,
  metric.metric_transformation_value
from
  aws_cloudwatch_log_group as groups
  join aws_cloudwatch_log_metric_filter as metric
    on groups.name = metric.log_group_name;
```
List data protection audit policies and their destinations for each log group
Explore the configuration of your data protection audit policies to understand how and where your log data is being sent. This can be useful for ensuring that your logs are being directed to the correct destinations, making it easier to manage and monitor your data.
```sql
select
  i as data_identifier,
  s -> 'Operation' -> 'Audit' -> 'FindingsDestination' -> 'S3' -> 'Bucket' as destination_bucket,
  s -> 'Operation' -> 'Audit' -> 'FindingsDestination' -> 'CloudWatchLogs' -> 'LogGroup' as destination_log_group,
  s -> 'Operation' -> 'Audit' -> 'FindingsDestination' -> 'Firehose' -> 'DeliveryStream' as destination_delivery_stream
from
  aws_cloudwatch_log_group,
  jsonb_array_elements(data_protection_policy -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'DataIdentifier') as i
where
  s ->> 'Sid' = 'audit-policy'
  and name = 'log-group-name';
```
Error: The corresponding SQLite query is unavailable.
List log groups with no data protection policy
Determine the areas in which data protection policies are not applied to AWS CloudWatch log groups. This can be useful for identifying potential security vulnerabilities and ensuring all log data is adequately protected.
```sql
select
  arn,
  name,
  creation_time
from
  aws_cloudwatch_log_group
where
  data_protection_policy is null;
```
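The checks above can be combined into one posture report per log group. The following query is an added example, not part of the original Steampipe documentation; it uses only columns from the schema below, and the 90-day minimum retention is an assumed policy value that you should replace with your own.

```sql
-- Added example: one row per log group that fails at least one check.
-- Assumption: 90 days is the minimum retention your policy requires.
with checks as (
  select
    account_id,
    region,
    name,
    stored_bytes,
    retention_in_days,
    -- No KMS key is associated with the log group.
    (kms_key_id is null) as no_kms_key,
    -- A null retention_in_days means events never expire, so it is
    -- not counted as short retention (a plain "< 90" filter would
    -- also skip nulls, but silently).
    (retention_in_days is not null and retention_in_days < 90) as short_retention,
    (data_protection_policy is null) as no_data_protection_policy,
    (coalesce(metric_filter_count, 0) = 0) as no_metric_filters
  from
    aws_cloudwatch_log_group
)
select
  account_id,
  region,
  name,
  stored_bytes,
  retention_in_days,
  no_kms_key,
  short_retention,
  no_data_protection_policy,
  no_metric_filters,
  cast(no_kms_key as int)
    + cast(short_retention as int)
    + cast(no_data_protection_policy as int)
    + cast(no_metric_filters as int) as finding_count
from
  checks
where
  no_kms_key
  or short_retention
  or no_data_protection_policy
  or no_metric_filters
order by
  finding_count desc,
  stored_bytes desc;
```

Sorting by finding_count and then stored_bytes puts the largest log groups with the most gaps at the top, which is usually the order in which they should be remediated.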
Query examples
- cloudwatch_groups_for_codebuild_project
- cloudwatch_log_group_encryption_details
- cloudwatch_log_group_input
- cloudwatch_log_group_metric_filter_count
- cloudwatch_log_group_overview
- cloudwatch_log_group_retention_in_days
- cloudwatch_log_group_stored_bytes
- cloudwatch_log_group_tags
- cloudwatch_log_group_unencrypted
- cloudwatch_log_groups_for_ecs_task_definition
- cloudwatch_log_groups_for_redshift_cluster
- cloudwatch_log_groups_for_vpc_flow_log
- cloudwatch_log_metric_filters_for_cloudwatch_log_group
- kinesis_streams_for_cloudwatch_log_group
- kms_keys_for_cloudwatch_log_group
- lambda_functions_for_cloudwatch_log_group
- vpc_flow_logs_for_cloudwatch_log_group
Schema for aws_cloudwatch_log_group
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) of the log group. |
creation_time | timestamp with time zone | | The creation time of the log group. |
data_protection | jsonb | | Log group data protection policy information. |
data_protection_policy | jsonb | | The data protection policy document for a log group. |
data_protection_status | text | | Displays whether this log group has a protection policy, or whether it had one in the past. |
inherited_properties | jsonb | | Displays all the properties that this log group has inherited from account-level settings. |
kms_key_id | text | | The Amazon Resource Name (ARN) of the CMK to use when encrypting log data. |
log_group_arn | text | | The Amazon Resource Name (ARN) of the log group. This version of the ARN doesn't include a trailing :* after the log group name. |
log_group_class | text | | This specifies the log group class for this log group. |
metric_filter_count | bigint | | The number of metric filters. |
name | text | = | The name of the log group. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | = | The AWS Region in which the resource is located. |
retention_in_days | bigint | | The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
stored_bytes | bigint | | The number of bytes stored. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```bash
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```bash
steampipe_export_aws --config '<your_config>' aws_cloudwatch_log_group
```