Table: aws_cloudwatch_log_group - Query AWS CloudWatch Log Groups using SQL
The AWS CloudWatch Log Group is a resource that encapsulates your AWS CloudWatch Logs. These log groups are used to monitor, store, and access your log events. It allows you to specify a retention period to automatically expire old log events, thus aiding in managing your log data efficiently.
Table Usage Guide
The aws_cloudwatch_log_group
table in Steampipe provides you with information about Log Groups within AWS CloudWatch. This table allows you, as a DevOps engineer, to query Log Group-specific details, including the ARN, creation time, stored bytes, metric filter count, retention period, and associated tags. You can utilize this table to gather insights on Log Groups, such as their size, age, and associated metrics. The schema outlines the various attributes of the Log Group for you, including the ARN, creation time, stored bytes, and associated tags.
Examples
List all the log groups that are not encrypted
Identify instances where log groups in AWS CloudWatch are not encrypted. This is beneficial in assessing security measures and ensuring encryption is applied where necessary for data protection.
select name, kms_key_id, metric_filter_count, retention_in_daysfrom aws_cloudwatch_log_groupwhere kms_key_id is null;
select name, kms_key_id, metric_filter_count, retention_in_daysfrom aws_cloudwatch_log_groupwhere kms_key_id is null;
List of log groups whose retention period is less than 7 days
Determine the areas in your AWS Cloudwatch where log groups are set to retain data for less than a week. This query is useful for identifying potential data loss risks due to short retention periods.
select name, retention_in_daysfrom aws_cloudwatch_log_groupwhere retention_in_days < 7;
select name, retention_in_daysfrom aws_cloudwatch_log_groupwhere retention_in_days < 7;
Metric filters info attached log groups
Uncover the details of how your AWS CloudWatch log groups relate to metric filters, providing a comprehensive view of your logging and monitoring setup. This can be helpful in auditing your CloudWatch configurations, ensuring that important log data is being correctly processed and monitored.
select groups.name as log_group_name, metric.name as metric_filter_name, metric.filter_pattern, metric.metric_transformation_name, metric.metric_transformation_valuefrom aws_cloudwatch_log_group groups join aws_cloudwatch_log_metric_filter metric on groups.name = metric.log_group_name;
select groups.name as log_group_name, metric.name as metric_filter_name, metric.filter_pattern, metric.metric_transformation_name, metric.metric_transformation_valuefrom aws_cloudwatch_log_group as groups join aws_cloudwatch_log_metric_filter as metric on groups.name = metric.log_group_name;
List data protection audit policies and their destinations for each log group
Explore the configuration of your data protection audit policies to understand how and where your log data is being sent. This can be useful for ensuring that your logs are being directed to the correct destinations, making it easier to manage and monitor your data.
select i as data_identifier, s -> 'Operation' -> 'Audit' -> 'FindingsDestination' -> 'S3' -> 'Bucket' as destination_bucket, s -> 'Operation' -> 'Audit' -> 'FindingsDestination' -> 'CloudWatchLogs' -> 'LogGroup' as destination_log_group, s -> 'Operation' -> 'Audit' -> 'FindingsDestination' -> 'Firehose' -> 'DeliveryStream' as destination_delivery_streamfrom aws_cloudwatch_log_group, jsonb_array_elements(data_protection_policy -> 'Statement') as s, jsonb_array_elements_text(s -> 'DataIdentifier') as iwhere s ->> 'Sid' = 'audit-policy' and name = 'log-group-name';
Error: The corresponding SQLite query is unavailable.
List log groups with no data protection policy
Determine the areas in which data protection policies are not applied to AWS Cloudwatch log groups. This can be useful for identifying potential security vulnerabilities and ensuring all log data is adequately protected.
select arn, name, creation_timefrom aws_cloudwatch_log_groupwhere data_protection_policy is null;
select arn, name, creation_timefrom aws_cloudwatch_log_groupwhere data_protection_policy is null;
Schema for aws_cloudwatch_log_group
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
arn | text | The Amazon Resource Name (ARN) of the log group. | |
creation_time | timestamp with time zone | The creation time of the log group. | |
data_protection | jsonb | Log group data protection policy information. | |
data_protection_policy | jsonb | The data protection policy document for a log group. | |
data_protection_status | text | Displays whether this log group has a protection policy, or whether it had one in the past. | |
inherited_properties | jsonb | Displays all the properties that this log group has inherited from account-level settings. | |
kms_key_id | text | The Amazon Resource Name (ARN) of the CMK to use when encrypting log data. | |
log_group_arn | text | The Amazon Resource Name (ARN) of the log group. This version of the ARN doesn't include a trailing :* after the log group name. | |
log_group_class | text | This specifies the log group class for this log group. | |
metric_filter_count | bigint | The number of metric filters. | |
name | text | = | The name of the log group. |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
region | text | = | The AWS Region in which the resource is located. |
retention_in_days | bigint | The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
stored_bytes | bigint | The number of bytes stored. | |
tags | jsonb | A map of tags for the resource. | |
title | text | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_cloudwatch_log_group