prowler-cloud/prowler

Environment-Specific Log Group Retention Policy Validation

Open

#6.240 geöffnet am 18. Dez. 2024

Auf GitHub ansehen
 (1 Kommentar) (0 Reaktionen) (0 zugewiesene Personen)Python (1.322 Forks)batch import
feature-requesthelp wanted

Repository-Metriken

Stars
 (8.957 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 9T 17h) (314 gemergte PRs in 30 T)

Beschreibung

New feature motivation

When scanning multiple accounts, we often have environment-specific log group retention policies:

Sandbox: 7 days Staging: 30 days Production: 365 days Currently, these policies may be flagged as non-compliant unless explicitly configured for each environment. For example, a Sandbox log group with a retention policy of exactly 7 days should pass the compliance check, while any configuration below 7 days should be flagged as non-compliant. Similarly, Staging and Production environments should align with their respective policies. Introduce functionality to allow environment-specific log group retention policies to be validated dynamically based on predefined rules.

Expected Behavior:

Ability to define retention policies per environment (e.g., Sandbox, Staging, Production). Ensure that compliance checks only flag log groups as non-compliant when their configuration deviates from the defined environment-specific rules. Support for handling multiple accounts and environments seamlessly.

Solution Proposed

Add a configuration file or parameter to specify retention rules for each environment. Update compliance logic to check against these rules during scans. Provide detailed output for any non-compliance based on environment-specific thresholds

Describe alternatives you've considered

This feature would be useful for organizations managing multiple cloud accounts with distinct compliance requirements for different environments. It ensures accurate reporting without false positives and better adherence to organizational policies.

Additional context

No response

Contributor Guide