I want to restore or prevent deletion of logs or log groups in Amazon CloudWatch.
Short description
By default, Amazon CloudWatch Logs stores log data indefinitely, and the data never expires. If you modify a log group's retention setting, then CloudWatch Logs keeps the data only for that retention period and then deletes it from the log group. You can set the retention for each log group separately: keep the default setting to retain logs indefinitely, or choose a retention period between one day and 10 years.
Note: You can't recover logs that were deleted, or that expired under a retention policy. AWS can't recover the logs either.
Resolution
To control who can access CloudWatch logs or export logs for long-term storage and backup, complete the following procedures.
Modify IAM permissions for the CloudWatch log groups
Complete the following steps:
- Open the AWS Identity and Access Management (IAM) console.
- In the navigation pane, choose Users or Roles.
- From the list, select the IAM user or role whose policy you want to modify.
- Choose the Permissions tab, and then choose Add permissions.
- Choose Create inline policy, and then enter a policy statement similar to the following to deny the DeleteLogGroup, DeleteLogStream, and PutRetentionPolicy actions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "*"
        }
    ]
}
After you apply this IAM policy, the user or role can't delete log groups or log streams, or change retention settings, on any log group. An explicit Deny overrides any Allow that the principal's other policies grant, so the restriction holds even for a principal that otherwise has logs:* permissions. The policy protects only the users and roles that it's attached to; other principals with logs:DeleteLogGroup permission can still delete log groups. For more information, see Using identity-based policies (IAM policies) for CloudWatch Logs and CloudWatch Logs permissions reference.
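The following script is an added example, not part of this AWS article, that checks the Deny policy above offline before you attach it. It implements the part of IAM evaluation that matters here (an explicit Deny wins over any Allow, and action names match case-insensitively with wildcards) and reports which destructive CloudWatch Logs actions a set of policies still permits. The OPERATOR_POLICY and the evaluate and unprotected_actions functions are constructed for this example; conditions, resource ARNs, NotAction, SCPs and permission boundaries are not modelled, so use the IAM policy simulator for a full answer.

```python
import fnmatch
import json

# The inline policy from the procedure above, loaded from its JSON text.
DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": ["logs:DeleteLogGroup", "logs:DeleteLogStream", "logs:PutRetentionPolicy"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed for this example: a broad operator policy that, on its own,
# would permit deleting log groups and changing retention.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}

PROTECTED_ACTIONS = ("logs:DeleteLogGroup", "logs:DeleteLogStream", "logs:PutRetentionPolicy")


def _as_list(value):
    """IAM lets 'Action' be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and accept '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Simplified IAM evaluation: any matching explicit Deny wins regardless of
    policy order; otherwise any matching Allow allows; otherwise the request
    is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def unprotected_actions(policies, actions=PROTECTED_ACTIONS):
    """List the destructive actions that the given policies still permit."""
    return [a for a in actions if evaluate(policies, a) == "Allow"]


if __name__ == "__main__":
    print("operator policy only:", unprotected_actions([OPERATOR_POLICY]))
    print("operator + deny:     ", unprotected_actions([OPERATOR_POLICY, DENY_POLICY]))
```

With only the operator policy attached, all three destructive actions are reported as permitted; adding the Deny policy empties the list while read-only actions such as logs:DescribeLogGroups remain allowed.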
(Optional) Turn on deletion protection
You can turn on deletion protection to prevent accidental deletion of log groups. By default, deletion protection is off.
Export CloudWatch logs to an Amazon S3 bucket
Export CloudWatch log data to an Amazon Simple Storage Service (Amazon S3) bucket for long-term storage, backup, and custom processing and analysis of log data. You can then load this data into other systems. An export task copies the log data that exists in the time range you specify when you create the task; it isn't a continuous feed, so schedule exports regularly if you want an ongoing archive.
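The following script is an added example, not part of this AWS article, that shows the two pieces an export needs: the S3 bucket policy that lets the CloudWatch Logs service principal write into the bucket (mirroring the policy shape in the AWS export documentation, with an aws:SourceAccount condition added), and the CreateExportTask parameters, whose time window is in epoch milliseconds rather than seconds. The log group, bucket, Region and account ID are constructed placeholders; submit_export calls boto3 and needs credentials, while everything else runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed placeholder values; replace them with your own log group,
# bucket, Region and account ID. Per the AWS export docs the bucket must be
# in the same Region as the log group.
LOG_GROUP = "/aws/lambda/example-function"
BUCKET = "example-log-archive-bucket"
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
EXAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXAMPLE_END = datetime(2024, 1, 2, tzinfo=timezone.utc)


def to_epoch_ms(dt):
    """CreateExportTask takes epoch milliseconds; passing seconds yields an empty export."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the export window is unambiguous")
    return int(dt.timestamp() * 1000)


def export_task_params(log_group, start, end, bucket, prefix):
    """Keyword arguments for boto3's logs.create_export_task().

    boto3 exposes the API's 'from' field as 'fromTime' because 'from' is a
    Python keyword.
    """
    start_ms, end_ms = to_epoch_ms(start), to_epoch_ms(end)
    if end_ms <= start_ms:
        raise ValueError("end must be later than start")
    task_name = f"{log_group.strip('/').replace('/', '-')}-{start:%Y%m%d}-{end:%Y%m%d}"
    return {
        "taskName": task_name,
        "logGroupName": log_group,
        "fromTime": start_ms,
        "to": end_ms,
        "destination": bucket,
        "destinationPrefix": prefix,
    }


def bucket_policy(bucket, region, account_id):
    """Bucket policy that lets the CloudWatch Logs service write the export.

    The service principal needs s3:GetBucketAcl on the bucket and s3:PutObject
    on its objects with the bucket-owner-full-control ACL. The aws:SourceAccount
    condition limits the grant to exports started from your own account.
    """
    principal = {"Service": f"logs.{region}.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            },
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": account_id,
                    }
                },
            },
        ],
    }


def submit_export(params):
    """Submit the export task and return its taskId (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the rest of the module runs offline

    client = boto3.client("logs", region_name=REGION)
    return client.create_export_task(**params)["taskId"]


if __name__ == "__main__":
    params = export_task_params(LOG_GROUP, EXAMPLE_START, EXAMPLE_END, BUCKET, "exports/example-function")
    print(json.dumps(params, indent=2))
    print(json.dumps(bucket_policy(BUCKET, REGION, ACCOUNT_ID), indent=2))
```

Apply the generated bucket policy to the destination bucket first, then pass the parameters to submit_export; one export task runs per log group, so loop over export_task_params for each group you want archived.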