Retention policy for flow logs should be enabled and set to greater than 90 days
Default Severity: low
Explanation
Flow logs are the source of truth for all network activity in your cloud environment. To enable analysis in security event that was detected late, you need to have the logs available.
Setting an retention policy will help ensure as much information is available for review.
Possible Impact
Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis
Suggested Resolution
Ensure flow log retention is turned on with an expiry of >90 days
Insecure Example
The following example will fail the azure-network-retention-policy-set check.
resource "azurerm_network_watcher_flow_log" "bad_watcher" {
network_watcher_name = "bad_watcher"
resource_group_name = "resource-group"
network_security_group_id = azurerm_network_security_group.test.id
storage_account_id = azurerm_storage_account.test.id
enabled = true
retention_policy {
enabled = true
days = 7
}
}
Secure Example
The following example will pass the azure-network-retention-policy-set check.
resource "azurerm_network_watcher_flow_log" "good_watcher" {
network_watcher_name = "good_watcher"
resource_group_name = "resource-group"
network_security_group_id = azurerm_network_security_group.test.id
storage_account_id = azurerm_storage_account.test.id
enabled = true
retention_policy {
enabled = true
days = 90
}
}