AWS::Logs::LogGroup - AWS CloudFormation

AWS::Logs::LogGroup

The AWS::Logs::LogGroup resource specifies a log group. A log group defines common properties for log streams, such as their retention and access control rules. Each log stream must belong to one log group.

You can create up to 1,000,000 log groups per Region per account. You must use the following guidelines when naming a log group:

  • Log group names must be unique within a Region for an AWS account.

  • Log group names can be between 1 and 512 characters long.

  • Log group names consist of the following characters: a-z, A-Z, 0-9, '_' (underscore), '-' (hyphen), '/' (forward slash), and '.' (period).

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Logs::LogGroup", "Properties" : { "KmsKeyId" : String, "LogGroupName" : String, "RetentionInDays" : Integer, "Tags" : [ Tag, ... ] } }

YAML

Type: AWS::Logs::LogGroup Properties: KmsKeyId: String LogGroupName: String RetentionInDays: Integer Tags: - Tag

Properties

KmsKeyId

The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data.

To associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.

If you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an InvalidParameterException error.

Log group data is always encrypted in CloudWatch Logs. If you omit this key, the encryption does not use AWS KMS. For more information, see Encrypt log data in CloudWatch Logs using AWS Key Management Service

Required: No

Type: String

Maximum: 256

Update requires: No interruption

LogGroupName

The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.

Required: No

Type: String

Minimum: 1

Maximum: 512

Pattern: [\.\-_/#A-Za-z0-9]+

Update requires: Replacement

RetentionInDays

The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, and 3653.

To set a log group so that its log events do not expire, use DeleteRetentionPolicy.

Required: No

Type: Integer

Update requires: No interruption

Tags

An array of key-value pairs to apply to the log group.

For more information, see Tag.

Required: No

Type: List of Tag

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The ARN of the log group, such as arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*

Examples

Create a Log Group

The following example creates a log group that retains events for 7 days.

JSON

"myLogGroup": { "Type": "AWS::Logs::LogGroup", "Properties": { "RetentionInDays": 7 } }

YAML

myLogGroup: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 7