LOW
Source
Trivy
ID
AVD-AZU-0049

Retention policy for flow logs should be enabled and set to greater than 90 days

Flow logs are the source of truth for all network activity in your cloud environment.

To enable analysis of a security event that was detected late, you need to have the logs available.

Setting a retention policy will help ensure as much information as possible is available for review.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Ensure flow log retention is turned on with an expiry of >90 days

resource "azurerm_network_watcher_flow_log" "good_watcher" {
  network_watcher_name = "good_watcher"
  resource_group_name  = "resource-group"

  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 90
  }
}
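
The same rule can be checked against a rendered plan before it is applied. The following is an added example, not Trivy's code and not part of the original page: it walks the JSON produced by `terraform show -json <planfile>` and reports flow logs whose retention policy is disabled or too short. The sample plan, the resource names other than `good_watcher`, and the function names are constructed for illustration, and 90 days is assumed to be the minimum passing value, as in the passing configuration above.

```python
MIN_DAYS = 90  # assumption: 90 days passes, as in the page's passing example
FLOW_LOG = "azurerm_network_watcher_flow_log"

def flow_log(name, enabled, days, module=""):
    """Build one constructed resource entry in plan-JSON shape."""
    return {"address": f"{module}{FLOW_LOG}.{name}", "type": FLOW_LOG, "name": name,
            "values": {"enabled": True,
                       "retention_policy": [{"enabled": enabled, "days": days}]}}

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [flow_log("good_watcher", True, 90),
                  flow_log("short_retention", True, 30)],
    "child_modules": [{"address": "module.net", "resources": [
        flow_log("disabled_retention", False, 90, module="module.net.")]}],
}}}

def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_flow_log_retention(plan):
    """Return (address, reason) for each flow log that fails the retention rule."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != FLOW_LOG:
            continue
        # Nested blocks appear in plan JSON as a list of objects.
        blocks = (res.get("values") or {}).get("retention_policy") or []
        if not blocks:
            findings.append((res["address"], "no retention_policy block"))
            continue
        policy = blocks[0]
        days = policy.get("days") or 0  # absent or unknown value counts as 0
        if not policy.get("enabled"):
            findings.append((res["address"], "retention_policy disabled"))
        elif days < MIN_DAYS:
            findings.append((res["address"], f"retention of {days} days is below {MIN_DAYS}"))
    return findings

if __name__ == "__main__":
    for address, reason in check_flow_log_retention(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}")
```

To run it against a real plan, load the output of `terraform show -json` with `json.load` and pass the result to `check_flow_log_retention`.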