# CloudWatch Rules
These rules find CloudWatch log groups and streams that accumulate cost without being actively used or bounded by a retention policy.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-CLOUDWATCH-1 | Discovery | CloudWatch Log Group Missing Retention |
| CLDBRN-AWS-CLOUDWATCH-2 | Discovery | CloudWatch Unused Log Streams |
## CLDBRN-AWS-CLOUDWATCH-1

**CloudWatch Log Group Missing Retention**

Scan type: Discovery

### What it checks

Flags CloudWatch log groups that have no retention policy set. Without a retention period, log data is stored indefinitely and you are billed for all accumulated storage.

Log groups whose log class is `DELIVERY` are excluded because they are managed by AWS and users cannot configure retention on them.
### Why it matters
CloudWatch Logs storage costs $0.03 per GB per month. Log groups without retention can grow without bound, especially for high-volume services like VPC Flow Logs, API Gateway access logs, or Lambda functions. A log group running for a year without retention can accumulate hundreds of gigabytes before anyone notices.
### What triggers a finding

`retentionInDays` is undefined AND the log group class is not `DELIVERY`.
### How to remediate

Set a retention period on the log group. Choose a value that meets your compliance requirements — common values are 7, 14, 30, 90, or 365 days. You can set retention via the AWS Console, CLI, or your IaC tool:

```bash
aws logs put-retention-policy \
  --log-group-name /your/log-group \
  --retention-in-days 30
```
## CLDBRN-AWS-CLOUDWATCH-2

**CloudWatch Unused Log Streams**

Scan type: Discovery

### What it checks

Flags CloudWatch log streams within log groups that have never received any log events. These streams occupy storage and add clutter without providing any value.

Log streams within log groups whose log class is `DELIVERY` are excluded.
### Why it matters
Empty log streams contribute to storage costs (even if small individually) and make it harder to find relevant logs. Services that create log streams speculatively — before a function or container runs — can leave behind dozens or hundreds of empty streams per log group.
### What triggers a finding

All three stream timestamps are undefined: `firstEventTimestamp`, `lastEventTimestamp`, and `lastIngestionTime`. A stream with any one of these timestamps set has received at least one event and is not flagged.
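The trigger conditions for both rules (CLDBRN-AWS-CLOUDWATCH-1 above and CLDBRN-AWS-CLOUDWATCH-2 here) reduce to a few field checks on the `DescribeLogGroups` and `DescribeLogStreams` responses. The following is an added example in Python, not CloudBurn's own implementation: it encodes both rules as pure functions over records shaped like the boto3 responses and runs them over constructed sample data, including the two edge cases the text calls out (a `DELIVERY`-class group, and a stream that has only `lastIngestionTime` set).

```python
# Added example: detection logic for CLDBRN-AWS-CLOUDWATCH-1 and -2 in pure Python.
# Illustrative code, not CloudBurn's implementation. Records mirror the shape of the
# AWS DescribeLogGroups / DescribeLogStreams responses as boto3 returns them; every
# sample record below is constructed.

DELIVERY_CLASS = "DELIVERY"
EVENT_TIMESTAMP_KEYS = ("firstEventTimestamp", "lastEventTimestamp", "lastIngestionTime")


def group_missing_retention(group: dict) -> bool:
    """CLDBRN-AWS-CLOUDWATCH-1: no retentionInDays and the log class is not DELIVERY.

    The API omits the retentionInDays key entirely when no policy is set, so .get() is used.
    """
    if group.get("logGroupClass") == DELIVERY_CLASS:
        return False
    return group.get("retentionInDays") is None


def stream_is_empty(stream: dict) -> bool:
    """CLDBRN-AWS-CLOUDWATCH-2: all three event timestamps are absent.

    A stream with any one of them set has received at least one event and is not flagged.
    """
    return all(stream.get(key) is None for key in EVENT_TIMESTAMP_KEYS)


def find_groups_missing_retention(groups: list[dict]) -> list[str]:
    """Return the names of log groups that trigger CLDBRN-AWS-CLOUDWATCH-1."""
    return [g["logGroupName"] for g in groups if group_missing_retention(g)]


def find_empty_streams(group: dict, streams: list[dict]) -> list[tuple[str, str]]:
    """Return (logGroupName, logStreamName) pairs that trigger CLDBRN-AWS-CLOUDWATCH-2.

    Streams in DELIVERY-class groups are skipped entirely, matching the rule's exclusion.
    """
    if group.get("logGroupClass") == DELIVERY_CLASS:
        return []
    return [(group["logGroupName"], s["logStreamName"]) for s in streams if stream_is_empty(s)]


# Constructed sample data: four log groups, two of which should be flagged.
SAMPLE_GROUPS = [
    {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30, "logGroupClass": "STANDARD"},
    {"logGroupName": "/aws/vpc/flow-logs", "logGroupClass": "STANDARD"},             # no retention
    {"logGroupName": "/aws/lambda/checkout", "logGroupClass": "INFREQUENT_ACCESS"},  # no retention
    {"logGroupName": "/aws/delivery/example", "logGroupClass": "DELIVERY"},          # excluded
]

# Constructed sample streams for /aws/lambda/orders: only the second one is empty.
SAMPLE_STREAMS = [
    {"logStreamName": "2024/01/01/[$LATEST]aaa", "creationTime": 1704067200000,
     "firstEventTimestamp": 1704067260000, "lastEventTimestamp": 1704067320000,
     "lastIngestionTime": 1704067321000},
    {"logStreamName": "2024/01/02/[$LATEST]bbb", "creationTime": 1704153600000},
    # Ingested, but the event timestamps have not been reported yet: still not empty.
    {"logStreamName": "2024/01/03/[$LATEST]ccc", "creationTime": 1704240000000,
     "lastIngestionTime": 1704240010000},
]


def run_sample_scan() -> dict:
    """Run both rules over the constructed data and return the findings keyed by rule ID."""
    return {
        "CLDBRN-AWS-CLOUDWATCH-1": find_groups_missing_retention(SAMPLE_GROUPS),
        "CLDBRN-AWS-CLOUDWATCH-2": find_empty_streams(SAMPLE_GROUPS[0], SAMPLE_STREAMS),
    }


if __name__ == "__main__":
    for rule_id, hits in run_sample_scan().items():
        print(rule_id, hits)
```

Against a live account you would feed the same functions from boto3's paginators: each page of `client.get_paginator("describe_log_groups").paginate()` carries a `logGroups` list, and `describe_log_streams` is paginated per group with `logGroupName=...`. The third sample stream is the case worth remembering: `lastIngestionTime` alone is enough to clear a stream, so a detector that only checks `firstEventTimestamp` would over-report.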
### How to remediate

Delete empty log streams. You can do this in bulk using the AWS CLI:

```bash
aws logs delete-log-stream \
  --log-group-name /your/log-group \
  --log-stream-name empty-stream-name
```
For large-scale cleanup, use the CloudBurn CLI output to get the full list of affected streams, then script the deletion.
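Scripting the cleanup is where mistakes become expensive, so the remediation for both rules is best run as a reviewable action list with a dry-run default. The following is an added example in Python, not CloudBurn's own tooling: `plan_remediation` turns findings into explicit `put_retention_policy` and `delete_log_stream` actions, `apply_remediation` executes them only when dry run is switched off, and the `client` is duck-typed so the block runs offline against the constructed `FakeLogsClient`; with boto3 you would pass `boto3.client("logs")` instead.

```python
# Added example: dry-run-first remediation for CLDBRN-AWS-CLOUDWATCH-1 and -2.
# Illustrative code, not CloudBurn's tooling. The client is duck-typed: the constructed
# FakeLogsClient below records calls so the block runs offline; boto3.client("logs")
# exposes put_retention_policy and delete_log_stream with the same keyword arguments.

# Retention values accepted by PutRetentionPolicy (from the CloudWatch Logs API reference).
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}


def plan_remediation(groups_missing_retention, empty_streams, retention_days=30):
    """Turn findings into an explicit action list that can be reviewed before applying.

    groups_missing_retention: log group names flagged by CLDBRN-AWS-CLOUDWATCH-1.
    empty_streams: (logGroupName, logStreamName) pairs flagged by CLDBRN-AWS-CLOUDWATCH-2.
    """
    if retention_days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{retention_days} is not a retention value the API accepts")
    actions = [("put_retention_policy", {"logGroupName": g, "retentionInDays": retention_days})
               for g in groups_missing_retention]
    actions += [("delete_log_stream", {"logGroupName": g, "logStreamName": s})
                for g, s in empty_streams]
    return actions


def apply_remediation(client, actions, dry_run=True):
    """Execute the actions against the client; return how many ran (0 in dry-run mode)."""
    executed = 0
    for name, params in actions:
        if dry_run:
            print("DRY RUN:", name, params)
            continue
        # Same call shape as boto3, e.g. client.delete_log_stream(logGroupName=..., logStreamName=...)
        getattr(client, name)(**params)
        executed += 1
    return executed


class FakeLogsClient:
    """Constructed stand-in for boto3's logs client that only records the calls it receives."""

    def __init__(self):
        self.calls = []

    def put_retention_policy(self, **params):
        self.calls.append(("put_retention_policy", params))

    def delete_log_stream(self, **params):
        self.calls.append(("delete_log_stream", params))


# Constructed findings, in the form a scan of the two rules would produce.
SAMPLE_GROUPS_MISSING_RETENTION = ["/aws/vpc/flow-logs", "/aws/lambda/checkout"]
SAMPLE_EMPTY_STREAMS = [("/aws/lambda/orders", "2024/01/02/[$LATEST]bbb")]


def run_sample_remediation(dry_run=True):
    """Plan and (optionally) apply the sample findings; return (actions, executed, client)."""
    client = FakeLogsClient()
    actions = plan_remediation(SAMPLE_GROUPS_MISSING_RETENTION, SAMPLE_EMPTY_STREAMS, 30)
    executed = apply_remediation(client, actions, dry_run=dry_run)
    return actions, executed, client


if __name__ == "__main__":
    actions, executed, _ = run_sample_remediation(dry_run=True)
    print(f"planned {len(actions)} actions, executed {executed}")
```

Two design choices matter here. The retention value is validated against the set the API accepts before any call is made, so a typo such as 31 fails the whole plan rather than the last action. And the plan is data, not side effects: it can be diffed against the CloudBurn CLI output, reviewed, and only then applied, which is also the natural place to add the retry and backoff that a large batch of `DeleteLogStream` calls will need under API throttling.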
## See Also
- CLI discover command — scan live CloudWatch resources
- SDK Reference — run discovery programmatically