DEV Community

Cover image for Automate AWS CloudWatch Log Retention with Bash: Save Costs & Stay Compliant
alok shankar
alok shankar

Posted on

Automate AWS CloudWatch Log Retention with Bash: Save Costs & Stay Compliant

#devops #aws #linux #cloud

๐Ÿ”น Introduction :

Managing CloudWatch log groups is a critical part of maintaining operational efficiency and cost control in AWS. However, it's easy to overlook retention settings โ€” especially when log groups are created automatically by various AWS services. Without a defined retention period, logs accumulate indefinitely, leading to increased storage costs and unnecessary clutter.

In this blog, Iโ€™ll walk through streamlined approach to automatically detect CloudWatch log groups without a retention policy, update them to a 30-day retention period, and generate an HTML report delivered straight to your inbox.

The solution is powered by a simple Bash script that leverages the AWS CLI and standard Linux utilities โ€” making it easy to integrate into any DevOps workflow.

Whether you're a cloud engineer trying to stay compliant or just looking to reduce AWS costs, this automated approach will save time, improve visibility, and ensure consistent log management across your environment.

๐Ÿ”น Challenges Faced in Manual Process:
Manually managing log retention policies in AWS is like trying to clean every file cabinet in a skyscraperโ€”painful, slow, and error-prone. Some of the common problems:

โŒ You can't visually identify which logs lack retention
โŒ You have to click through each log group in the AWS Console
โŒ Thereโ€™s no built-in notification when retention is missing
โŒ Risk of accumulating terabytes of unused logs

So I thought โ€” โ€œWhy not automate the boring stuff?โ€

๐Ÿ”น Benefits of Automating CloudWatch Retention Updates
Automating retention policies brings a whole bouquet of benefits:

๐ŸŒŸ Cost Control โ€“ Say goodbye to ever-growing log storage bills
๐Ÿ” Audit Friendly โ€“ Track what's changed, when, and how
๐Ÿ“ง Proactive Alerting โ€“ Get email summaries with detailed tables
๐Ÿงน Cleaner Environment โ€“ Consistent retention policies = better hygiene
โฑ๏ธ Time Saved โ€“ No more manual clicking or forgetfulness

๐Ÿ”น Prerequisites
Before I dive in, make sure you have the following:

  1. - An AWS account with access to CloudWatch
  2. - IAM permissions to read and update log groups
  3. - AWS CLI configured on your machine
  4. - Bash shell environment (Linux or macOS)
  5. - Tools like jq, sendmail, mailutils installed

๐Ÿ”น Step 1: Install AWS CLI
If you havenโ€™t installed the AWS CLI yet, follow the steps below:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Then configure your credentials:
aws configure

๐Ÿ”น Step 2: Install Dependencies
Youโ€™ll also need jq and sendmail for parsing and email delivery:

sudo apt install jq mailutils -y

๐Ÿ”น Step 3: Create IAM Policy as per below , attached to IAM role and assign that role to EC2 instance.

Youโ€™ll need the following IAM permissions to make it work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeLogGroups",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PutRetentionPolicy",
      "Effect": "Allow",
      "Action": "logs:PutRetentionPolicy",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchMetricsAccess",
      "Effect": "Allow",
      "Action": "cloudwatch:GetMetricStatistics",
      "Resource": "*"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Permissions include:

  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutRetentionPolicy
  • cloudwatch:GetMetricStatistics

Image description

๐Ÿ”น Step 4: Clone the GitHub Repository
Instead of writing the script manually, you can simply clone the prebuilt GitHub repository that includes the script, required IAM policy, and a README.
git clone https://github.com/alokshanhbti/cloudwatch-retention-update.git
cd cloudwatch-retention-update

Inside the folder, youโ€™ll find:

  1. cloudwatch-retention-update.sh โ€“ The automation script
  2. iam-policy.json โ€“ IAM policy required for permissions
  3. README.md โ€“ Full documentation and usage instructions

๐Ÿ”น Step 5: Make the Script Executable
After saving the script, make it executable with:
chmod +x cloudwatch-retention-update.sh

๐Ÿ”น Step 6: Run the Script
Simply execute:
./cloudwatch-retention-update.sh

The script will log activity to a file, apply changes, and email the report to the address you specify.

๐Ÿ”น Step 7: Script Flow
Hereโ€™s how the script works behind the scenes:

๐Ÿ” Scan CloudWatch for log groups with no retention
๐Ÿง  Fetch metadata: log group name, retention, last event, service name, and storage
โœ๏ธ Update retention to 30 days using put-retention-policy
๐Ÿ“จ Generate HTML email with two colorful tables:
Before update
After update
๐Ÿ“ฌ Send email via sendmail with all details

๐Ÿ”น Step 8: Screen shots of email and logs

Email part Before update :

Image description

Email part After update :

Image description

Logs :

Image description

๐Ÿ”น Conclusion

Automating CloudWatch log retention is a simple yet highly effective way to maintain a clean, cost-efficient, and compliant cloud environment. With this Bash script, you can easily identify log groups without retention settings, apply a consistent 30-day policy, and receive a well-formatted email report โ€” all with minimal effort and zero manual intervention.

This solution not only improves visibility and governance but also frees up your time to focus on higher-value tasks.

Thank you for reading!
If this script helps improve your cloud hygiene, feel free to share it with your team or contribute to the project.

๐Ÿ“‚ Access the GitHub Repository Here:

GitHub logo alokshanhbti / cloudwatch-retention-update

cloudwatch-retention-update repo that audits AWS CloudWatch log groups with no retention period and updates them to 30-day retention and sends email

๐Ÿ“Š CloudWatch Log Retention Manager

cloudwatch-retention-update.sh is a Bash script that audits AWS CloudWatch log groups with no retention period set, updates them to a 30-day retention, and sends a HTML email report containing color-coded tables.

๐Ÿ”ง Features

โœ… Identifies log groups without retention
โœ… Fetches last log date, associated AWS service, and storage usage (in GB)
โœ… Applies a 30-day retention policy
โœ… Sends an HTML email via sendmail with:

  • ๐Ÿ“‹ Before Update Table
  • โœ… After Update Table

๐Ÿ“ Script Overview

  • ๐Ÿ“‚ Log Group Scan โ€” Uses aws logs describe-log-groups and jq to filter targets
  • โณ Retention Status โ€” Detects null retention policies
  • ๐Ÿ“… Last Log Timestamp โ€” Uses describe-log-streams
  • ๐Ÿ’พ Storage Usage (GB) โ€” Uses cloudwatch:GetMetricStatistics for StoredBytes
  • ๐Ÿ“ง HTML Email Report โ€” Sends two HTML tables (before & after) with colors

๐Ÿš€ Usage

Step 1: Make it executable

chmod +x cloudwatch-retention-update.sh
Enter fullscreen mode Exit fullscreen mode

Step

โ€ฆ
View on GitHub

Happy automating! ๐Ÿš€

Top comments (0)