AWS::Logs::LogGroup - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


The AWS::Logs::LogGroup resource specifies a log group. A log group defines common properties for log streams, such as their retention and access control rules. Each log stream must belong to one log group.

You can create up to 1,000,000 log groups per Region per account. You must use the following guidelines when naming a log group:

  • Log group names must be unique within a Region for an Amazon account.

  • Log group names can be between 1 and 512 characters long.

  • Log group names consist of the following characters: a-z, A-Z, 0-9, '_' (underscore), '-' (hyphen), '/' (forward slash), and '.' (period).


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{ "Type" : "AWS::Logs::LogGroup", "Properties" : { "DataProtectionPolicy" : Json, "KmsKeyId" : String, "LogGroupClass" : String, "LogGroupName" : String, "RetentionInDays" : Integer, "Tags" : [ Tag, ... ] } }


Type: AWS::Logs::LogGroup Properties: DataProtectionPolicy: Json KmsKeyId: String LogGroupClass: String LogGroupName: String RetentionInDays: Integer Tags: - Tag



Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.

For more information, including a list of types of data that can be audited and masked, see Protect sensitive log data with masking.

Required: No

Type: Json

Update requires: No interruption


The Amazon Resource Name (ARN) of the Amazon KMS key to use when encrypting log data.

To associate an Amazon KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.

If you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an InvalidParameterException error.

Log group data is always encrypted in CloudWatch Logs. If you omit this key, the encryption does not use Amazon KMS. For more information, see Encrypt log data in CloudWatch Logs using Amazon Key Management Service

Required: No

Type: String

Pattern: ^arn:[a-z0-9-]+:kms:[a-z0-9-]+:\d{12}:(key|alias)/.+\Z

Maximum: 256

Update requires: No interruption


Specifies the log group class for this log group. There are two classes:

  • The Standard log class supports all CloudWatch Logs features.

  • The Infrequent Access log class supports a subset of CloudWatch Logs features and incurs lower costs.

For details about the features supported by each class, see Log classes

Required: No

Type: String


Update requires: Updates are not supported.


The name of the log group. If you don't specify a name, Amazon CloudFormation generates a unique ID for the log group.

Required: No

Type: String

Pattern: ^[.\-_/#A-Za-z0-9]{1,512}\Z

Minimum: 1

Maximum: 512

Update requires: Replacement


The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.

To set a log group so that its log events do not expire, use DeleteRetentionPolicy.

Required: No

Type: Integer

Allowed values: 1 | 3 | 5 | 7 | 14 | 30 | 60 | 90 | 120 | 150 | 180 | 365 | 400 | 545 | 731 | 1096 | 1827 | 2192 | 2557 | 2922 | 3288 | 3653

Update requires: No interruption


An array of key-value pairs to apply to the log group.

For more information, see Tag.

Required: No

Type: Array of Tag

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The ARN of the log group, such as arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*


Create a log group

The following example creates a log group that retains events for 7 days.


"myLogGroup": { "Type": "AWS::Logs::LogGroup", "Properties": { "RetentionInDays": 7 } }


myLogGroup: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 7

Create a log group with a data protection policy

The following example creates a log group that uses a data protection policy to mask email addresses, and send audit findings to CloudWatch Logs, Firehose, and Amazon S3.


"TestLogGroupDescription": { "Type": "AWS::Logs::LogGroup", "Properties": { "LogGroupName": "my-log-group", "DataProtectionPolicy": { "Name": "data-protection-policy", "Description": "test description", "Version": "2021-06-01", "Statement": [{ "Sid": "audit-policy test", "DataIdentifier": [ "arn:aws:dataprotection::aws:data-identifier/EmailAddress", "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US" ], "Operation": { "Audit": { "FindingsDestination": { "CloudWatchLogs": { "LogGroup": "EXISTING_LOG_GROUP_IN_YOUR_ACCOUNT" }, "Firehose": { "DeliveryStream": "EXISTING_STREAM_IN_YOUR_ACCOUNT" }, "S3": { "Bucket": "EXISTING_BUCKET" } } } } }, { "Sid": "redact-policy", "DataIdentifier": [ "arn:aws:dataprotection::aws:data-identifier/EmailAddress", "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US" ], "Operation": { "Deidentify": { "MaskConfig": {} } } } ] } } }


TestLogGroupDescription: Type: AWS::Logs::LogGroup Properties: LogGroupName: my-log-group DataProtectionPolicy: Name: data-protection-policy Description: test description Version: '2021-06-01' Statement: - Sid: audit-policy test DataIdentifier: - arn:aws:dataprotection::aws:data-identifier/EmailAddress - arn:aws:dataprotection::aws:data-identifier/DriversLicense-US Operation: Audit: FindingsDestination: CloudWatchLogs: LogGroup: EXISTING_LOG_GROUP_IN_YOUR_ACCOUNT Firehose: DeliveryStream: EXISTING_STREAM_IN_YOUR_ACCOUNT S3: Bucket: EXISTING_BUCKET - Sid: redact-policy DataIdentifier: - arn:aws:dataprotection::aws:data-identifier/EmailAddress - arn:aws:dataprotection::aws:data-identifier/DriversLicense-US Operation: Deidentify: MaskConfig: {}