Protecting log groups from deletion
Enabling deletion protection
You can enable deletion protection when creating a new log group or on an existing log group. During log group creation, select "Enabled deletion protection" in the console, or pass the --deletion-protection-enabled parameter when using the AWS CLI. By default, deletion protection is not enabled.
Deletion protection is a guardrail against accidental or scripted deletion, not an access control: any principal permitted to disable it can remove it and then delete the log group, so restrict that permission in IAM and monitor for changes to it.
To enable or disable deletion protection on an existing log group (console)
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- In the navigation pane, choose Log groups.
- Select the log group you want to protect.
- Choose Actions, Edit deletion protection.
- In the dialog box, review and then submit changes.
If using the AWS CLI, to enable deletion protection on an existing log group:
    aws logs put-log-group-deletion-protection \
        --log-group-identifier "/my-application/logs" \
        --deletion-protection-enabled
To remove deletion protection from an existing log group:
    aws logs put-log-group-deletion-protection \
        --log-group-identifier "/my-application/logs" \
        --no-deletion-protection-enabled
Error handling
If you attempt to delete a log group with deletion protection enabled, you receive a ValidationException with the message: "Cannot delete log group with deletion protection enabled. Disable deletion protection first."
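The following shell script is an added example, not code from the AWS documentation. It wraps the CLI commands above: one function enables deletion protection on a list of log groups and reports which ones failed, and another deletes a log group but refuses to bypass deletion protection unless the caller explicitly passes "force", in which case it disables protection as a separate call before deleting. It assumes the aws CLI is installed and credentials and region are configured in the usual way; the log group names are placeholders, and the exact wording of the error text it matches on is taken from the message quoted above.

```shell
#!/usr/bin/env sh
# Added example (not AWS documentation code). Assumes `aws` is on PATH with
# credentials/region configured. Log group names are placeholders.
set -u

# Enable deletion protection on every log group identifier given.
# Returns 0 if all succeeded, 1 if any call failed.
protect_log_groups() {
    failed=0
    for group in "$@"; do
        if aws logs put-log-group-deletion-protection \
                --log-group-identifier "$group" \
                --deletion-protection-enabled >/dev/null 2>&1; then
            echo "protected: $group"
        else
            echo "FAILED to protect: $group" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Delete a log group. If the delete is rejected because deletion protection
# is enabled, stop and report (exit 2) unless the second argument is "force",
# in which case protection is removed with a separate API call and the delete
# is retried. Keeping the two calls separate means the removal of protection
# is its own API event (visible in CloudTrail where that is enabled).
# Exit codes: 0 deleted, 2 blocked by deletion protection, 1 other error.
delete_log_group() {
    group=$1
    mode=${2:-}
    # Capture only stderr; the CLI prints the ValidationException there.
    err=$(aws logs delete-log-group --log-group-name "$group" 2>&1 >/dev/null)
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "deleted: $group"
        return 0
    fi
    case "$err" in
        *"deletion protection enabled"*)
            if [ "$mode" != "force" ]; then
                echo "blocked: $group has deletion protection enabled;" \
                     "rerun with 'force' to disable it first" >&2
                return 2
            fi
            aws logs put-log-group-deletion-protection \
                --log-group-identifier "$group" \
                --no-deletion-protection-enabled >/dev/null || return 1
            aws logs delete-log-group --log-group-name "$group" >/dev/null || return 1
            echo "deleted (protection removed first): $group"
            return 0
            ;;
        *)
            echo "error deleting $group: $err" >&2
            return 1
            ;;
    esac
}

# Usage (only runs when invoked with a subcommand):
#   sh loggroup-protect.sh protect /my-application/logs /other/logs
#   sh loggroup-protect.sh delete /my-application/logs [force]
case "${1:-}" in
    protect) shift; protect_log_groups "$@" ;;
    delete)  shift; delete_log_group "$@" ;;
esac
```

The exit code 2 for "blocked" is deliberate so that automation can distinguish "refused to bypass a guardrail" from a genuine API failure and page a human rather than retry.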