Short description
-----------------

By default, CloudWatch logs are stored for an indefinite amount of time. Also by default, log groups are created with **NeverExpire** in the retention setting. You can configure the [retention setting](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention) for the time period that you want the log data to be stored in the log group. When a new log group retention setting is set, data that's older than the new retention setting is deleted from the log group.

**Note:** When logs are removed due to a retention setting or manual deletion, they can't be recovered.

Resolution
----------

To prevent accidental deletion of CloudWatch logs or to export logs for long-term storage and backup, complete the following methods:

### Modify the IAM permissions for the CloudWatch log groups

To prevent accidental deletion of CloudWatch logs, modify your AWS Identity and Access Management (IAM) permissions. Set the [DeleteLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html), [DeleteLogStream](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html), and [PutRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutRetentionPolicy.html) parameters to **Deny** in your permissions policy to prevent log data deletion.

Complete the following steps:

1. Open the [IAM console](https://console.aws.amazon.com/iam/).
2. In the navigation pane, choose **Users or Roles**.
3. From the list, choose the name of the user or role that you want to modify the policy for.
4. Choose the **Permissions** tab, choose **Add permissions** , and then choose **Create inline policy**.
5. Add the following policy statement or similar:
    ```plaintext
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "logs:DeleteLogGroup",
            "logs:DeleteLogStream",
            "logs:PutRetentionPolicy"
          ],
          "Resource": "*"
        }
      ]
    }
    ```
    

See [Using identity-based policies (IAM policies) for CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html) and [CloudWatch Logs permissions reference](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html) for more information.

### Export CloudWatch logs to an Amazon S3 bucket

For long-term storage, backup, and custom processing and analysis of log data, export CloudWatch logs to Amazon S3. You can also load this data onto other systems. For more information, see [Exporting log data to Amazon S3](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html).

Related information
-------------------

[CloudWatch Logs features](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html#cloudwatch-logs-features)

I want to restore or prevent deletion of logs or log groups in Amazon CloudWatch.

Restore or prevent deletion of logs or log groups in CloudWatch

How do I restore or prevent deletion of logs or log groups in CloudWatch?

Short description

Resolution

Modify the IAM permissions for the CloudWatch log groups

Export CloudWatch logs to an Amazon S3 bucket

Related information

Relevant content