How do I restore or prevent deletion of logs or log groups in CloudWatch?

2 minute read

I want to restore or prevent deletion of logs or log groups in Amazon CloudWatch.

Short description

By default, CloudWatch logs are stored for an indefinite amount of time. Also by default, log groups are created with NeverExpire in the retention setting. You can configure the retention setting for the time period that you want the log data to be stored in the log group. When a new log group retention setting is set, data that's older than the new retention setting is deleted from the log group.

Note: When logs are removed due to a retention setting or manual deletion, they can't be recovered.


To prevent accidental deletion of CloudWatch logs or to export logs for long-term storage and backup, complete the following methods:

Modify the IAM permissions for the CloudWatch log groups

To prevent accidental deletion of CloudWatch logs, modify your AWS Identity and Access Management (IAM) permissions. Set the DeleteLogGroup, DeleteLogStream, and PutRetentionPolicy parameters to Deny in your permissions policy to prevent log data deletion.

Complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Users or Roles.
  3. From the list, choose the name of the user or role that you want to modify the policy for.
  4. Choose the Permissions tab, choose Add permissions , and then choose Create inline policy.
  5. Add the following policy statement or similar:
      "Version": "2012-10-17",
      "Statement": [
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
          "Resource": "*"

See Using identity-based policies (IAM policies) for CloudWatch Logs and CloudWatch Logs permissions reference for more information.

Export CloudWatch logs to an Amazon S3 bucket

For long-term storage, backup, and custom processing and analysis of log data, export CloudWatch logs to Amazon S3. You can also load this data onto other systems. For more information, see Exporting log data to Amazon S3.

Related information

CloudWatch Logs features

AWS OFFICIALUpdated 2 months ago