Are your CloudWatch costs getting out of hand? Here is how you can manage them by setting a lower retention window.

Lower CloudWatch Costs

The following shell script uses jq and the AWS CLI to find all log groups with a retention of more than 7 days, and sets the retention for those log groups to 7 days in batch mode.

With this, AWS automatically clears all logs that are older than 7 days. You can adjust the retention number (in this example, 7) to suit your use case, depending on how long you need your logs.

--

If you are creating an AWS ELB using a Kubernetes Ingress file, you might be using an Ingress YAML like the following.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-1:*********
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/healthcheck-path: /index.htm
    alb.ingress.kubernetes.io/target-type: ip

If you don't specify alb.ingress.kubernetes.io/ssl-policy, the ALB defaults to ELBSecurityPolicy-2016-08. ELBSecurityPolicy-2016-08 supports TLS 1.0 and 1.1, which are out-of-date protocols that leave it open to vulnerabilities.

It is recommended that you use an ELB security policy such as ELBSecurityPolicy-TLS-1-2-Ext-2018-06, which supports TLS 1.2, by setting the annotation alb.ingress.kubernetes.io/ssl-policy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06', as shown in the snippet above.
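An added example (not from the original post): a Python audit over the output of `kubectl get ingress --all-namespaces -o json` that lists ALB Ingresses with an HTTPS listener whose ssl-policy annotation is missing or set to ELBSecurityPolicy-2016-08. The sample data and the ARN placeholder are constructed, and treating a certificate-arn without listen-ports as an HTTPS listener is an assumption about the controller's defaults.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"
DEFAULT_POLICY = "ELBSecurityPolicy-2016-08"  # ALB default named in the article
WEAK_POLICIES = {DEFAULT_POLICY}              # extend with policies you disallow
ALB = {"kubernetes.io/ingress.class": "alb"}
# Constructed sample shaped like `kubectl get ingress --all-namespaces -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "test-ingress", "namespace": "web", "annotations": {
        **ALB, PREFIX + "listen-ports": '[{"HTTPS":443}]',
        PREFIX + "ssl-policy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}}},
    {"metadata": {"name": "legacy", "namespace": "web", "annotations": {
        **ALB, PREFIX + "listen-ports": '[{"HTTP":80},{"HTTPS":443}]'}}},
    {"metadata": {"name": "pinned-old", "namespace": "api", "annotations": {
        **ALB, PREFIX + "certificate-arn": "arn:aws:acm:PLACEHOLDER",
        PREFIX + "ssl-policy": DEFAULT_POLICY}}},
    {"metadata": {"name": "http-only", "namespace": "api", "annotations": {
        **ALB, PREFIX + "listen-ports": '[{"HTTP":80}]'}}},
]})


def serves_https(ann):
    """True if the annotations give the ALB an HTTPS listener."""
    ports = ann.get(PREFIX + "listen-ports")
    if ports is None:
        # Assumption: with no listen-ports, a certificate-arn implies HTTPS:443.
        return PREFIX + "certificate-arn" in ann
    return any("HTTPS" in listener for listener in json.loads(ports))


def audit(kubectl_json):
    """Return (namespace, name, effective_policy, reason) per weak ALB Ingress."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        if ann.get("kubernetes.io/ingress.class") != "alb" or not serves_https(ann):
            continue
        policy = ann.get(PREFIX + "ssl-policy")
        effective = policy or DEFAULT_POLICY  # missing annotation means the default
        if effective in WEAK_POLICIES:
            reason = "explicit" if policy else "annotation missing"
            findings.append((meta.get("namespace"), meta.get("name"), effective, reason))
    return findings


if __name__ == "__main__":
    for ns, name, policy, reason in audit(SAMPLE):
        print(f"{ns}/{name}: {policy} ({reason})")
```

To audit a live cluster, pass the output of that kubectl command to `audit()` in place of `SAMPLE`.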

--
