@composurecdk/logs

CloudWatch Logs builders for ComposureCDK.

This package provides a fluent builder for CloudWatch log groups with secure, AWS-recommended defaults. It wraps the CDK LogGroup construct — refer to the CDK documentation for the full set of configurable properties.

Log Group Builder

import { createLogGroupBuilder } from "@composurecdk/logs";

const logGroup = createLogGroupBuilder().logGroupName("/my-app/api").build(stack, "ApiLogs");

Every LogGroupProps property is available as a fluent setter on the builder.

Secure Defaults

createLogGroupBuilder applies the following defaults. Each can be overridden via the builder's fluent API.

| Property | Default | Rationale | | --------------- | ----------- | ------------------------------------------------------------------------------- | | retention | TWO_YEARS | Prevents unbounded log accumulation while preserving a meaningful audit window. | | removalPolicy | RETAIN | Logs are audit records that should survive infrastructure teardown. |

These defaults are guided by the AWS Well-Architected Security Pillar — SEC04-BP01.

The defaults are exported as LOG_GROUP_DEFAULTS for visibility and testing:

import { LOG_GROUP_DEFAULTS } from "@composurecdk/logs";

Overriding defaults

import { RemovalPolicy } from "aws-cdk-lib";
import { RetentionDays } from "aws-cdk-lib/aws-logs";

const logGroup = createLogGroupBuilder()
  .retention(RetentionDays.SIX_MONTHS)
  .removalPolicy(RemovalPolicy.DESTROY)
  .build(stack, "EphemeralLogs");

Encryption

CloudWatch Logs encrypts all log data at rest using AWS-managed keys. For additional control (key rotation, CloudTrail audit, access revocation), provide a customer-managed KMS key:

const logGroup = createLogGroupBuilder().encryptionKey(myKmsKey).build(stack, "EncryptedLogs");