Audit Retention Floor (No Infinite, 7y for Audit-Tagged)

retention.ms must be a finite value; topics labeled audit=true must retain at least 7 years (~220752000000 ms).

“We do centralized audit logging — and that data has to live for years, not until the broker decides to compact it.”

Rationale

SOX, FINRA 4511, HIPAA, and most banking regulators require multi-year retention of auditable events like trades, access logs, and claims. Setting retention.ms = -1 (infinite) in a regulated cluster looks safe but is unauditable: deletion becomes impossible to prove and storage cost explodes in ways finance teams can't model. The right pattern is a finite, documented retention, with a 7-year floor for explicitly audit-tagged topics.

Pattern

retention.ms != -1 AND (label.audit != true OR retention.ms >= 7y)

Examples

retention.ms: 604800000, audit not set (7 days, non-audit) — accepted
retention.ms: 220752000000, audit: true (7 years, audit topic) — accepted
retention.ms: -1 (infinite) — rejected: infinite retention is never allowed
retention.ms: 86400000, audit: true (1 day for an audit topic) — rejected: below the 7-year audit floor

Parameters

Name            Default         Description
audit_floor_ms  220752000000    Minimum retention.ms when metadata.labels.audit == 'true' (default 7 years).
audit_label     "audit"         Metadata label key marking a topic as audit-grade.
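The Pattern, Examples and Parameters sections above describe one predicate; the following is an added reference evaluator for it in Python, not Conduktor's own code. It mirrors the two CEL rules of the ResourcePolicy (finite positive retention.ms, then the audit floor) with the parameters table as defaults. TopicSpec is a constructed stand-in for a Topic resource, and the example topic names and values are constructed from the Examples list:

```python
from dataclasses import dataclass, field

# Defaults mirroring the Parameters table: 7 years of 365 days, in milliseconds.
AUDIT_FLOOR_MS = 7 * 365 * 24 * 60 * 60 * 1000  # 220752000000
AUDIT_LABEL = "audit"


@dataclass
class TopicSpec:
    """Constructed stand-in for a Conduktor Topic resource (not the real schema)."""
    name: str
    configs: dict = field(default_factory=dict)  # spec.configs: values are strings, as in the Console
    labels: dict = field(default_factory=dict)   # metadata.labels


def is_audit_topic(topic, audit_label=AUDIT_LABEL):
    """metadata.labels[audit_label] == "true" (label values are strings, so compare as text)."""
    return topic.labels.get(audit_label) == "true"


def check_retention_floor(topic, audit_floor_ms=AUDIT_FLOOR_MS, audit_label=AUDIT_LABEL):
    """Return the list of violation messages for one topic; an empty list means it passes."""
    violations = []
    raw = topic.configs.get("retention.ms")
    # Rule 1 in the policy requires the key to be present: an unset value silently
    # inherits the broker default, which is not a documented retention.
    if raw is None:
        violations.append("retention.ms must be set explicitly")
        return violations
    try:
        retention_ms = int(str(raw))  # same coercion as int(string(...)) in the CEL rule
    except ValueError:
        violations.append(f"retention.ms is not an integer: {raw!r}")
        return violations
    if retention_ms <= 0:
        violations.append("retention.ms must be a finite positive value (-1 = infinite is not allowed)")
    # Rule 2: only audit-tagged topics are held to the floor.
    if is_audit_topic(topic, audit_label) and retention_ms < audit_floor_ms:
        violations.append(f"audit-tagged topic must set retention.ms >= {audit_floor_ms}")
    return violations


def evaluate_all(topics, **params):
    """Evaluate a batch of topics; returns {topic name: [violations]}."""
    return {t.name: check_retention_floor(t, **params) for t in topics}


# Constructed topics corresponding to the four Examples on the page.
EXAMPLE_TOPICS = [
    TopicSpec("orders-events", {"retention.ms": "604800000"}),                      # 7 days, non-audit
    TopicSpec("trade-audit", {"retention.ms": "220752000000"}, {"audit": "true"}),  # 7 years, audit
    TopicSpec("clickstream", {"retention.ms": "-1"}),                               # infinite
    TopicSpec("access-audit", {"retention.ms": "86400000"}, {"audit": "true"}),     # 1 day, audit
]

if __name__ == "__main__":
    for name, found in evaluate_all(EXAMPLE_TOPICS).items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

A topic that is both audit-tagged and set to -1 collects both messages, which is the behaviour you want when surfacing violations in a pre-commit check: fixing only the infinite value would still leave it under the floor.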

Governs

This policy relates to the following Kafka configuration keys:

retention.ms

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# spec.configs values are strings — wrap with int(string(...)) for numeric compare.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: audit-retention-floor
spec:
  targetKind: Topic
  description: No infinite retention; audit-tagged topics must retain >= 7 years
  rules:
    - condition: '"retention.ms" in spec.configs && int(string(spec.configs["retention.ms"])) > 0'
      errorMessage: "retention.ms must be a finite positive value — retention.ms=-1 (infinite) is not allowed in a regulated cluster"
    - condition: '!(has(metadata.labels) && "audit" in metadata.labels && metadata.labels["audit"] == "true") || ("retention.ms" in spec.configs && int(string(spec.configs["retention.ms"])) >= 220752000000)'
      errorMessage: "Audit-tagged topics (metadata.labels.audit=true) must set retention.ms >= 220752000000 (7 years) for SOX/FINRA/HIPAA"
