diff --git a/install_files/ansible-base/roles/app/files/apache2-logrotate.conf b/install_files/ansible-base/roles/app/files/apache2-logrotate.conf
new file mode 100644
index 0000000000..b336f16a5b
--- /dev/null
+++ b/install_files/ansible-base/roles/app/files/apache2-logrotate.conf
@@ -0,0 +1,10 @@
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 30
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /usr/bin/killall -HUP apache2
+ endscript
+}
diff --git a/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml b/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml
index dcbe711c82..db55e3a445 100644
--- a/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml
+++ b/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml
@@ -116,3 +116,12 @@
 - restart apache2
 tags:
 - apache
+
+- name: Retain no more than one month of apache logs
+ copy:
+ src: apache2-logrotate.conf
+ dest: /etc/logrotate.d/apache2
+ owner: root
+ mode: "0644"
+ tags:
+ - apache
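Review bot: The `postrotate` command `/usr/bin/killall -HUP apache2` is a blunt way to make Apache reopen its log files. For httpd, SIGHUP is the immediate-restart signal rather than the graceful one, so requests in flight at rotation time are cut off every day. `killall` also exits non-zero when no `apache2` process is running, which logrotate reports as a failed script. A guarded reload avoids both, for example `if invoke-rc.d apache2 status > /dev/null 2>&1; then invoke-rc.d apache2 reload > /dev/null 2>&1; fi`, assuming a Debian-family host as the `apache2` naming and `adm` group suggest.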
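Review bot: Copying the new file to `/etc/logrotate.d/apache2` does not by itself bring an already-deployed host down to one month of Apache logs. logrotate prunes only files that match the naming scheme of the active config, so rotated logs left by whatever config was there before (for instance compressed `.gz` files, if the packaged default was in use, which this diff does not show) would likely stay in `/var/log/apache2` indefinitely. `rotate 30` is also a file count rather than an age, so adding `maxage 30` to the config would make the time bound explicit. Consider a follow-up cleanup task such as `command: find /var/log/apache2 -type f -name '*.log.*' -mtime +30 -delete`, and add `group: root` to the `copy` so group ownership is set explicitly.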