Hide sensitive data in CloudWatch logs


Hello. We have enabled logging from an RDS instance to CloudWatch. I have noticed that some sensitive info like certificates and private keys is appearing in CloudWatch logs. I would like to hide this type of log entry so it won't be shown in CloudWatch. Could you please advise how I can do it? Unfortunately I cannot use a data protection policy because it is not supported in our AWS Region.

asked a year ago · 1225 views
3 Answers

Hi, thanks for reaching out!

As I understand it, RDS logs cannot be scrubbed prior to sending to CloudWatch. As well, once the logs are in CloudWatch, and without the benefit of the CloudWatch Logs data masking feature available in enabled Regions, hiding specific sensitive data already delivered to CloudWatch Logs is not straightforward, as individual log messages cannot be outright deleted from a log stream. The minimum level of granularity for Delete calls is an entire log stream.

As a baseline level of protection, I would advise ensuring that log groups that may contain sensitive data be encrypted using the AWS Key Management Service. As well, IAM permissions can be adjusted such that only the IAM roles you specify can access log groups containing sensitive log data.

CloudWatch Logs Actions, resources, and condition keys

Identity-based policies for CloudWatch Logs

CloudWatch Logs Insights can be configured with saved queries that only return the log messages you wish to see while excluding any log messages containing sensitive data. However, the log messages with the sensitive data would still be available to be viewed by altering the query or viewing the log group directly by anyone with access to it.

answered a year ago
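The IAM advice in the answer above, written out as an added example (not code from the thread or from AWS documentation). The account ID, Region, log group name and role name are placeholders. The policy denies every read and export path out of the RDS log group unless the caller is the one approved role; attach it to the other principals' identity-based policies (or use the same statement as an SCP) so that a broad `logs:*` read grant elsewhere cannot override it, since an explicit Deny always wins:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReadingSensitiveRdsLogsExceptApprovedRole",
      "Effect": "Deny",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:GetLogRecord",
        "logs:StartQuery",
        "logs:GetQueryResults",
        "logs:StartLiveTail",
        "logs:CreateExportTask",
        "logs:PutSubscriptionFilter"
      ],
      "Resource": [
        "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/rds/instance/prod-db/postgresql",
        "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/rds/instance/prod-db/postgresql:*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/rds-log-reader"
        }
      }
    }
  ]
}
```

Two things to check after applying it: `CreateExportTask` and `PutSubscriptionFilter` are included because they move the data out of the log group (to S3, Lambda or Kinesis), which is just as much a read as `GetLogEvents`; and the KMS key policy on the encrypted log group must likewise grant `kms:Decrypt` only to the same approved role, otherwise the encryption adds nothing on top of the IAM restriction.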

Hello, coming back to the issue. Yes, RDS logs cannot be scrubbed prior to sending to CloudWatch. As I mentioned, some of our logs in CloudWatch contain sensitive data like certificates and keys. I would like to redact only the sensitive data but leave the other info in the log visible. We cannot use the Data Protection function because it is not available in our AWS Region. We have already implemented some IAM permissions and other protections, but it would be really great if we could mask the certificate info in the logs.

answered 10 months ago
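The redaction the asker wants (mask certificates and keys, keep the rest of the line) and the Insights exclusion the first answer suggests, as an added worked example that is not part of the thread and is not an AWS feature. Since the Region lacks data protection policies, the assumption here is that you run this transform yourself, for example in a Lambda behind a subscription filter on the raw RDS log group, writing the cleaned events to a second log group that ordinary users may read; the Lambda wiring is assumed and not shown. The sample events are constructed, not real RDS output.

```python
"""Redact PEM-encoded certificates and private keys from CloudWatch log
events. Added example; the subscription-filter Lambda that would call
redact_events() is assumed, not shown."""
from __future__ import annotations

import re

# Complete PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----".
# DOTALL lets the body span real newlines or the literal "\n" that some
# shippers keep inside a single CloudWatch event message.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----.*?-----END \1-----", re.DOTALL)

# BEGIN header with no matching END: the event was cut off mid-key (CloudWatch
# caps the size of one event). Redact from the header to the end of the
# message rather than leak the partial key material.
PEM_TRUNCATED = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----.*\Z", re.DOTALL)

# Equivalent exclusion as a CloudWatch Logs Insights saved query (the first
# answer's suggestion). It only hides matching events from that query;
# anyone who can read the log group still sees them.
INSIGHTS_EXCLUDE_PEM = "fields @timestamp, @message | filter @message not like /-----BEGIN /"


def contains_pem(message: str) -> bool:
    """True if the message carries any PEM header (complete or truncated)."""
    return "-----BEGIN " in message


def redact_pem(message: str) -> tuple[str, int]:
    """Replace each PEM block with a marker naming its label.

    Returns the redacted text and the number of blocks replaced, so a caller
    can emit a metric for how often secrets are hitting the logs."""
    def marker(m: re.Match) -> str:
        return f"[REDACTED {m.group(1)}]"

    redacted, n_complete = PEM_BLOCK.subn(marker, message)
    redacted, n_partial = PEM_TRUNCATED.subn(marker, redacted)
    return redacted, n_complete + n_partial


def redact_events(log_events: list[dict]) -> list[dict]:
    """Apply redact_pem to {'id','timestamp','message'} events (the shape of
    the logEvents array a subscription filter delivers). Events are kept,
    never dropped, so the non-secret part of each line stays visible."""
    out = []
    for ev in log_events:
        msg, n = redact_pem(ev["message"])
        out.append({**ev, "message": msg, "redacted_blocks": n})
    return out


# Constructed sample events (not real RDS output): one clean line, one line
# carrying a certificate plus a key, and one key truncated mid-body.
SAMPLE_EVENTS = [
    {"id": "1", "timestamp": 1700000000000,
     "message": "2023-11-14 22:13:20 UTC [12345] LOG: connection received: host=10.0.1.5"},
    {"id": "2", "timestamp": 1700000001000,
     "message": ("ssl config dump: -----BEGIN CERTIFICATE-----\nMIIBszCC...\n"
                 "-----END CERTIFICATE----- key: -----BEGIN RSA PRIVATE KEY-----\\n"
                 "MIIEow...\\n-----END RSA PRIVATE KEY----- done")},
    {"id": "3", "timestamp": 1700000002000,
     "message": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEE"},
]

if __name__ == "__main__":
    for ev in redact_events(SAMPLE_EVENTS):
        print(ev["id"], ev["redacted_blocks"], ev["message"].replace("\n", "\\n"))
```

The raw RDS log group still holds the unredacted events after this runs, so it needs the tight IAM and KMS restrictions from the first answer and the shortest retention you can live with; the redacted copy is the one to open up. Matching on the PEM armour rather than on base64 content keeps false positives low, but a key logged without its `-----BEGIN` header (for example as a bare base64 blob in a parameter dump) would slip through, so count `redacted_blocks` and review anything that looks like a new format.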
