- Newest
- Most votes
- Most comments
NicM,
Without knowing how your application works and how your Lambda function logs information, I would think the following might be worth looking into:
- Check CloudWatch Log Streams and Log Groups and how to programmatically add logs to CloudWatch Logs so you have full control of what gets logged.
- Try to tie some sort of identifier to the user and add the identifier to each and every log entry related to the user. It could very well be the username or other type of id. If this is not in existence you could probably use a DynamoDB table to store it for quick reference.
- In CloudWatch Logs you can set a retention period if you don't need the logs after some time so they get discarded automatically.
- Identifying each log entry with a link to the user will greatly simplify the identification and removal of the log entries when needed.
I hope this helps.
This issue doesnt sit with Lambda, it can be anything that logs to cloudwatch log groups of which lambda stores its logs here. I have seen other services output data to CW logs.
I guess the best option is that you have is to ensure your applications does not log personal information to logs and to omit this data when writing logs. If users need to be outputted into Logs then ensure masked information such as GUID's are captured in logs which in turn can be looked up if required. The application could encrypt/mask the data stored in the logs here also. I would focus more on the reason why there is PII information being captured in logs?
The other options are to set a short retention period for the logs so that the data is purged. You could have a specific KMS key for the real sensitive information and encrypt these cloudwatch logs with the KMS key that is limited to a small number of IAM users or services.
Data must be stored in logs for audit trail purposes and in order to assist with R&D debugging of certain behaviors related to a user's activity. This includes data such as IP Addresses and user identifiers. In case of storing 'masked' information, the masking must be done in such a way that there is no way to trace the masked identifiers to the real identifiers such as thru a separate service that stores the references.
Relevant content
- Accepted Answerasked 4 years ago
- asked 8 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Hi NicM.
What would be the requirements to make the log GDPR compliant? I'm not familiar with the details so if you could list what the expectation is it would be easier to formulate a possible solution.
@Jose Guay - please see update, thanks!