Hide sensitive data in CloudWatch logs

0

Hello. We have enabled logging from an RDS instance to CloudWatch. I have noticed that some sensitive info like certificates and private keys is appearing in CloudWatch logs. I would like to hide this type of log so it won't be shown in CloudWatch. Could you please advise how I can do it? Unfortunately, I cannot use a data protection policy because it's not supported in our AWS Region.

Asked 1 year ago, 1177 views
3 answers
0

Hi, thanks for reaching out!

As I understand it, RDS logs cannot be scrubbed prior to sending to CloudWatch. As well, once the logs are in CloudWatch, and without the benefit of the CloudWatch Logs data masking feature available in enabled regions, hiding specific sensitive data already delivered to CloudWatch Logs is not straightforward as individual log messages cannot be outright deleted from a log stream. The minimum level of granularity for Delete calls is for an entire log stream.

As a baseline level of protection, I would advise ensuring that log groups that may contain sensitive data be encrypted using the AWS Key Management Service. As well, IAM permissions can be adjusted such that only the IAM roles you specify can access log groups containing sensitive log data.

CloudWatch Logs Actions, resources, and condition keys

Identity-based policies for CloudWatch Logs

CloudWatch Logs Insights can be configured with saved queries that only return the log messages you wish to see while excluding any log messages containing sensitive data. However, the log messages with the sensitive data would still be available to be viewed by altering the query or viewing the log group directly by anyone with access to it.

AWS
Support Engineer
Answered 1 year ago
0

Hello, coming back to the issue. Yes, RDS logs cannot be scrubbed prior to sending to CloudWatch. As I mentioned, some of our logs in CloudWatch contain sensitive data like certificates and keys. I would like to redact only the sensitive data but leave the other info in the log visible. We cannot use the Data Protection function because it's not available in our AWS Region. We have already implemented some IAM permissions and other protections, but it'd be really great if we could mask the certificate info in the logs.

Answered 10 months ago
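The follow-up above asks specifically for masking certificate and key material while leaving the rest of each log line readable. The block below is an added example and is not code from this thread, from the answering engineer, or from AWS: it redacts PEM-armoured blocks (certificates, private keys, CSRs) from log messages and shows the shape of a Lambda target for a CloudWatch Logs subscription filter, which receives events as a base64-encoded gzip JSON envelope. The subscription-filter-to-Lambda fan-out, the `-redacted` log group name, the `handler` function and the sample RDS payload are all assumptions constructed for illustration; the raw log group still holds the original data, so the IAM and KMS restrictions recommended in the accepted answer still apply to it.

```python
import base64
import gzip
import json
import re

# A complete PEM block, armour lines included. DOTALL lets the body span
# many lines, since one RDS log event may carry the whole block.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----",
    re.DOTALL,
)

# A block whose END line fell into a later log event: an orphaned BEGIN line
# followed by body text up to the end of this event.
PEM_TAIL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*\Z", re.DOTALL)


def redact_pem(text: str) -> tuple[str, int]:
    """Return (redacted_text, number_of_blocks_redacted).

    Caveat: a middle chunk of a split block (base64 body with neither BEGIN
    nor END in the same event) is not recognised by these two patterns.
    """
    text, n_full = PEM_BLOCK.subn(lambda m: f"[REDACTED {m.group(1)}]", text)
    text, n_tail = PEM_TAIL.subn(
        lambda m: f"[REDACTED {m.group(1)} (truncated)]", text
    )
    return text, n_full + n_tail


def decode_subscription_payload(data_b64: str) -> dict:
    """Unwrap the base64 + gzip envelope CloudWatch Logs sends to a subscription target."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))


def encode_subscription_payload(payload: dict) -> str:
    """Inverse of decode_subscription_payload, used here to build test input."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()


def redact_log_events(payload: dict) -> list[dict]:
    """Redact every logEvent message; keep timestamps and count what was removed."""
    out = []
    for ev in payload["logEvents"]:
        msg, n = redact_pem(ev["message"])
        out.append({"timestamp": ev["timestamp"], "message": msg, "redacted": n})
    return out


def handler(event, context=None):
    """Hypothetical Lambda entry point for a CloudWatch Logs subscription filter.

    A real deployment would PutLogEvents into the separate, more widely readable
    log group named below (assumed name) and keep the raw group locked down.
    Here the redacted events are simply returned so the block runs offline.
    """
    payload = decode_subscription_payload(event["awslogs"]["data"])
    return {
        "logGroup": payload["logGroup"] + "-redacted",  # assumed naming
        "events": redact_log_events(payload),
    }


# Constructed sample input: not a real key, not a real account or instance.
SAMPLE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEA0constructed\n"
    "sample+body/not+a+real+key==\n"
    "-----END RSA PRIVATE KEY-----"
)
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/aws/rds/instance/example-db/postgresql",
    "logStream": "example-db.0",
    "subscriptionFilters": ["redact-pem"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000,
         "message": "2023-11-14 22:13:20 UTC::@:[1234]:LOG: database system is ready to accept connections"},
        {"id": "2", "timestamp": 1700000001000,
         "message": "2023-11-14 22:13:21 UTC::@:[1234]:LOG: loaded ssl key " + SAMPLE_KEY},
        # A certificate whose END line landed in the next event.
        {"id": "3", "timestamp": 1700000002000,
         "message": "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n"},
    ],
}

if __name__ == "__main__":
    result = handler({"awslogs": {"data": encode_subscription_payload(SAMPLE_PAYLOAD)}})
    for ev in result["events"]:
        print(ev["redacted"], repr(ev["message"]))
```

Running the block prints one line per event with the number of blocks removed; the private key and the truncated certificate are replaced by placeholders while the ordinary PostgreSQL startup line is untouched. Because the armour-based patterns miss a block that was split so that neither its BEGIN nor END line is in the event, a deployment should also keep the redacted group's retention and access scoped, and treat the raw group as the sensitive one.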
0
Expert
Answered 19 days ago
