DataProtectionPolicy

class aws_cdk.aws_logs.DataProtectionPolicy(*, identifiers, delivery_stream_name_audit_destination=None, description=None, log_group_audit_destination=None, name=None, s3_bucket_audit_destination=None)

Bases: object

Creates a data protection policy for CloudWatch Logs log groups.

Example:

from aws_cdk import aws_logs as logs
from aws_cdk import aws_s3 as s3
import aws_cdk.aws_kinesisfirehose_alpha as kinesisfirehose
import aws_cdk.aws_kinesisfirehose_destinations_alpha as destinations


# Every audit destination must exist before the policy that references it is created.
log_group_destination = logs.LogGroup(self, "LogGroupLambdaAudit",
    log_group_name="auditDestinationForCDK"
)

bucket = s3.Bucket(self, "audit-bucket")
s3_destination = destinations.S3Bucket(bucket)

delivery_stream = kinesisfirehose.DeliveryStream(self, "Delivery Stream",
    destination=s3_destination
)

data_protection_policy = logs.DataProtectionPolicy(
    name="data protection policy",
    description="policy description",
    identifiers=[
        logs.DataIdentifier.DRIVERSLICENSE_US,  # managed data identifier
        logs.DataIdentifier("EmailAddress"),  # forward compatibility for new managed data identifiers
        logs.CustomDataIdentifier("EmployeeId", r"EmployeeId-\d{9}")  # custom data identifier; raw string keeps the \d escape intact
    ],
    log_group_audit_destination=log_group_destination,
    s3_bucket_audit_destination=bucket,
    delivery_stream_name_audit_destination=delivery_stream.delivery_stream_name
)

# The policy is attached to the log group whose events are to be audited.
logs.LogGroup(self, "LogGroupLambda",
    log_group_name="cdkIntegLogGroup",
    data_protection_policy=data_protection_policy
)

Parameters:
  • identifiers (Sequence[DataIdentifier]) – List of data protection identifiers. Managed data identifiers must be one of those listed at https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-managed-data-identifiers.html and custom data identifiers must define a valid regex (constraints: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html#custom-data-identifiers-constraints).

  • delivery_stream_name_audit_destination (Optional[str]) – Name of the Amazon Kinesis Data Firehose delivery stream to send audit findings to. The delivery stream must already exist. Default: no Firehose delivery stream audit destination

  • description (Optional[str]) – Description of the data protection policy. Default: ‘cdk generated data protection policy’

  • log_group_audit_destination (Optional[ILogGroup]) – CloudWatch Logs log group to send audit findings to. The log group must already exist before the data protection policy is created. Default: no CloudWatch Logs audit destination

  • name (Optional[str]) – Name of the data protection policy. Default: ‘data-protection-policy-cdk’

  • s3_bucket_audit_destination (Optional[IBucket]) – S3 bucket to send audit findings to. The bucket must already exist. Default: no S3 bucket audit destination
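The parameters above map onto a CloudWatch Logs data protection policy document; the added example below (not CDK's own code) builds that document from the same inputs without the CDK and runs the checks a reviewer wants before deploying it: every audit finding has somewhere to go, matches are masked and not only reported, and each custom regex compiles. The document shape (statement ids, key names, the identifier ARN prefix) is assumed from the service's policy format rather than taken from this page.

```python
import re
# Assumed document shape (CloudWatch Logs data protection policy, Version 2021-06-01),
# not taken from this page: managed identifiers by ARN, custom ones by declared name.
def build_policy(identifiers, custom=None, name="data-protection-policy-cdk",
                 description="cdk generated data protection policy",
                 log_group=None, s3_bucket=None, delivery_stream=None):
    """identifiers: managed names; custom: {name: regex}; destinations as in the construct."""
    custom = custom or {}
    data_ids = ["arn:aws:dataprotection::aws:data-identifier/" + i
                for i in identifiers] + list(custom)
    findings = {}
    if log_group:
        findings["CloudWatchLogs"] = {"LogGroup": log_group}
    if s3_bucket:
        findings["S3"] = {"Bucket": s3_bucket}
    if delivery_stream:
        findings["Firehose"] = {"DeliveryStream": delivery_stream}
    policy = {"Name": name, "Description": description, "Version": "2021-06-01",
              "Statement": [
                  {"Sid": "audit-statement", "DataIdentifier": data_ids,
                   "Operation": {"Audit": {"FindingsDestination": findings}}},
                  {"Sid": "redact-statement", "DataIdentifier": data_ids,
                   "Operation": {"Deidentify": {"MaskConfig": {}}}}]}
    if custom:  # custom identifiers are declared once and referenced by name above
        policy["Configuration"] = {"CustomDataIdentifier": [
            {"Name": n, "Regex": r} for n, r in custom.items()]}
    return policy


def policy_problems(policy):
    """Pre-deployment review: an Audit statement with no destination drops every
    finding, no Deidentify statement means matches are reported but never masked,
    and a custom regex that fails to compile or matches "" is useless. Python's re
    is a first pass only; the service applies its own regex constraints."""
    problems = []
    ops = [s["Operation"] for s in policy["Statement"]]
    audit = [o["Audit"] for o in ops if "Audit" in o]
    if not audit:
        problems.append("no Audit statement")
    elif not audit[0]["FindingsDestination"]:
        problems.append("Audit statement has no findings destination")
    if not any("Deidentify" in o for o in ops):
        problems.append("no Deidentify statement")
    for c in policy.get("Configuration", {}).get("CustomDataIdentifier", []):
        try:
            if re.compile(c["Regex"]).fullmatch("") is not None:
                problems.append(f"custom identifier {c['Name']} matches empty string")
        except re.error as err:
            problems.append(f"custom identifier {c['Name']} regex invalid: {err}")
    return problems
```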