Redact sensitive data from CloudTrail logs - Amazon Marketing Cloud Uploader from AWS

Redact sensitive data from CloudTrail logs

Sensitive data includes PII, passwords, and credentials, among other things. For more information about what your organization considers sensitive, refer to your organization’s security policy.

Make sure that sensitive data fields are redacted in the payload before it is logged. There are three complementary options:

  1. Customized redaction - Clone the request or response object in your code and strip the fields that contain sensitive information from the clone before it is logged. Never mutate the original object, because the request still has to be processed after the log entry is written.

  2. Automated redaction - CloudTrail automatically redacts fields that are marked with the sensitive trait, so apply this trait to every sensitive parameter in the API model.

  3. Keyword redaction - As an additional control, the keyword redaction feature automatically redacts fields whose names contain specific keywords that indicate sensitive content (for example, password). Do not rely solely on this feature; use it only as an additional layer on top of the two options mentioned previously, because a sensitive field with an unremarkable name (for example, an email address stored under a field named contact) is not caught by keyword matching.
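The following Python example is added here for illustration and is not part of the solution's code. It shows customized redaction (option 1) combined with keyword redaction as a second layer (option 3): the payload is deep-copied, fields on an explicit sensitive-field list are replaced, field names are then matched against a keyword pattern, and the original object is left untouched. It also includes the kind of check a reviewer can run to confirm that known sensitive values no longer appear anywhere in what is logged. The field names, keyword list, and sample request are assumptions chosen for this example; take the real list from your API model and your organization's security policy.

```python
import copy
import json
import re
from typing import Any, Iterable, Pattern

REDACTED = "***REDACTED***"

# Assumed for this example: explicit field names from the API model (option 1).
SENSITIVE_FIELDS = {"password", "clientSecret", "sessionToken", "email"}

# Assumed for this example: keyword layer matched against field names (option 3).
# This is a safety net only; a sensitive field with an unremarkable name is not caught here.
KEYWORD_PATTERN = re.compile(r"(password|passwd|secret|token|credential|ssn)", re.IGNORECASE)


def redact_payload(payload: Any,
                   sensitive_fields: Iterable[str] = SENSITIVE_FIELDS,
                   keyword_pattern: Pattern = KEYWORD_PATTERN) -> Any:
    """Return a deep copy of payload with sensitive fields replaced by REDACTED.

    The original object is never mutated, so the request can still be processed
    after the redacted copy has been written to the log.
    """
    clone = copy.deepcopy(payload)
    names = {n.lower() for n in sensitive_fields}
    return _walk(clone, names, keyword_pattern)


def _walk(node: Any, names: set, pattern: Pattern) -> Any:
    """Recursively redact dict keys that are on the explicit list or match a keyword."""
    if isinstance(node, dict):
        for key in list(node.keys()):
            if key.lower() in names or pattern.search(key):
                # Replace the whole value, including nested structures under a sensitive key.
                node[key] = REDACTED
            else:
                node[key] = _walk(node[key], names, pattern)
        return node
    if isinstance(node, list):
        return [_walk(item, names, pattern) for item in node]
    return node


def contains_values(payload: Any, values: Iterable[str]) -> bool:
    """Review check: True if any known sensitive value still appears in the serialized payload.

    Serializing first catches values that survived under a key the redaction rules missed.
    """
    serialized = json.dumps(payload, sort_keys=True)
    return any(v in serialized for v in values)


# Constructed sample request for this example, not a real API payload.
SAMPLE_REQUEST = {
    "userName": "analyst",
    "password": "hunter2",
    "profile": {"email": "analyst@example.com", "apiToken": "abc123", "region": "us-east-1"},
    "uploads": [{"fileName": "orders.csv", "clientSecret": "s3cr3t"}],
}

# Constructed list of the secret values a reviewer expects to be gone from the log entry.
KNOWN_SECRETS = ["hunter2", "abc123", "s3cr3t", "analyst@example.com"]


if __name__ == "__main__":
    redacted = redact_payload(SAMPLE_REQUEST)
    print(json.dumps(redacted, indent=2))
    print("sensitive values remain:", contains_values(redacted, KNOWN_SECRETS))
```

Note that `apiToken` is not on the explicit list and is only caught by the keyword layer, which is exactly the situation the page warns about: keep the explicit list complete and treat the keyword match as a backstop, not as the primary control.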

Review the request parameters and response elements for the events that you log to CloudTrail together with your application security (AppSec) engineer, and make sure that every sensitive field is redacted.

When this is done correctly, the request parameters and response elements for the events that you log to CloudTrail contain no sensitive data.