Posted On: Jun 8, 2023

Amazon CloudWatch Logs is excited to announce support for account-level data protection policy configuration. You can now create a data protection policy that is applied to all existing and future log groups within your AWS account.

Customers want to ensure sensitive data is detected and masked consistently across all their logs. With account-level policies, customers can protect all their logs in a simplified and consistent way. Account-level policies work in combination with log-group-level policies, allowing you to select patterns of sensitive log data to detect and protect broadly across all log groups in an AWS account. Data protection is a feature that leverages pattern matching and machine learning capabilities to detect and protect sensitive log data in transit. With log data protection in Amazon CloudWatch Logs, you can now detect and protect sensitive log data in transit, such as credit card numbers or government IDs logged by your systems and applications.

Start creating account-level data protection policies to discover and mask sensitive data in Amazon CloudWatch Logs using the AWS Software Development Kit (SDK), AWS Command Line Interface (CLI), or CloudWatch in the AWS Management Console. Account-level data protection policy configuration is available in all AWS Commercial Regions. To learn more about Amazon CloudWatch Logs data protection, read the developer guide and API reference documentation. Data protection costs $0.12 per GB of data scanned. See CloudWatch Pricing - Detecting and masking sensitive log data with data protection for a pricing example.
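The following is an added example, not AWS sample code, of what an account-level data protection policy looks like when created through the SDK. It builds the policy document, checks the structural rules a data protection policy must satisfy (an Audit statement with a findings destination, followed by a Deidentify statement with an empty MaskConfig, both over the identical DataIdentifier list), and then calls boto3's `put_account_policy` with `policyType="DATA_PROTECTION_POLICY"` and `scope="ALL"`. The managed identifiers `CreditCardNumber` and `EmailAddress` are real AWS data identifiers; the policy name, the findings log group and the region are constructed placeholders.

```python
"""Build, sanity-check, and (optionally) apply an account-level CloudWatch Logs
data protection policy with boto3.

Added example; not AWS sample code. Placeholder values are marked in comments.
"""
import json

# Managed data identifiers. CreditCardNumber and EmailAddress are documented
# AWS identifiers; the ARN form is the one the data protection API expects.
DATA_IDENTIFIERS = [
    "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber",
    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
]

# Constructed placeholder: the log group that receives audit findings.
FINDINGS_LOG_GROUP = "/aws/cloudwatch-logs/data-protection-findings"


def build_policy(identifiers=DATA_IDENTIFIERS, findings_log_group=FINDINGS_LOG_GROUP):
    """Return the policy document as a dict.

    A data protection policy needs two statements over the same identifiers:
    an Audit statement (where findings go) followed by a Deidentify statement
    (mask the matches in the stored log events).
    """
    return {
        "Name": "account-data-protection",  # constructed placeholder name
        "Description": "Mask card numbers and e-mail addresses in every log group",
        "Version": "2021-06-01",
        "Statement": [
            {
                "Sid": "audit",
                "DataIdentifier": list(identifiers),
                "Operation": {
                    "Audit": {
                        "FindingsDestination": {
                            "CloudWatchLogs": {"LogGroup": findings_log_group}
                        }
                    }
                },
            },
            {
                "Sid": "redact",
                "DataIdentifier": list(identifiers),
                # MaskConfig must be present and empty.
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    }


def validate_policy(policy):
    """Catch the structural mistakes that make PutAccountPolicy reject a document.

    Returns a list of problems; an empty list means the document looks sound.
    """
    problems = []
    stmts = policy.get("Statement", [])
    if len(stmts) != 2:
        problems.append("policy must have exactly two statements (Audit, Deidentify)")
        return problems
    audit, redact = stmts
    if "Audit" not in audit.get("Operation", {}):
        problems.append("first statement must carry an Audit operation")
    elif "FindingsDestination" not in audit["Operation"]["Audit"]:
        problems.append("Audit operation must name a FindingsDestination")
    if "Deidentify" not in redact.get("Operation", {}):
        problems.append("second statement must carry a Deidentify operation")
    elif redact["Operation"]["Deidentify"].get("MaskConfig") != {}:
        problems.append("Deidentify operation must contain an empty MaskConfig")
    if audit.get("DataIdentifier") != redact.get("DataIdentifier"):
        problems.append("DataIdentifier lists must be identical in both statements")
    for stmt in stmts:
        for arn in stmt.get("DataIdentifier", []):
            if not arn.startswith("arn:aws:dataprotection::"):
                problems.append(f"unexpected data identifier format: {arn}")
    return problems


def apply_account_policy(policy, policy_name="account-data-protection", region="us-east-1"):
    """Apply the document to every current and future log group in the account.

    Needs credentials allowed to call logs:PutAccountPolicy. boto3 is imported
    lazily so the builder and validator above run without it installed.
    The region is a constructed placeholder; account policies are per region.
    """
    import boto3

    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    client = boto3.client("logs", region_name=region)
    return client.put_account_policy(
        policyName=policy_name,
        policyType="DATA_PROTECTION_POLICY",
        policyDocument=json.dumps(policy),
        scope="ALL",
    )


if __name__ == "__main__":
    doc = build_policy()
    print(json.dumps(doc, indent=2))
    print("validation problems:", validate_policy(doc) or "none")
    # Uncomment to push the policy to the account in the chosen region:
    # apply_account_policy(doc)
```

Because the policy operates on log data in transit, it masks events ingested after it takes effect; events already stored are not rewritten, so the findings log group is the place to confirm that new matches are being caught. The same document can be supplied to the CLI as `aws logs put-account-policy --policy-type DATA_PROTECTION_POLICY --scope ALL --policy-document file://policy.json`.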