feat(logs): support DataProtectionPolicy in LogGroup construct

[kchg]

Sensitive data protection for CloudWatch Logs was launched at re:Invent 2022. This feature will enable that property under DataProtectionPolicy as a JSON object in the LogGroup construct.

Use case: A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.

closes #23399

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Construct Runtime Dependencies:

• This PR adds new construct runtime dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[peterwoodworth]

Thanks for the PR @kchg!

As it is now, this PR doesn't introduce any functionality that isn't already easily achievable through escape hatches. So, instead of asking our users to fully understand how to build a data protection policy and supply that directly as an object, it would be great to abstract this such that the dataProtectionPolicy prop takes in a class with a name like DataProtectionPolicy that can contain one or more configurable DataPolicyStatements. See our Policy and PolicyStatement classes in our IAM module for reference on what this might look like 🙂 These classes contain methods to modify existing statements, and ways to add statements to an existing policy. I think these methods would be useful in this case as well. Open to thoughts/suggestions!

[kchg]

Thanks for the feedback @peterwoodworth! I'll make some changes here to abstract away the details of creating a data protection policy, so that users can just provide a list of data identifiers and any audit destinations.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

Pull request has been modified.

[kchg]

Hi @peterwoodworth, this PR should allow users to add a data protection policy to a log group without knowing the actual structure of the policy. Could you please review this? Thanks.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[kchg]

Hi @corymhall, thank you for the review, I've made changes or addressed each comment from your review, please let me know what you think.

Pull request has been modified.

[corymhall]

Looking good! Just a couple more suggestions.

[corymhall]

Yeah on second look I was thinking about extending construct because the constructor took a scope argument. I think we should modify this API a bit to be something like.

class DataProtectionPolicy {
  constructor(props: DataProtectionPolicyProps) {
    ...
  }
  public bind(scope: Construct): DataProtectionPolicyConfig {
    ...
  }
}

and then

new CfnLogGroup(this, 'Resource', {
  ...,
  dataProtectionPolicy: props.dataProtectionPolicy.bind(this),

[corymhall]

Suggested change

	* @default null
	* @default - no data protection policy

[kchg]

Updated.

Pull request has been modified.

[corymhall]

Looking good! Just a couple of minor things

[corymhall]

Since this is a public API, we should allow for non-breaking changes that we might need to
make in the future. We can either make this an internal API by adding
@internal and changing the name to _bind() or we can add a second optional
props argument that is empty for now. public bind(scope: Construct, props: DataProtectionPolicyBindProps = {})

If you don't think there is any use case for using this outside of the internal
library usage then I would recommend going with @internal.

[kchg]

Updated to _bind()

[corymhall]

This file should not have been git ignored. Can you check?

[kchg]

Looks like the .gitignore was updated since the commit adding these files, I've removed this file from the PR.

[corymhall]

This file should have been git ignored, can you check?

[kchg]

Removed this file.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: a4be031
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[renatoargh]

Hey, thanks for the great PR!

A question: this PR introduces the ability to associate a DataProtectionPolicy to a LogGroup when you create it via the new LogGroup({ ... }) constructor. However, I would like to associate a DataProtectionPolicy with an existing LogGroup to use the data protection feature with an existing lambda. I know I can retrieve an existing LogGroup like this:

const existingLogGroup = LogGroup.fromLogGroupName(
    scope,
    'ExistingLambdaLogGroup',
    '/aws/lambda/my-existing-function-name'
);

But then I am unable to do something like existingLogGroup.addDataProtectionPolicy(new DataProtectionPolicy({ ... })).

Are there any plans to support it or Is there any way to make it work that I cannot see?

I tried creating a logGroup from scratch and associating when creating the lambda but it doesn't seem possible to make lambda use a different log group than the default /aws/lambda/${functionName}.

Again, thanks a lot!

[kevincifuentes-eb]

@renatoargh Did you find any workaround for that use case? Thanks!

[kevincifuentes-eb]

Any idea if this is possible somehow? I'm also using CDK for our infrastructure and don't see a way to set a custom log group or simply modify the existing one on the lambda to add that DataProtectionPolicy.
Thanks for your help!

[kevincifuentes-eb]

If just someone gets to the same PR here, I finally was able to implement it using AWSCustomResource executing a AWSSDKCall when the CloudFormation is created (onCreate)