Data Source: awsCloudwatchLogDataProtectionPolicyDocument
Generates a CloudWatch Log Group Data Protection Policy document in JSON format for use with the awsCloudwatchLogDataProtectionPolicy resource.
-> For more information about data protection policies, see Help protect sensitive log data with masking in the Amazon CloudWatch Logs User Guide.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

class ExampleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Render the policy document. The "${aws_...}" strings are Terraform
    // references as emitted by cdktf convert; they resolve only if the audit
    // log group, Firehose delivery stream, S3 bucket and target log group are
    // defined elsewhere in this stack.
    const dataAwsCloudwatchLogDataProtectionPolicyDocumentExample =
      new aws.dataAwsCloudwatchLogDataProtectionPolicyDocument.DataAwsCloudwatchLogDataProtectionPolicyDocument(
        this,
        "example",
        {
          name: "Example",
          statement: [
            // Statement 1 must be the audit operation: matches are reported to
            // the configured findings destinations, the log data is unchanged.
            {
              dataIdentifiers: [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
              ],
              operation: {
                audit: {
                  findingsDestination: {
                    cloudwatchLogs: {
                      logGroup: "${aws_cloudwatch_log_group.audit.name}",
                    },
                    firehose: {
                      deliveryStream:
                        "${aws_kinesis_firehose_delivery_stream.audit.name}",
                    },
                    s3: {
                      bucket: "${aws_s3_bucket.audit.bucket}",
                    },
                  },
                },
              },
              sid: "Audit",
            },
            // Statement 2 must be the deidentify operation: the same
            // identifiers, with matched values masked.
            {
              dataIdentifiers: [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
              ],
              operation: {
                deidentify: {
                  maskConfig: {},
                },
              },
              sid: "Deidentify",
            },
          ],
        }
      );

    // Attach the rendered JSON to the target log group.
    const awsCloudwatchLogDataProtectionPolicyExample =
      new aws.cloudwatchLogDataProtectionPolicy.CloudwatchLogDataProtectionPolicy(
        this,
        "example_1",
        {
          logGroupName: "${aws_cloudwatch_log_group.example.name}",
          policyDocument:
            dataAwsCloudwatchLogDataProtectionPolicyDocumentExample.json,
        }
      );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsCloudwatchLogDataProtectionPolicyExample.overrideLogicalId("example");
  }
}
Argument Reference
The following arguments are required:
name - (Required) The name of the data protection policy document.
statement - (Required) Configures the data protection policy.
-> There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.
The following arguments are optional:
description - (Optional)
version - (Optional)
statement Configuration Block
dataIdentifiers - (Required) Set of at least one sensitive data identifier that you want to mask. Read more in Types of data that you can protect.
operation - (Required) Configures the data protection operation applied by this statement.
sid - (Optional) Name of this statement.
operation Configuration Block
audit - (Optional) Configures the detection of sensitive data.
deidentify - (Optional) Configures the masking of sensitive data.
-> Every policy statement must specify exactly one operation.
audit Configuration Block
findingsDestination - (Required) Configures destinations to send audit findings to.
findingsDestination Configuration Block
cloudwatchLogs - (Optional) Configures CloudWatch Logs as a findings destination.
firehose - (Optional) Configures Kinesis Firehose as a findings destination.
s3 - (Optional) Configures S3 as a findings destination.
cloudwatchLogs Configuration Block
logGroup - (Required) Name of the CloudWatch Log Group to send findings to.
firehose Configuration Block
deliveryStream - (Required) Name of the Kinesis Firehose Delivery Stream to send findings to.
s3 Configuration Block
bucket - (Required) Name of the S3 Bucket to send findings to.
deidentify Configuration Block
maskConfig - (Required) An empty object that configures masking.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
json - Standard JSON policy document rendered based on the arguments above. Pass it to the policyDocument argument of the awsCloudwatchLogDataProtectionPolicy resource.
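The following is an added example, not code from the Terraform AWS provider or from this page. It takes the same camelCase input shape as the data source, enforces the two constraints documented above (exactly two statements, audit first and deidentify second; exactly one operation and at least one data identifier per statement), and renders the JSON that the json attribute carries. The PascalCase key names and the default Version "2021-06-01" follow the AWS data protection policy schema; the log group and bucket names in the sample input are constructed placeholders.

```typescript
// Added example (not provider code): validate a data protection policy input
// against the rules the data source documents, then render it as AWS JSON.
// Key names (Version, Statement, Sid, DataIdentifier, Operation, Audit,
// FindingsDestination, Deidentify, MaskConfig) follow the AWS schema.

type FindingsDestination = {
  cloudwatchLogs?: { logGroup: string };
  firehose?: { deliveryStream: string };
  s3?: { bucket: string };
};
type Operation = {
  audit?: { findingsDestination: FindingsDestination };
  deidentify?: { maskConfig: Record<string, never> };
};
type Statement = { sid?: string; dataIdentifiers: string[]; operation: Operation };
type PolicyInput = { name: string; description?: string; version?: string; statement: Statement[] };

// Returns one message per violated rule; an empty array means the input is valid.
function validatePolicy(input: PolicyInput): string[] {
  const problems: string[] = [];
  if (input.statement.length !== 2) {
    problems.push(`expected exactly 2 statements, got ${input.statement.length}`);
  }
  input.statement.forEach((s, i) => {
    const ops = [s.operation.audit, s.operation.deidentify].filter((o) => o !== undefined);
    if (ops.length !== 1) problems.push(`statement ${i}: must specify exactly one operation`);
    if (s.dataIdentifiers.length === 0) problems.push(`statement ${i}: needs at least one data identifier`);
  });
  const [first, second] = input.statement;
  if (first && !first.operation.audit) problems.push("statement 0 must carry the audit operation");
  if (second && !second.operation.deidentify) problems.push("statement 1 must carry the deidentify operation");
  return problems;
}

// Emit only the destinations that were configured; all three are optional.
function renderFindingsDestination(d: FindingsDestination): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  if (d.cloudwatchLogs) out.CloudWatchLogs = { LogGroup: d.cloudwatchLogs.logGroup };
  if (d.firehose) out.Firehose = { DeliveryStream: d.firehose.deliveryStream };
  if (d.s3) out.S3 = { Bucket: d.s3.bucket };
  return out;
}

// Render the policy JSON, refusing any input that fails validation.
function renderPolicyJson(input: PolicyInput): string {
  const problems = validatePolicy(input);
  if (problems.length > 0) {
    throw new Error(`invalid data protection policy: ${problems.join("; ")}`);
  }
  const doc = {
    Name: input.name,
    ...(input.description !== undefined ? { Description: input.description } : {}),
    Version: input.version ?? "2021-06-01",
    Statement: input.statement.map((s) => ({
      ...(s.sid !== undefined ? { Sid: s.sid } : {}),
      DataIdentifier: s.dataIdentifiers,
      Operation: s.operation.audit
        ? { Audit: { FindingsDestination: renderFindingsDestination(s.operation.audit.findingsDestination) } }
        : { Deidentify: { MaskConfig: {} } },
    })),
  };
  return JSON.stringify(doc, null, 2);
}

// Constructed sample input mirroring the page's example. The destination
// names are placeholders, not resources referenced anywhere on the page.
const EMAIL = "arn:aws:dataprotection::aws:data-identifier/EmailAddress";
const US_DL = "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US";
const examplePolicy: PolicyInput = {
  name: "Example",
  statement: [
    {
      sid: "Audit",
      dataIdentifiers: [EMAIL, US_DL],
      operation: {
        audit: {
          findingsDestination: {
            cloudwatchLogs: { logGroup: "/example/data-protection-audit" },
            s3: { bucket: "example-data-protection-audit" },
          },
        },
      },
    },
    { sid: "Deidentify", dataIdentifiers: [EMAIL, US_DL], operation: { deidentify: { maskConfig: {} } } },
  ],
};

console.log(renderPolicyJson(examplePolicy));
```

Run it with ts-node or tsx; the printed document is what Terraform sends to CloudWatch Logs when the json attribute is passed to awsCloudwatchLogDataProtectionPolicy. Swapping the two statements, dropping one, or giving a statement both operations makes validatePolicy report the violation and renderPolicyJson throw, which is the same class of input the API would reject at apply time.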