

# Working with log groups and log streams
<a name="Working-with-log-groups-and-streams"></a>

A log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.

A log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.

For organizations that need to consolidate log data from multiple accounts and regions, you can use CloudWatch Logs Centralization to automatically replicate log groups to a central account. For more information, see [Cross-account cross-Region log centralization](CloudWatchLogs_Centralization.md).

You can use the procedures in this section to work with log groups and log streams.

## Create a log group in CloudWatch Logs
<a name="Create-Log-Group"></a>

When you install the CloudWatch Logs agent on an Amazon EC2 instance using the steps in previous sections of the Amazon CloudWatch Logs User Guide, the log group is created as part of that process. You can also create a log group directly in the CloudWatch console.

**To create a log group**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Log Management**.

1. Choose **Actions**, and then choose **Create log group**.

1. Enter a name for the log group, and then choose **Create log group**.

**Tip**  
You can favorite log groups, as well as dashboards and alarms, from the ***Favorites and recents*** menu in the navigation pane. Under the ***Recently visited*** column, hover over the log group that you want to favorite, and choose the star symbol next to it.

## Send logs to a log group
<a name="SendingLogData"></a>

CloudWatch Logs automatically receives log events from several AWS services. You can also send other log events to CloudWatch Logs using one of the following methods:
+ **CloudWatch agent** — The unified CloudWatch agent can send both metrics and logs to CloudWatch Logs. For information about installing and using the CloudWatch agent, see [Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html) in the *Amazon CloudWatch User Guide*.
+ **AWS CLI** — The [put-log-events](https://docs.aws.amazon.com/cli/latest/reference/logs/put-log-events.html) command uploads batches of log events to CloudWatch Logs.
+ **Programmatically** — The [PutLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html) API enables you to programmatically upload batches of log events to CloudWatch Logs.

## View log data sent to CloudWatch Logs
<a name="ViewingLogData"></a>

You can view and scroll through log data on a stream-by-stream basis as sent to CloudWatch Logs by the CloudWatch Logs agent. You can specify the time range for the log data to view.

**To view log data**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Log Management**.

1. For **Log Groups**, choose the log group to view the streams.

1. In the list of log groups, choose the name of the log group that you want to view.

1. In the list of log streams, choose the name of the log stream that you want to view.

1. To change how the log data is displayed, do one of the following:
   + To expand a single log event, choose the arrow next to that log event.
   + To expand all log events and view them as plain text, above the list of log events, choose **Text**.
   + To filter the log events, enter the desired search filter in the search field. For more information, see [Creating metrics from log events using filters](MonitoringLogData.md).
   + To view log data for a specified date and time range, next to the search filter, choose the arrow next to the date and time. To specify a date and time range, choose **Absolute**. To choose a predefined number of minutes, hours, days, or weeks, choose **Relative**. You can also switch between UTC and local time zone.

# Search log data using filter patterns
<a name="SearchDataFilterPattern"></a>

You can search your log data using the [Filter pattern syntax for metric filters, subscription filters, filter log events, and Live Tail](FilterAndPatternSyntax.md). You can search all the log streams within a log group, or by using the AWS CLI you can also search specific log streams. When each search runs, it returns up to the first page of data found and a token to retrieve the next page of data or to continue searching. If no results are returned, you can continue searching.

You can set the time range you want to query to limit the scope of your search. You could start with a larger range to see where the log lines you are interested in fall, and then shorten the time range to scope the view to logs in the time range that interest you.

You can also pivot directly from your logs-extracted metrics to the corresponding logs.

If you are signed in to an account set up as a monitoring account in CloudWatch cross-account observability, you can search and filter log events from the source accounts linked to this monitoring account. For more information, see [CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).

## Search log entries using the console
<a name="search-log-entries"></a>

You can search for log entries that meet specified criteria using the console.

**To search your logs using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Log Management**.

1. For **Log Groups**, choose the name of the log group containing the log stream to search.

1. For **Log Streams**, choose the name of the log stream to search.

1. Under **Log events**, enter the filter syntax to use.

**To search all log entries for a time range using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Log Management**.

1. For **Log Groups**, choose the name of the log group containing the log stream to search.

1. Choose **Search log group**.

1. For **Log events**, select the date and time range, and enter the filter syntax.

## Search log entries using the AWS CLI
<a name="search-log-entries-cli"></a>

You can search for log entries that meet specified criteria using the AWS CLI.

**To search log entries using the AWS CLI**  
At a command prompt, run the following [filter-log-events](https://docs.aws.amazon.com/cli/latest/reference/logs/filter-log-events.html) command. Use `--filter-pattern` to limit the results to the specified filter pattern and `--log-stream-names` to limit the results to the specified log streams.

```
aws logs filter-log-events --log-group-name my-group [--log-stream-names LIST_OF_STREAMS_TO_SEARCH] [--filter-pattern VALID_METRIC_FILTER_PATTERN]
```

**To search log entries over a given time range using the AWS CLI**  
At a command prompt, run the following [filter-log-events](https://docs.aws.amazon.com/cli/latest/reference/logs/filter-log-events.html) command:

```
aws logs filter-log-events --log-group-name my-group [--log-stream-names LIST_OF_STREAMS_TO_SEARCH] [--start-time 1482197400000] [--end-time 1482217558365] [--filter-pattern VALID_METRIC_FILTER_PATTERN]
```
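The two `filter-log-events` commands above take `--start-time` and `--end-time` as millisecond epoch values and return one page plus a `nextToken` per call. The following added example (not from the AWS documentation) shows the same search done programmatically: it converts ISO-8601 timestamps to the millisecond values the API expects and follows `nextToken` until it disappears. It assumes a client object with a boto3-style `filter_log_events()` method; `FakeLogsClient` is a constructed stand-in with three pages of made-up events so the example runs offline, and it does not evaluate the filter pattern itself.

```python
"""Search a CloudWatch Logs log group over a time range, following nextToken."""
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_ms(iso_utc: str) -> int:
    """Convert an ISO-8601 timestamp to the millisecond epoch value that
    --start-time/--end-time and the API expect (milliseconds, not seconds).
    Integer timedelta division keeps the .365 in 07:05:58.365 exact."""
    dt = datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return (dt - _EPOCH) // timedelta(milliseconds=1)


def search_log_group(client, log_group, filter_pattern, start_iso, end_iso,
                     log_streams=None):
    """Yield every matching event, following nextToken until it is absent.

    A page may contain zero events and still carry a nextToken (the search
    has not finished); stopping on an empty page would silently truncate
    the results, so only a missing token ends the loop.
    """
    params = {
        "logGroupName": log_group,
        "filterPattern": filter_pattern,
        "startTime": to_epoch_ms(start_iso),
        "endTime": to_epoch_ms(end_iso),
    }
    if log_streams:  # limit the search to specific streams, like --log-stream-names
        params["logStreamNames"] = list(log_streams)
    token = None
    while True:
        if token:
            params["nextToken"] = token
        page = client.filter_log_events(**params)
        for event in page.get("events", []):
            yield event
        token = page.get("nextToken")
        if not token:
            return


class FakeLogsClient:
    """Constructed stand-in for boto3's logs client (assumption, not AWS code):
    three pages, the middle one empty but still paginated, as the real API can do."""

    def __init__(self):
        self.pages = [
            {"events": [{"logStreamName": "web-1", "timestamp": 1482197460000,
                         "message": "ERROR login failed for user=alice"}],
             "nextToken": "t1"},
            {"events": [], "nextToken": "t2"},
            {"events": [{"logStreamName": "web-2", "timestamp": 1482201000000,
                         "message": "ERROR login failed for user=bob"}]},
        ]
        self.calls = []  # every request made, for inspection

    def filter_log_events(self, **params):
        self.calls.append(dict(params))
        index = {None: 0, "t1": 1, "t2": 2}[params.get("nextToken")]
        return self.pages[index]


def count_failed_logins(client):
    """Number of events matching the pattern in the page's example time window."""
    events = search_log_group(client, "my-group", 'ERROR "login failed"',
                              "2016-12-20T01:30:00Z", "2016-12-20T07:05:58.365Z",
                              log_streams=["web-1", "web-2"])
    return sum(1 for _ in events)


if __name__ == "__main__":
    fake = FakeLogsClient()
    print(count_failed_logins(fake))  # → 2
    print(len(fake.calls), "requests; first startTime:", fake.calls[0]["startTime"])
```

With a real client, replace `FakeLogsClient()` with `boto3.client("logs")`; the generator interface and the token handling stay the same.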

## Pivot from metrics to logs
<a name="pivot-metrics-logs"></a>

You can get to specific log entries from other parts of the console.

**To get from dashboard widgets to logs**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Dashboards**.

1. Choose a dashboard.

1. On the widget, choose the **View logs** icon, and then choose **View logs in this time range**. If there is more than one metric filter, select one from the list. If there are more metric filters than we can display in the list, choose **More metric filters** and select or search for a metric filter.

**To get from metrics to logs**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. In the search field on the **All metrics** tab, type the name of the metric and press Enter.

1. Select one or more metrics from the results of your search.

1. Choose **Actions**, **View logs**. If there is more than one metric filter, select one from the list. If there are more metric filters than we can display in the list, choose **More metric filters** and select or search for a metric filter.

## Troubleshooting
<a name="search-filter-troubleshooting"></a>

**Search takes too long to complete**

If you have a lot of log data, search might take a long time to complete. To speed up a search, you can do the following:
+ If you are using the AWS CLI, you can limit the search to just the log streams you are interested in. For example, if your log group has 1000 log streams, but you just want to see three log streams that you know are relevant, you can use the AWS CLI to limit your search to only those three log streams within the log group.
+ Use a shorter, more granular time range, which reduces the amount of data to be searched and speeds up the query.

## Change log data retention in CloudWatch Logs
<a name="SttingLogRetention"></a>

By default, log data is stored in CloudWatch Logs indefinitely. However, you can configure how long to store log data in a log group. Any data older than the current retention setting is deleted. You can change the log retention for each log group at any time.

**Note**  
CloudWatch Logs doesn’t immediately delete log events when they reach their retention setting. It typically takes up to 72 hours after that before log events are deleted, but in rare situations might take longer.  
This means that if you change a log group to have a longer retention setting when it contains log events that are past the expiration date, but haven’t been actually deleted, those log events will take up to 72 hours to be deleted after the new retention date is reached. To make sure that log data is deleted permanently, keep a log group at its lower retention setting until 72 hours have passed after the end of the previous retention period, or you have confirmed that the older log events are deleted.   
When log events reach their retention setting they are marked for deletion. After they are marked for deletion, they do not add to your archival storage costs anymore, even if they are not actually deleted until later. These log events marked for deletion are also not included when you use an API to retrieve the `storedBytes` value to see how many bytes a log group is storing.

**To change the logs retention setting**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Logs**, **Log groups**.

1. Find the log group to update.

1. In the **Retention** column for that log group, choose the current retention setting, such as **Never Expire**.

1. In **Retention setting**, for **Expire events after**, choose a log retention value, and then choose **Save**.

## Protecting log groups from deletion
<a name="protecting-log-groups-from-deletion-overview"></a>

You can optionally enable deletion protection to prevent accidental deletion of important log groups. For detailed information about deletion protection, see [Protecting log groups from deletion](protecting-log-groups-from-deletion.md).

# Protecting log groups from deletion
<a name="protecting-log-groups-from-deletion"></a>

## Enabling deletion protection
<a name="enabling-deletion-protection"></a>

You can enable deletion protection when creating a new log group or on existing log groups. During log group creation, select "Enabled deletion protection" in the console, or pass the `--deletion-protection-enabled` parameter in the AWS CLI. By default, deletion protection is not enabled.

**To enable or disable deletion protection on an existing log group (console)**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Log Management**.

1. Select the log group you want to protect.

1. Choose **Actions**, **Edit deletion protection**.

1. In the dialog box, review and then submit changes.

If using the AWS CLI, to enable deletion protection on an existing log group:

```
aws logs put-log-group-deletion-protection \
--log-group-identifier "/my-application/logs" \
--deletion-protection-enabled
```

To remove deletion protection on an existing log group:

```
aws logs put-log-group-deletion-protection \
--log-group-identifier "/my-application/logs" \
--no-deletion-protection-enabled
```

### Error handling
<a name="deletion-protection-error-handling"></a>

If you attempt to delete a log group with deletion protection enabled, you receive a `ValidationException` with the message: "Cannot delete log group with deletion protection enabled. Disable deletion protection first."

## Tag log groups in Amazon CloudWatch Logs
<a name="log-group-tagging"></a>

You can assign your own metadata to the log groups you create in Amazon CloudWatch Logs in the form of *tags*. A tag is a key-value pair that you define for a log group. Using tags is a simple yet powerful way to manage AWS resources and organize data, including billing data.

**Note**  
You can use tags to control access to CloudWatch Logs resources, including log groups and destinations. Access to log streams is controlled at the log group level, because of the hierarchical relation between log groups and log streams. For more information about using tags to control access, see [Controlling access to Amazon Web Services resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).

**Topics**
+ [Tag basics](#tagging-basics)
+ [Tracking costs using tagging](#tagging-billing)
+ [Tag restrictions](#tagging-restrictions)
+ [Tagging log groups using the AWS CLI](#log-group-tagging-cli)
+ [Tagging log groups using the CloudWatch Logs API](#log-group-tagging-api)

### Tag basics
<a name="tagging-basics"></a>

You use AWS CloudFormation, the AWS CLI, or the CloudWatch Logs API to complete the following tasks:
+ Add tags to a log group when you create it.
+ Add tags to an existing log group.
+ List the tags for a log group.
+ Remove tags from a log group.

You can use tags to categorize your log groups. For example, you can categorize them by purpose, owner, or environment. Because you define the key and value for each tag, you can create a custom set of categories to meet your specific needs. For example, you might define a set of tags that helps you track log groups by owner and associated application. Here are several examples of tags:
+ Project: Project name
+ Owner: Name
+ Purpose: Load testing
+ Application: Application name
+ Environment: Production

### Tracking costs using tagging
<a name="tagging-billing"></a>

You can use tags to categorize and track your AWS costs. When you apply tags to your AWS resources, including log groups, your AWS cost allocation report includes usage and costs aggregated by tags. You can apply tags that represent business categories (such as cost centers, application names, or owners) to organize your costs across multiple services. For more information, see [Use Cost Allocation Tags for Custom Billing Reports](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.

### Tag restrictions
<a name="tagging-restrictions"></a>

The following restrictions apply to tags.

**Basic restrictions**
+ The maximum number of tags per log group is 50.
+ Tag keys and values are case sensitive.
+ You can't change or edit tags for a deleted log group.

**Tag key restrictions**
+ Each tag key must be unique. If you add a tag with a key that's already in use, your new tag overwrites the existing key-value pair.
+ You can't start a tag key with `aws:` because this prefix is reserved for use by AWS. AWS creates tags that begin with this prefix on your behalf, but you can't edit or delete them.
+ Tag keys must be between 1 and 128 Unicode characters in length.
+ Tag keys must consist of the following characters: Unicode letters, digits, white space, and the following special characters: `_ . / = + - @`.

**Tag value restrictions**
+ Tag values must be between 0 and 255 Unicode characters in length.
+ Tag values can be blank. Otherwise, they must consist of the following characters: Unicode letters, digits, white space, and any of the following special characters: `_ . / = + - @`.
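The restrictions above are easy to violate from a deployment pipeline, and a rejected `tag-resource` call is usually discovered late. The following added example (not from the AWS documentation) encodes the limits listed on this page, the 50-tag maximum, key and value lengths, the allowed character set, the reserved `aws:` prefix, and case-sensitive keys, as a pre-flight validator; treating the `aws:` prefix as reserved regardless of case is this example's conservative choice, and the sample tag sets are constructed.

```python
"""Validate a proposed tag set against the CloudWatch Logs tag restrictions."""
import re

MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 255
# Unicode letters, digits, white space, and the special characters _ . / = + - @
# (\w covers Unicode letters, digits and underscore in Python 3).
_ALLOWED = re.compile(r"[\w\s./=+\-@]*")


def validate_tags(tags: dict) -> list:
    """Return a list of problems; an empty list means the tag set is acceptable."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    for key, value in tags.items():
        if not 1 <= len(key) <= MAX_KEY_LEN:
            problems.append(f"key {key!r}: length must be 1-{MAX_KEY_LEN} characters")
        if key.lower().startswith("aws:"):  # reserved for AWS-created tags
            problems.append(f"key {key!r}: the aws: prefix is reserved")
        if not _ALLOWED.fullmatch(key):
            problems.append(f"key {key!r}: contains a disallowed character")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"key {key!r}: value longer than {MAX_VALUE_LEN} characters")
        if not _ALLOWED.fullmatch(value):  # blank values pass
            problems.append(f"key {key!r}: value contains a disallowed character")
    return problems


def case_variant_keys(tags: dict) -> list:
    """Keys that differ only by case. They are legal (keys are case sensitive),
    but two such keys almost always mean a typo rather than two categories."""
    groups = {}
    for key in tags:
        groups.setdefault(key.casefold(), []).append(key)
    return sorted(k for ks in groups.values() if len(ks) > 1 for k in ks)


if __name__ == "__main__":
    # Constructed sample tag sets.
    good = {"Project": "payments", "Owner": "alice@example.com", "Environment": "Production"}
    bad = {"aws:created": "x", "": "v", "Bad Key!": "v", "K": "x" * 256}
    print(validate_tags(good))  # → []
    for problem in validate_tags(bad):
        print("-", problem)
    print(case_variant_keys({"Environment": "prod", "environment": "dev"}))
```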

### Tagging log groups using the AWS CLI
<a name="log-group-tagging-cli"></a>

You can add, list, and remove tags using the AWS CLI. For examples, see the following documentation:

[create-log-group](https://docs.aws.amazon.com/cli/latest/reference/logs/create-log-group.html)  
Creates a log group. You can optionally add tags when you create the log group.

[tag-resource](https://docs.aws.amazon.com/cli/latest/reference/logs/tag-resource.html)  
Assigns one or more tags (key-value pairs) to the specified CloudWatch Logs resource.

[list-tags-for-resource](https://docs.aws.amazon.com/cli/latest/reference/logs/list-tags-for-resource.html)  
Displays the tags that are associated with a CloudWatch Logs resource.

[untag-resource](https://docs.aws.amazon.com/cli/latest/reference/logs/untag-log-group.html)  
Removes one or more tags from the specified CloudWatch Logs resource.

### Tagging log groups using the CloudWatch Logs API
<a name="log-group-tagging-api"></a>

You can add, list, and remove tags using the CloudWatch Logs API. For examples, see the following documentation:

[CreateLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogGroup.html)  
Creates a log group. You can optionally add tags when you create the log group.

[TagResource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_TagResource.html)  
Assigns one or more tags (key-value pairs) to the specified CloudWatch Logs resource.

[ListTagsForResource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ListTagsForResource.html)  
Displays the tags that are associated with a CloudWatch Logs resource.

[UntagResource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_UntagLogGroup.html)  
Removes one or more tags from the specified CloudWatch Logs resource.

# Encrypt log data in CloudWatch Logs using AWS Key Management Service
<a name="encrypt-log-data-kms"></a>

Log group data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption with 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt log data at rest. As an alternative, you can use AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS key. Encryption using AWS KMS is enabled at the log group level, by associating a KMS key with a log group, either when you create the log group or after it exists.

**Important**  
CloudWatch Logs now supports encryption context, using `kms:EncryptionContext:aws:logs:arn` as the key and the ARN of the log group as the value for that key. If you have log groups that you have already encrypted with a KMS key, and you would like to restrict the key to be used with a single account and log group, you should assign a new KMS key that includes a condition in the IAM policy. For more information, see [AWS KMS keys and encryption context](#encrypt-log-data-kms-policy).

**Important**  
CloudWatch Logs now supports `kms:ViaService` which allows logs to make AWS KMS calls on your behalf. You should add this to your roles which call CloudWatch Logs in either your Key Policy or in IAM. For more information, see [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service).

After you associate a KMS key with a log group, all newly ingested data for the log group is encrypted using this key. This data is stored in encrypted format throughout its retention period. CloudWatch Logs decrypts this data whenever it is requested. CloudWatch Logs must have permissions for the KMS key whenever encrypted data is requested.

If you later disassociate a KMS key from a log group, CloudWatch Logs encrypts newly ingested data using the CloudWatch Logs default encryption method. All previously ingested data that was encrypted with the KMS key remains encrypted with the KMS key. CloudWatch Logs can still return that data after the KMS key is disassociated, because CloudWatch Logs can still continue to reference the key. However, if the key is later disabled, then CloudWatch Logs is unable to read the logs that were encrypted with that key.

**Important**  
CloudWatch Logs supports only symmetric KMS keys. Do not use an asymmetric key to encrypt the data in your log groups. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html).

## Limits
<a name="encryption-limits"></a>
+ To perform the following steps, you must have the following permissions: `kms:CreateKey`, `kms:GetKeyPolicy`, and `kms:PutKeyPolicy`.
+ After you associate or disassociate a key from a log group, it can take up to five minutes for the operation to take effect.
+ If you revoke CloudWatch Logs access to an associated key or delete an associated KMS key, your encrypted data in CloudWatch Logs can no longer be retrieved.
+ You can't associate a KMS key with an existing log group using the CloudWatch console.

## Step 1: Create an AWS KMS key
<a name="create-cmk"></a>

To create a KMS key, use the following [create-key](https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html) command:

```
aws kms create-key
```

The output contains the key ID and Amazon Resource Name (ARN) of the key. The following is example output:

```
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1478910250.94,
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/6f815f63-e628-448c-8251-e40cb0d29f59",
        "AWSAccountId": "123456789012",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
```

## Step 2: Set permissions on the KMS key
<a name="cmk-permissions-lg"></a>

By default, all AWS KMS keys are private. Only the key owner can use them to encrypt and decrypt data. However, the key owner can grant other users and resources permission to use the KMS key. With this step, you give the CloudWatch Logs service principal and the caller role permission to use the key. This service principal must be in the same AWS Region where the KMS key is stored.

As a best practice, we recommend that you restrict the use of the KMS key to only those AWS accounts or log groups you specify.

First, save the default policy for your KMS key as `policy.json` using the following [get-key-policy](https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-policy.html) command:

```
aws kms get-key-policy --key-id key-id --policy-name default --output text > ./policy.json
```

Open the `policy.json` file in a text editor and add the second statement (the one whose principal is the CloudWatch Logs service) from one of the following examples to the `Statement` array. Separate the existing statement from the new statement with a comma. These statements use `Condition` sections to enhance the security of the AWS KMS key. For more information, see [AWS KMS keys and encryption context](#encrypt-log-data-kms-policy).

The `Condition` section in this example restricts the key to a single log group ARN.

```
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name"
                }
            }
        }
    ]
}
```

The `Condition` section in this example limits the use of the AWS KMS key to the specified account, but it can be used for any log group.

```
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:*"
                }
            }
        }
    ]
}
```

Next, add permissions to the role that will be calling CloudWatch Logs. You can do this by adding an additional statement to the AWS KMS key policy or through IAM on the role itself. CloudWatch Logs uses `kms:ViaService` to make calls to AWS KMS on the customer’s behalf. For more information, see [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service).

To add permissions in the AWS KMS Key Policy, add the following additional statement to your key policy. If you use this method, as best practice, scope the policy to only the roles that will be interacting with AWS KMS encrypted log groups.

```
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::account_id:role/role_name"
  },
  "Action": [
    "kms:Encrypt",
    "kms:ReEncrypt*",
    "kms:Decrypt",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "logs.region.amazonaws.com"
      ]
    }
  }
}
```

Alternatively, if you would like to manage role permissions in IAM, you can add equivalent permissions through the following policy. This can be added to an existing role policy or attached to a role as an additional separate policy. If you use this method, as a best practice, scope the policy to only the AWS KMS keys that will be used for log encryption. For more information, see [Edit IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": [
                        "logs.us-east-1.amazonaws.com"
                    ]
                }
            },
            "Resource": "arn:aws:kms:us-east-1:444455556666:key/key_id"
        }
    ]
}
```

Finally, add the updated policy using the following [put-key-policy](https://docs.aws.amazon.com/cli/latest/reference/kms/put-key-policy.html) command:

```
aws kms put-key-policy --key-id key-id --policy-name default --policy file://policy.json
```
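Hand-editing `policy.json` between `get-key-policy` and `put-key-policy` is where a stray comma, or a forgotten `Condition`, tends to slip in. The following added example (not from the AWS documentation) performs the Step 2 edit in code: it appends the CloudWatch Logs service statement with a `kms:EncryptionContext:aws:logs:arn` condition (using `ArnEquals` for a single log group ARN and `ArnLike` when the ARN contains a wildcard, matching the two examples above) and the caller-role statement with a `kms:ViaService` condition, deriving the Region from the log group ARN so the service principal cannot disagree with it. It also includes an audit helper that flags any existing `Allow` statement for a `logs.*` service principal that lacks the encryption-context condition, which is the unscoped situation the first **Important** note describes. The default policy and ARNs are constructed sample values; feed the real output of `get-key-policy --output text` to `add_logs_statements` and write the result to the file you pass to `put-key-policy`.

```python
"""Extend a KMS key policy for CloudWatch Logs with scoped conditions."""
import json

LOGS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Describe*"]

# Constructed stand-in for the default policy that `aws kms get-key-policy` returns.
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})


def _arn_parts(arn):
    """Split arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return {"partition": parts[1], "service": parts[2], "region": parts[3],
            "account": parts[4], "resource": parts[5]}


def logs_service_statement(log_group_arn):
    """Allow the CloudWatch Logs service principal to use the key only when the
    encryption context carries the given log group ARN (or ARN pattern)."""
    p = _arn_parts(log_group_arn)
    if p["service"] != "logs" or not (p["resource"] == "*" or p["resource"].startswith("log-group:")):
        raise ValueError("expected a log group ARN or an account-wide logs ARN pattern")
    operator = "ArnLike" if "*" in log_group_arn else "ArnEquals"
    return {
        "Sid": "AllowCloudWatchLogsScopedByEncryptionContext",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{p['region']}.amazonaws.com"},
        "Action": LOGS_ACTIONS,
        "Resource": "*",
        "Condition": {operator: {"kms:EncryptionContext:aws:logs:arn": log_group_arn}},
    }


def caller_role_statement(role_arn, region):
    """Allow the role that writes or reads logs to use the key, but only via
    CloudWatch Logs in this Region (kms:ViaService)."""
    return {
        "Sid": "AllowCallerRoleViaCloudWatchLogs",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": LOGS_ACTIONS,
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"logs.{region}.amazonaws.com"}},
    }


def add_logs_statements(policy_json, log_group_arn, role_arn):
    """Return the updated policy as a JSON string ready for put-key-policy."""
    policy = json.loads(policy_json)
    region = _arn_parts(log_group_arn)["region"]
    policy["Statement"].append(logs_service_statement(log_group_arn))
    policy["Statement"].append(caller_role_statement(role_arn, region))
    return json.dumps(policy, indent=4)


def unscoped_logs_statements(policy_json):
    """Sids (or positions) of Allow statements for a logs.* service principal
    that lack a kms:EncryptionContext:aws:logs:arn condition: such a statement
    lets any log group in any account that can name the key use it."""
    found = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if not any(s.startswith("logs.") for s in services):
            continue
        if "kms:EncryptionContext:aws:logs:arn" not in json.dumps(st.get("Condition", {})):
            found.append(st.get("Sid", f"statement[{i}]"))
    return found


if __name__ == "__main__":
    updated = add_logs_statements(
        DEFAULT_POLICY,
        "arn:aws:logs:us-east-1:111122223333:log-group:app-logs",  # constructed
        "arn:aws:iam::111122223333:role/app-writer")               # constructed
    print(updated)
    print("unscoped:", unscoped_logs_statements(updated))  # → []
```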

## Step 3: Associate a KMS key with a log group
<a name="associate-cmk"></a>

You can associate a KMS key with a log group when you create it or after it exists.

To find whether a log group already has a KMS key associated, use the following [describe-log-groups](https://docs.aws.amazon.com/cli/latest/reference/logs/describe-log-groups.html) command:

```
aws logs describe-log-groups --log-group-name-prefix "log-group-name-prefix"
```

If the output includes a `kmsKeyId` field, the log group is associated with the key displayed for the value of that field.
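The `describe-log-groups` output is also the natural input for a periodic check that ties this step to the retention section above: groups that still never expire, groups whose retention exceeds what your policy allows, and groups without a `kmsKeyId`. The following added example (not from the AWS documentation) reads that JSON and reports such groups; `retentionInDays` and `storedBytes` are real fields of the DescribeLogGroups response, the sample output and ARNs are constructed, and the 400-day ceiling is this example's own threshold.

```python
"""Audit describe-log-groups output for retention and KMS key settings."""
import json

# Constructed sample of `aws logs describe-log-groups` output.
SAMPLE_OUTPUT = json.dumps({"logGroups": [
    {"logGroupName": "/app/api", "creationTime": 1478910250000,
     "retentionInDays": 30, "storedBytes": 5242880,
     "kmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/01234567-89ab-cdef-0123-456789abcdef",
     "arn": "arn:aws:logs:us-west-2:123456789012:log-group:/app/api:*"},
    {"logGroupName": "/app/legacy", "creationTime": 1478910250000,
     "storedBytes": 734003200,  # no retentionInDays: Never Expire; no kmsKeyId
     "arn": "arn:aws:logs:us-west-2:123456789012:log-group:/app/legacy:*"},
    {"logGroupName": "/audit/trail", "creationTime": 1478910250000,
     "retentionInDays": 3653, "storedBytes": 0,
     "arn": "arn:aws:logs:us-west-2:123456789012:log-group:/audit/trail:*"},
]})


def audit_log_groups(describe_output, max_retention_days=400, require_kms=True):
    """Map each non-compliant log group name to its list of findings.

    A missing retentionInDays means the console's "Never Expire"; a missing
    kmsKeyId means the group uses the CloudWatch Logs default encryption
    rather than a customer-managed KMS key.
    """
    findings = {}
    for group in json.loads(describe_output)["logGroups"]:
        issues = []
        retention = group.get("retentionInDays")
        if retention is None:
            issues.append("retention: Never Expire")
        elif retention > max_retention_days:
            issues.append(f"retention: {retention} days exceeds {max_retention_days}")
        if require_kms and "kmsKeyId" not in group:
            issues.append("encryption: no KMS key associated (service default)")
        if issues:
            findings[group["logGroupName"]] = issues
    return findings


def stored_gib(describe_output):
    """Total storedBytes across all groups, in GiB. Events already marked for
    deletion are not included in storedBytes, so this is billable storage."""
    groups = json.loads(describe_output)["logGroups"]
    return round(sum(g.get("storedBytes", 0) for g in groups) / 2**30, 2)


if __name__ == "__main__":
    # In practice: aws logs describe-log-groups > groups.json, then read that file.
    for name, issues in audit_log_groups(SAMPLE_OUTPUT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print("stored:", stored_gib(SAMPLE_OUTPUT), "GiB")  # → 0.69
```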

**To associate the KMS key with a log group when you create it**  
Use the [create-log-group](https://docs.aws.amazon.com/cli/latest/reference/logs/create-log-group.html) command as follows:

```
aws logs create-log-group --log-group-name my-log-group --kms-key-id "key-arn"
```

**To associate the KMS key with an existing log group**  
Use the [associate-kms-key](https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html) command as follows:

```
aws logs associate-kms-key --log-group-name my-log-group --kms-key-id "key-arn"
```

## Step 4: Disassociate key from a log group
<a name="disassociate-cmk"></a>

To disassociate the KMS key associated with a log group, use the following [disassociate-kms-key](https://docs.aws.amazon.com/cli/latest/reference/logs/disassociate-kms-key.html) command:

```
aws logs disassociate-kms-key --log-group-name my-log-group
```

## AWS KMS keys and encryption context
<a name="encrypt-log-data-kms-policy"></a>

To enhance the security of your AWS Key Management Service keys and your encrypted log groups, CloudWatch Logs now puts log group ARNs as part of the *encryption context* used to encrypt your log data. Encryption context is a set of key-value pairs that are used as additional authenticated data. The encryption context enables you to use IAM policy conditions to limit access to your AWS KMS key by AWS account and log group. For more information, see [Encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) and [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

We recommend that you use different KMS keys for each of your encrypted log groups.

If you have a log group that you encrypted previously and now want to change the log group to use a new KMS key that works only for that log group, follow these steps.

**To convert an encrypted log group to use a KMS key with a policy limiting it to that log group**

1. Enter the following command to find the ARN of the log group's current key:

   ```
   aws logs describe-log-groups
   ```

   The output includes the following line. Make a note of the ARN. You need to use it in step 7.

   ```
   ...
   "kmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/01234567-89ab-cdef-0123-456789abcdef"
   ...
   ```

1. Enter the following command to create a new KMS key:

   ```
   aws kms create-key
   ```

1. Enter the following command to save the new key's policy to a `policy.json` file:

   ```
   aws kms get-key-policy --key-id new-key-id --policy-name default --output text > ./policy.json
   ```

1. Use a text editor to open `policy.json` and add a `Condition` expression to the policy:


   ```
   {
       "Version": "2012-10-17",
       "Id": "key-default-1",
       "Statement": [
           {
               "Sid": "Enable IAM User Permissions",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::111122223333:root"
               },
               "Action": "kms:*",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "logs.us-east-1.amazonaws.com"
               },
               "Action": [
                   "kms:Encrypt",
                   "kms:Decrypt",
                   "kms:ReEncrypt*",
                   "kms:GenerateDataKey*",
                   "kms:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "ArnLike": {
                       "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:111122223333:log-group:LOG-GROUP-NAME"
                   }
               }
           }
       ]
   }
   ```


1. Enter the following command to add the updated policy to the new KMS key:

   ```
   aws kms put-key-policy --key-id new-key-ARN --policy-name default --policy file://policy.json
   ```

1. Enter the following command to associate the policy with your log group:

   ```
   aws logs associate-kms-key --log-group-name my-log-group --kms-key-id new-key-ARN
   ```

   CloudWatch Logs now encrypts all new data using the new key.

1. Next, revoke all permissions except `Decrypt` from the old key. First, enter the following command to retrieve the old policy:

   ```
   aws kms get-key-policy --key-id old-key-ARN --policy-name default --output text > ./policy.json
   ```

1. Use a text editor to open `policy.json` and remove all values from the `Action` list except for `kms:Decrypt`.


   ```
   {
       "Version": "2012-10-17",
       "Id": "key-default-1",
       "Statement": [
           {
               "Sid": "Enable IAM User Permissions",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::111122223333:root"
               },
               "Action": "kms:*",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "logs.region.amazonaws.com"
               },
               "Action": [
                   "kms:Decrypt"
               ],
               "Resource": "*"
           }
       ]
   }
   ```


1. Enter the following command to add the updated policy to the old key:

   ```
   aws kms put-key-policy --key-id old-key-ARN --policy-name default --policy file://policy.json
   ```
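The procedure above relies on two things that are easy to get wrong by hand: the `ArnLike` condition on `kms:EncryptionContext:aws:logs:arn` must match the ARN CloudWatch Logs actually sends, and the old key must end up with nothing but `kms:Decrypt` for the Logs service principal. The following added example (not code from the AWS documentation or any AWS library) models both offline. It builds the step 4 statement, evaluates whether a request from the Logs service principal would be allowed under a given encryption context using IAM's per-component `ArnLike` matching, and applies the step 8 reduction to `kms:Decrypt`. The account id, region, log group name and function names are constructed for this example; `service_allowed` deliberately models only Allow statements with a Service principal and this one condition key, which is enough for the policies shown here but is not a general IAM evaluator.

```python
"""Offline model of the scoped KMS key policy from the procedure above.

Added example, not code from the AWS documentation or any AWS library.
The account id, region and log group name are constructed placeholders.
"""
import copy
import re

ACCOUNT_ID = "111122223333"  # constructed placeholder
REGION = "us-east-1"
LOG_GROUP = "my-log-group"  # constructed placeholder
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}"
CONTEXT_KEY = "kms:EncryptionContext:aws:logs:arn"


def _wildcard_to_regex(pattern):
    """Translate IAM-style '*' and '?' wildcards into an anchored regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def _as_list(value):
    """IAM accepts a string or a list in Principal, Action and condition values."""
    return [value] if isinstance(value, str) else list(value or [])


def arn_like(pattern, value):
    """IAM ArnLike semantics: the six colon-delimited ARN components are
    compared one by one, so a wildcard never spans the region or account
    component; the resource component may itself contain colons."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(_wildcard_to_regex(p).match(v) for p, v in zip(p_parts, v_parts))


def scoped_logs_statement(region, account_id, log_group_name):
    """The Logs service-principal statement from step 4: usable only when
    the encryption context names this one log group."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return {
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnLike": {CONTEXT_KEY: log_group_arn}},
    }


# The new key's policy after step 4, with constructed placeholder values.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        scoped_logs_statement(REGION, ACCOUNT_ID, LOG_GROUP),
    ],
}


def service_allowed(policy, service_principal, action, encryption_context):
    """Would an Allow statement for this service principal cover the action
    under the given encryption context? Simplifying assumption: only Service
    principals and the ArnLike condition on the Logs context key are
    modelled; Deny statements and other condition operators are ignored."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if service_principal not in _as_list(stmt.get("Principal", {}).get("Service")):
            continue
        if not any(_wildcard_to_regex(a).match(action) for a in _as_list(stmt.get("Action"))):
            continue
        patterns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get(CONTEXT_KEY))
        if patterns:
            # CloudWatch Logs supplies the log group ARN under the context key aws:logs:arn.
            ctx_value = encryption_context.get("aws:logs:arn")
            if ctx_value is None or not any(arn_like(p, ctx_value) for p in patterns):
                continue
        return True
    return False


def restrict_to_decrypt(policy):
    """Step 8: keep only kms:Decrypt in every statement granted to a service
    principal, so the old key can still read data already encrypted under
    it but can no longer protect new log data. The input is left unchanged."""
    new_policy = copy.deepcopy(policy)
    for stmt in new_policy.get("Statement", []):
        if "Service" not in stmt.get("Principal", {}):
            continue
        grants_decrypt = any(_wildcard_to_regex(a).match("kms:Decrypt")
                             for a in _as_list(stmt.get("Action")))
        stmt["Action"] = ["kms:Decrypt"] if grants_decrypt else []
    return new_policy
```

Calling `service_allowed(KEY_POLICY, "logs.us-east-1.amazonaws.com", "kms:GenerateDataKey", {"aws:logs:arn": LOG_GROUP_ARN})` returns `True`, while the same call with a log group ARN from another account or with a different log group name returns `False`, which is the account-and-log-group scoping the encryption context gives you. After `restrict_to_decrypt`, the Logs principal can still `kms:Decrypt` but no longer `kms:Encrypt` or `kms:GenerateDataKey`, matching the intent of steps 7 through 9.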

# Help protect sensitive log data with masking
<a name="mask-sensitive-log-data"></a>

You can help safeguard sensitive data that's ingested by CloudWatch Logs by using log group *data protection policies*. These policies let you audit and mask sensitive data that appears in log events ingested by the log groups in your account. 

When you create a data protection policy, then by default, sensitive data that matches the data identifiers you've selected is masked at all egress points, including CloudWatch Logs Insights, metric filters, and subscription filters. Only users who have the `logs:Unmask` IAM permission can view unmasked data.

You can create a data protection policy for all log groups in your account, and you can also create a data protection policy for an individual log group. When you create a policy for your entire account, it applies to both existing log groups and log groups that are created in the future.

If you create a data protection policy for your entire account and you also create a policy for a single log group, both policies apply to that log group. All managed data identifiers that are specified in either policy are audited and masked in that log group. 

**Note**  
Masking sensitive data is supported for log groups in both the Standard and Infrequent Access log classes. For more information about log classes, see [Log classes](CloudWatch_Logs_Log_Classes.md).

Each log group can have only one log group-level data protection policy, but that policy can specify many managed data identifiers to audit and mask. The limit for a data protection policy is 30,720 characters.

**Important**  
Sensitive data is detected and masked when it is ingested into the log group. When you set a data protection policy, log events ingested to the log group before that time are not masked.

CloudWatch Logs supports many *managed data identifiers*, which offer preconfigured data types you can select to protect financial data, personal health information (PHI), and personally identifiable information (PII). CloudWatch Logs data protection allows you to leverage pattern matching and machine learning models to detect sensitive data. For some types of managed data identifiers, the detection depends on also finding certain keywords in proximity with the sensitive data. You can also use custom data identifiers to create data identifiers tailored to your specific use case.

A metric is emitted to CloudWatch when sensitive data is detected that matches the data identifiers you select. This is the **LogEventsWithFindings** metric and it is emitted in the **AWS/Logs** namespace. You can use this metric to create CloudWatch alarms, and you can visualize it in graphs and dashboards. Metrics emitted by data protection are vended metrics and are free of charge. For more information about metrics that CloudWatch Logs sends to CloudWatch, see [Monitoring with CloudWatch metrics](CloudWatch-Logs-Monitoring-CloudWatch-Metrics.md).

Each managed data identifier is designed to detect a specific type of sensitive data, such as credit card numbers, AWS secret access keys, or passport numbers for a particular country or region. When you create a data protection policy, you can configure it to use these identifiers to analyze logs ingested by the log group, and take actions when they are detected.

CloudWatch Logs data protection can detect the following categories of sensitive data by using managed data identifiers: 
+ Credentials, such as private keys or AWS secret access keys 
+ Financial information, such as credit card numbers
+ Personally Identifiable Information (PII) such as driver’s licenses or social security numbers
+ Protected Health Information (PHI) such as health insurance or medical identification numbers
+ Device identifiers, such as IP addresses or MAC addresses

For details about the types of data that you can protect, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

**Contents**
+ [Understanding data protection policies](cloudwatch-logs-data-protection-policies.md)
  + [What are data protection policies?](cloudwatch-logs-data-protection-policies.md#what-are-data-protection-policies)
  + [How is the data protection policy structured?](cloudwatch-logs-data-protection-policies.md#overview-of-data-protection-policies)
    + [JSON properties for the data protection policy](cloudwatch-logs-data-protection-policies.md#data-protection-policy-json-properties)
    + [JSON properties for a policy statement](cloudwatch-logs-data-protection-policies.md#policy-statement-json-properties)
    + [JSON properties for a policy statement operation](cloudwatch-logs-data-protection-policies.md#statement-operation-json-properties)
+ [IAM permissions required to create or work with a data protection policy](data-protection-policy-permissions.md)
  + [Permissions required for account-level data protection policies](data-protection-policy-permissions.md#data-protection-policy-permissions-accountlevel)
  + [Permissions required for data protection policies for a single log group](data-protection-policy-permissions.md#data-protection-policy-permissions-loggroup)
  + [Sample data protection policy](data-protection-policy-permissions.md#data-protection-policy-sample)
+ [Create an account-wide data protection policy](mask-sensitive-log-data-accountlevel.md)
  + [Console](mask-sensitive-log-data-accountlevel.md#mask-sensitive-log-data-accountlevel-console)
  + [AWS CLI](mask-sensitive-log-data-accountlevel.md#mask-sensitive-log-data-accountlevel-cli)
    + [Data protection policy syntax for AWS CLI or API operations](mask-sensitive-log-data-accountlevel.md#mask-sensitive-log-data-policysyntax-account)
+ [Create a data protection policy for a single log group](mask-sensitive-log-data-start.md)
  + [Console](mask-sensitive-log-data-start.md#mask-sensitive-log-data-start-console)
  + [AWS CLI](mask-sensitive-log-data-start.md#mask-sensitive-log-data-start-cli)
    + [Data protection policy syntax for AWS CLI or API operations](mask-sensitive-log-data-start.md#mask-sensitive-log-data-policysyntax)
+ [View unmasked data](mask-sensitive-log-data-viewunmasked.md)
+ [Audit findings reports](mask-sensitive-log-data-audit-findings.md)
  + [Required key policy to send audit findings to a bucket protected by AWS KMS](mask-sensitive-log-data-audit-findings.md#mask-sensitive-log-data-audit-findings-kms)
+ [Types of data that you can protect](protect-sensitive-log-data-types.md)
  + [CloudWatch Logs managed data identifiers for sensitive data types](CWL-managed-data-identifiers.md)
    + [Credentials](protect-sensitive-log-data-types-credentials.md)
      + [Data identifier ARNs for credential data types](protect-sensitive-log-data-types-credentials.md#cwl-data-protection-credentials-arns)
    + [Device identifiers](protect-sensitive-log-data-types-device.md)
      + [Data identifier ARNs for device data types](protect-sensitive-log-data-types-device.md#cwl-data-protection-devices-arns)
    + [Financial information](protect-sensitive-log-data-types-financial.md)
      + [Data identifier ARNs for financial data types](protect-sensitive-log-data-types-financial.md#cwl-data-protection-financial-arns)
    + [Protected health information (PHI)](protect-sensitive-log-data-types-health.md)
      + [Data identifier ARNs for protected health information data types (PHI)](protect-sensitive-log-data-types-health.md#cwl-data-protection-phi-arns)
    + [Personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md)
      + [Keywords for driver’s license identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-dl-keywords)
      + [Keywords for national identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-natlid-keywords)
      + [Keywords for passport numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-passport-keywords)
      + [Keywords for taxpayer identification and reference numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-financial-tin-keywords)
      + [Data identifier ARNs for personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md#CWL-data-protection-pii-arns)
  + [Custom data identifiers](CWL-custom-data-identifiers.md)
    + [What are custom data identifiers?](CWL-custom-data-identifiers.md#what-are-custom-data-identifiers)
    + [Custom data identifier constraints](CWL-custom-data-identifiers.md#custom-data-identifiers-constraints)
    + [Using custom data identifiers in the console](CWL-custom-data-identifiers.md#using-custom-data-identifiers-console)
    + [Using custom data identifiers in your data protection policy](CWL-custom-data-identifiers.md#using-custom-data-identifiers)

# Understanding data protection policies
<a name="cloudwatch-logs-data-protection-policies"></a>

**Topics**
+ [What are data protection policies?](#what-are-data-protection-policies)
+ [How is the data protection policy structured?](#overview-of-data-protection-policies)

## What are data protection policies?
<a name="what-are-data-protection-policies"></a>

CloudWatch Logs uses **data protection policies** to select the sensitive data for which you want to scan, and the actions that you want to take to protect that data. To select the sensitive data of interest, you use [data identifiers](CWL-managed-data-identifiers.md). CloudWatch Logs data protection then detects the sensitive data by using machine learning and pattern matching. To act upon data identifiers that are found, you can define **audit** and **de-identify** operations. These operations let you log the sensitive data that is found (or not found), and to mask the sensitive data when the log events are viewed.

## How is the data protection policy structured?
<a name="overview-of-data-protection-policies"></a>

As illustrated in the following figure, a data protection policy document includes the following elements:
+ Optional policy-wide information at the top of the document
+ One statement that defines the audit and de-identify actions

Only one data protection policy can be defined per CloudWatch Logs log group. The data protection policy can have one or more deny or de-identify statements, but only one audit statement.

### JSON properties for the data protection policy
<a name="data-protection-policy-json-properties"></a>

A data protection policy requires the following basic policy information for identification:
+ **Name** – The policy name.
+ **Description** (Optional) – The policy description.
+ **Version** – The policy language version. The current version is 2021-06-01.
+ **Statement** – A list of statements that specifies data protection policy actions.

```
{
  "Name": "CloudWatchLogs-PersonalInformation-Protection",
  "Description": "Protect basic types of sensitive data",
  "Version": "2021-06-01",
  "Statement": [
        ...
  ]
}
```

### JSON properties for a policy statement
<a name="policy-statement-json-properties"></a>

A policy statement sets the detection context for the data protection operation.
+ **Sid** (Optional) – The statement identifier.
+ **DataIdentifier** – The sensitive data for which CloudWatch Logs should scan. For example, name, address, or phone number.
+ **Operation** – The follow-on actions, either **Audit** or **De-identify**. CloudWatch Logs performs these actions when it finds sensitive data.

```
{
  ...
  "Statement": [
    {
      "Sid": "audit-policy",
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/Address"
      ],
      "Operation": {
        "Audit": {
          "FindingsDestination": {}
        }
      }
    },
```

### JSON properties for a policy statement operation
<a name="statement-operation-json-properties"></a>

A policy statement sets one of the following data protection operations.
+ **Audit** – Emits metrics and findings reports without interrupting logging. Strings that match increment the **LogEventsWithFindings** metric that CloudWatch Logs publishes to the **AWS/Logs** namespace in CloudWatch. You can use these metrics to create alarms.

  For an example of a findings report, see [Audit findings reports](mask-sensitive-log-data-audit-findings.md).

  For more information about metrics that CloudWatch Logs sends to CloudWatch, see [Monitoring with CloudWatch metrics](CloudWatch-Logs-Monitoring-CloudWatch-Metrics.md).
+ **De-identify** – Mask the sensitive data without interrupting logging.

# IAM permissions required to create or work with a data protection policy
<a name="data-protection-policy-permissions"></a>

To be able to work with data protection policies for log groups, you must have certain permissions as shown in the following tables. The permissions are different for account-wide data protection policies and for data protection policies that apply to a single log group.

## Permissions required for account-level data protection policies
<a name="data-protection-policy-permissions-accountlevel"></a>

**Note**  
If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/data-protection-policy-permissions.html)

If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the `logs:PutDataProtectionPolicy` and `logs:CreateLogDelivery` permissions.

## Permissions required for data protection policies for a single log group
<a name="data-protection-policy-permissions-loggroup"></a>

**Note**  
If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.


| Operation | IAM permission needed | Resource | 
| --- | --- | --- | 
| Create a data protection policy with no audit destinations | `logs:PutDataProtectionPolicy` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*` | 
| Create a data protection policy with CloudWatch Logs as an audit destination | `logs:PutDataProtectionPolicy`<br>`logs:CreateLogDelivery`<br>`logs:PutResourcePolicy`<br>`logs:DescribeResourcePolicies`<br>`logs:DescribeLogGroups` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`<br>`*`<br>`*`<br>`*`<br>`*` | 
| Create a data protection policy with Firehose as an audit destination | `logs:PutDataProtectionPolicy`<br>`logs:CreateLogDelivery`<br>`firehose:TagDeliveryStream` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`<br>`*`<br>`arn:aws:firehose:::deliverystream/YOUR_DELIVERY_STREAM` | 
| Create a data protection policy with Amazon S3 as an audit destination | `logs:PutDataProtectionPolicy`<br>`logs:CreateLogDelivery`<br>`s3:GetBucketPolicy`<br>`s3:PutBucketPolicy` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`<br>`*`<br>`arn:aws:s3:::YOUR_BUCKET`<br>`arn:aws:s3:::YOUR_BUCKET` | 
| Unmask masked log events | `logs:Unmask` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*` | 
| View an existing data protection policy | `logs:GetDataProtectionPolicy` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*` | 
| Delete a data protection policy | `logs:DeleteDataProtectionPolicy` | `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*` | 

If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the `logs:PutDataProtectionPolicy` and `logs:CreateLogDelivery` permissions.

## Sample data protection policy
<a name="data-protection-policy-sample"></a>

The following sample policy allows a user to create, view, and delete data protection policies that can send audit findings to all three types of audit destinations. It does not permit the user to view unmasked data.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLogDeliveryConfiguration",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:PutResourcePolicy",
                "logs:DescribeLogGroups",
                "logs:DescribeResourcePolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDataProtectionAndBucketConfiguration",
            "Effect": "Allow",
            "Action": [
                "logs:GetDataProtectionPolicy",
                "logs:DeleteDataProtectionPolicy",
                "logs:PutDataProtectionPolicy",
                "s3:PutBucketPolicy",
                "firehose:TagDeliveryStream",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:firehose:us-east-1:111122223333:deliverystream/delivery-stream-name",
                "arn:aws:s3:::amzn-s3-demo-destination-bucket",
                "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name:*"
            ]
        }
    ]
}
```


# Create an account-wide data protection policy
<a name="mask-sensitive-log-data-accountlevel"></a>

You can use the CloudWatch Logs console or AWS CLI commands to create a data protection policy to mask sensitive data for all log groups in your account. Doing so affects both current log groups and log groups that you create in the future.

**Important**  
Sensitive data is detected and masked when it is ingested into the log group. When you set a data protection policy, log events ingested to the log group before that time are not masked.

**Topics**
+ [Console](#mask-sensitive-log-data-accountlevel-console)
+ [AWS CLI](#mask-sensitive-log-data-accountlevel-cli)

## Console
<a name="mask-sensitive-log-data-accountlevel-console"></a>

**To use the console to create an account-wide data protection policy**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1.  In the navigation pane, choose **Settings**. It is located near the bottom of the list. 

1. Choose the **Logs** tab.

1. Choose **Configure**.

1. For **Managed data identifiers**, select the types of data that you want to audit and mask for all of your log groups. You can type in the selection box to find the identifiers that you want.

   We recommend that you select only the data identifiers that are relevant for your log data and your business. Choosing many types of data can lead to false positives. 

   For details about which types of data that you can protect, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

1. (Optional) If you want to audit and mask other types of data by using custom data identifiers, choose **Add custom data identifier**. Then enter a name for the data type and the regular expression to use to search for that type of data in the log events. For more information, see [Custom data identifiers](CWL-custom-data-identifiers.md).

   A single data protection policy can include up to 10 custom data identifiers. Each regular expression that defines a custom data identifier must be 200 characters or fewer.

1. (Optional) Choose one or more services to send the audit findings to. Even if you choose not to send audit findings to any of these services, the sensitive data types that you select will still be masked.

1. Choose **Activate data protection**.

## AWS CLI
<a name="mask-sensitive-log-data-accountlevel-cli"></a>

**To use the AWS CLI to create a data protection policy**

1. Use a text editor to create a policy file named `DataProtectionPolicy.json`. For information about the policy syntax, see the following section.

1. Enter the following command:

   ```
   aws logs put-account-policy \
   --policy-name TEST_POLICY --policy-type "DATA_PROTECTION_POLICY" \
   --policy-document file://DataProtectionPolicy.json \
   --scope "ALL" \
   --region us-west-2
   ```

### Data protection policy syntax for AWS CLI or API operations
<a name="mask-sensitive-log-data-policysyntax-account"></a>

When you create a JSON data protection policy to use in an AWS CLI command or API operation, the policy must include two JSON blocks:
+ The first block must include both a `DataIdentifier` array and an `Operation` property with an `Audit` action. The `DataIdentifier` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

  The `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings reports to. If you specify destinations such as log groups, Amazon Data Firehose streams, and S3 buckets, they must already exist. For an example of an audit findings report, see [Audit findings reports](mask-sensitive-log-data-audit-findings.md).
+ The second block must include both a `DataIdentifier` array and an `Operation` property with a `Deidentify` action. The `DataIdentifier` array must exactly match the `DataIdentifier` array in the first block of the policy.

  The `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `"MaskConfig": {}` object. The `"MaskConfig": {}` object must be empty.

The following is an example of a data protection policy using only managed data identifiers. This policy masks email addresses and United States driver's licenses.

For information about policies that specify custom data identifiers, see [Using custom data identifiers in your data protection policy](CWL-custom-data-identifiers.md#using-custom-data-identifiers). 

```
{
    "Name": "data-protection-policy",
    "Description": "test description",
    "Version": "2021-06-01",
    "Statement": [
        {
            "Sid": "audit-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Audit": {
                    "FindingsDestination": {
                        "CloudWatchLogs": {
                            "LogGroup": "EXISTING_LOG_GROUP_IN_YOUR_ACCOUNT"
                        },
                        "Firehose": {
                            "DeliveryStream": "EXISTING_STREAM_IN_YOUR_ACCOUNT"
                        },
                        "S3": {
                            "Bucket": "EXISTING_BUCKET"
                        }
                    }
                }
            }
        },
        {
            "Sid": "redact-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Deidentify": {
                    "MaskConfig": {}
                }
            }
        }
    ]
}
```

# Create a data protection policy for a single log group
<a name="mask-sensitive-log-data-start"></a>

You can use the CloudWatch Logs console or AWS CLI commands to create a data protection policy to mask sensitive data.

You can assign one data protection policy to each log group. Each data protection policy can audit for multiple types of information. Each data protection policy can include one audit statement.

**Topics**
+ [Console](#mask-sensitive-log-data-start-console)
+ [AWS CLI](#mask-sensitive-log-data-start-cli)

## Console
<a name="mask-sensitive-log-data-start-console"></a>

**To use the console to create a data protection policy**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1.  In the navigation pane, choose **Logs**, **Log groups**. 

1. Choose the name of the log group.

1. Choose **Actions**, **Create data protection policy**.

1. For **Managed data identifiers**, select the types of data that you want to audit and mask in this log group. You can type in the selection box to find the identifiers that you want.

   We recommend that you select only the data identifiers that are relevant for your log data and your business. Choosing many types of data can lead to false positives. 

   For details about which types of data that you can protect by using managed data identifiers, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

1. (Optional) If you want to audit and mask other types of data by using custom data identifiers, choose **Add custom data identifier**. Then enter a name for the data type and the regular expression to use to search for that type of data in the log events. For more information, see [Custom data identifiers](CWL-custom-data-identifiers.md).

   A single data protection policy can include up to 10 custom data identifiers. Each regular expression that defines a custom data identifier must be 200 characters or fewer.

1. (Optional) Choose one or more services to send the audit findings to. Even if you choose not to send audit findings to any of these services, the sensitive data types that you select will still be masked.

1. Choose **Activate data protection**.

## AWS CLI
<a name="mask-sensitive-log-data-start-cli"></a>

**To use the AWS CLI to create a data protection policy**

1. Use a text editor to create a policy file named `DataProtectionPolicy.json`. For information about the policy syntax, see the following section.

1. Enter the following command:

   ```
   aws logs put-data-protection-policy --log-group-identifier "my-log-group" --policy-document file:///Path/DataProtectionPolicy.json --region us-west-2
   ```

### Data protection policy syntax for AWS CLI or API operations
<a name="mask-sensitive-log-data-policysyntax"></a>

When you create a JSON data protection policy to use in an AWS CLI command or API operation, the policy must include two JSON blocks:
+ The first block must include both a `DataIdentifier` array and an `Operation` property with an `Audit` action. The `DataIdentifier` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

  The `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings reports to. If you specify destinations such as log groups, Amazon Data Firehose streams, and S3 buckets, they must already exist. For an example of an audit findings report, see [Audit findings reports](mask-sensitive-log-data-audit-findings.md).
+ The second block must include both a `DataIdentifier` array and an `Operation` property with a `Deidentify` action. The `DataIdentifier` array must exactly match the `DataIdentifier` array in the first block of the policy.

  The `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `"MaskConfig": {}` object. The `"MaskConfig": {}` object must be empty.

The following is an example of a data protection policy that masks email addresses and United States driver's licenses.

```
{
    "Name": "data-protection-policy",
    "Description": "test description",
    "Version": "2021-06-01",
    "Statement": [{
            "Sid": "audit-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Audit": {
                    "FindingsDestination": {
                        "CloudWatchLogs": {
                            "LogGroup": "EXISTING_LOG_GROUP_IN_YOUR_ACCOUNT,"
                        },
                        "Firehose": {
                            "DeliveryStream": "EXISTING_STREAM_IN_YOUR_ACCOUNT"
                        },
                        "S3": {
                            "Bucket": "EXISTING_BUCKET"
                        }
                    }
                }
            }
        },
        {
            "Sid": "redact-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Deidentify": {
                    "MaskConfig": {}
                }
            }
        }
    ]
}
```
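The two-block structure above is easy to get wrong by hand: identifier arrays that drift apart, a `MaskConfig` that is not empty, or a stray character in a destination name. The following Python script is an added example, not AWS code. It builds a policy like the one above and checks it against the rules stated in this section before you would call `PutDataProtectionPolicy`. The log group name character set is the one documented for the `logGroupName` API parameter; the destination names are placeholders, and treating exactly two statements and only the three destination types shown above as valid is an assumption of this example.

```python
"""Lint a CloudWatch Logs data protection policy before calling PutDataProtectionPolicy.

Added example, not AWS code. It encodes the two-block structure described above:
an Audit block with a FindingsDestination, and a Deidentify block whose
DataIdentifier array matches the first block and whose MaskConfig is empty.
Destination names below are placeholders constructed for the example.
"""
import json
import re

# Character set documented for the logGroupName API parameter.
LOG_GROUP_NAME = re.compile(r"^[\.\-_/#A-Za-z0-9]+$")
# Destination types shown in the policy example above and the key each one carries
# (assumption: these are the only types accepted).
DESTINATION_KEYS = {"CloudWatchLogs": "LogGroup", "Firehose": "DeliveryStream", "S3": "Bucket"}


def build_policy(identifiers, log_group=None, delivery_stream=None, bucket=None):
    """Assemble a well-formed audit + mask policy for the given identifier ARNs."""
    destinations = {}
    if log_group:
        destinations["CloudWatchLogs"] = {"LogGroup": log_group}
    if delivery_stream:
        destinations["Firehose"] = {"DeliveryStream": delivery_stream}
    if bucket:
        destinations["S3"] = {"Bucket": bucket}
    return {
        "Name": "data-protection-policy",
        "Version": "2021-06-01",
        "Statement": [
            {"Sid": "audit-policy", "DataIdentifier": list(identifiers),
             "Operation": {"Audit": {"FindingsDestination": destinations}}},
            {"Sid": "redact-policy", "DataIdentifier": list(identifiers),
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy passes every check."""
    errors = []
    statements = policy.get("Statement")
    if not isinstance(statements, list) or len(statements) != 2:
        return ["Statement must hold exactly two blocks: Audit first, then Deidentify"]
    audit, deid = statements

    for label, block in (("first", audit), ("second", deid)):
        ids = block.get("DataIdentifier")
        if not isinstance(ids, list) or not ids:
            errors.append(f"{label} block needs a non-empty DataIdentifier array")
    if audit.get("DataIdentifier") != deid.get("DataIdentifier"):
        errors.append("DataIdentifier arrays of the two blocks must match exactly")

    audit_op = (audit.get("Operation") or {}).get("Audit")
    if not isinstance(audit_op, dict):
        errors.append("first block must carry an Operation.Audit action")
    elif not isinstance(audit_op.get("FindingsDestination"), dict):
        errors.append("Operation.Audit must contain a FindingsDestination object")
    else:
        for kind, value in audit_op["FindingsDestination"].items():
            key = DESTINATION_KEYS.get(kind)
            if key is None:
                errors.append(f"unknown findings destination type {kind!r}")
                continue
            name = value.get(key) if isinstance(value, dict) else None
            if not isinstance(name, str) or not name:
                errors.append(f"FindingsDestination.{kind}.{key} must be a non-empty string")
            elif kind == "CloudWatchLogs" and not LOG_GROUP_NAME.match(name):
                errors.append(f"log group name {name!r} contains characters a log group name cannot have")

    deid_op = (deid.get("Operation") or {}).get("Deidentify")
    if not isinstance(deid_op, dict):
        errors.append("second block must carry an Operation.Deidentify action")
    elif deid_op.get("MaskConfig") != {}:
        errors.append("Operation.Deidentify.MaskConfig must be present and empty")
    return errors


# Constructed sample: the identifiers from the policy above, placeholder destinations.
SAMPLE_POLICY = build_policy(
    ["arn:aws:dataprotection::aws:data-identifier/EmailAddress",
     "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"],
    log_group="/audit/data-protection-findings",
    bucket="example-findings-bucket",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    print("problems:", validate_policy(SAMPLE_POLICY) or "none")
```

Run the script to print the generated policy and its check result; feed any hand-written policy to `validate_policy` the same way before deploying it.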

# View unmasked data
<a name="mask-sensitive-log-data-viewunmasked"></a>

To view unmasked data, a user must have the `logs:Unmask` permission. Users with this permission can see the unmasked data in the following ways:
+ When viewing the events in a log stream, choose **Display**, **Unmask**.
+ Use a CloudWatch Logs Insights query that includes the **unmask(@message)** command. The following example query displays the 20 most recent log events in the stream, unmasked:

  ```
  fields @timestamp, @message, unmask(@message)
  | sort @timestamp desc
  | limit 20
  ```

  For more information about CloudWatch Logs Insights commands, see [CloudWatch Logs Insights language query syntax](CWL_QuerySyntax.md).
+ Use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter.

The **CloudWatchLogsFullAccess** policy includes the `logs:Unmask` permission. To grant `logs:Unmask` to a user who does not have **CloudWatchLogsFullAccess**, attach a custom IAM policy to that user. Because `logs:Unmask` reveals the original sensitive values, grant it only to the principals that need it rather than through a broad policy. For more information, see [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console).

# Audit findings reports
<a name="mask-sensitive-log-data-audit-findings"></a>

If you set up CloudWatch Logs data protection audit policies to write audit reports to CloudWatch Logs, Amazon S3, or Firehose, these findings reports are similar to the following example. CloudWatch Logs writes one findings report for each log event that contains sensitive data.

```
{
    "auditTimestamp": "2023-01-23T21:11:20Z",
    "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/lambda/MyLogGroup:*",
    "dataIdentifiers": [
        {
            "name": "EmailAddress",
            "count": 2,
            "detections": [
                {
                    "start": 13,
                    "end": 26
                },
                {
                    "start": 30,
                    "end": 43
                }
            ]
        }
    ]
}
```

The fields in the report are as follows:
+ The `resourceArn` field displays the log group where the sensitive data was found.
+ The `dataIdentifiers` object displays information about the findings for one type of sensitive data that you are auditing.
+ The `name` field identifies which type of sensitive data this section is reporting about.
+ The `count` field displays the number of times this type of sensitive data appears in the log event.
+ The `start` and `end` fields show where in the log event, by character count, each occurrence of the sensitive data appears.

The previous example shows a report of finding two email addresses in one log event. The first email address starts at the 13th character of the log event and ends at the 26th character. The second email address runs from the 30th character to the 43rd character. Even though this log event has two email addresses, the value of the `LogEventsWithFindings` metric is incremented only by one, because that metric counts the number of log events that contain sensitive data, not the number of occurrences of sensitive data.
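When findings reports are delivered to a log group, Firehose stream, or bucket, the first thing a practitioner usually wants is a summary that keeps the events-versus-occurrences distinction above straight. The following Python script is an added example, not AWS code. It takes reports in the shape shown above (one report per log event), counts log events and occurrences separately, groups events by the log group in `resourceArn`, and flags reports whose `count` disagrees with their `detections`. The reports embedded in it are constructed for the example.

```python
"""Summarize CloudWatch Logs data protection audit findings reports.

Added example, not AWS code. It takes findings reports in the shape shown above
(one report per log event) and reports how many log events had findings, how many
occurrences of each identifier were seen, and which reports are internally
inconsistent. The reports below are constructed for the example.
"""
from collections import Counter


def summarize_findings(reports):
    """Return (events_with_findings, occurrences_by_identifier, events_by_log_group, problems)."""
    occurrences = Counter()
    events_by_log_group = Counter()
    problems = []
    for index, report in enumerate(reports):
        # One report is written per log event, which is what LogEventsWithFindings counts.
        events_by_log_group[report["resourceArn"]] += 1
        for ident in report.get("dataIdentifiers", []):
            detections = ident.get("detections", [])
            if ident.get("count") != len(detections):
                problems.append(f"report {index}: {ident['name']} count {ident.get('count')} "
                                f"does not match {len(detections)} detections")
            for span in detections:
                if not 0 <= span["start"] < span["end"]:
                    problems.append(f"report {index}: {ident['name']} has an invalid span {span}")
            # Occurrences, not events: two emails in one event add 2 here but 1 above.
            occurrences[ident["name"]] += len(detections)
    return len(reports), dict(occurrences), dict(events_by_log_group), problems


# Constructed sample reports (same shape as the example above).
SAMPLE_REPORTS = [
    {"auditTimestamp": "2023-01-23T21:11:20Z",
     "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/lambda/MyLogGroup:*",
     "dataIdentifiers": [{"name": "EmailAddress", "count": 2,
                          "detections": [{"start": 13, "end": 26}, {"start": 30, "end": 43}]}]},
    {"auditTimestamp": "2023-01-23T21:11:21Z",
     "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/lambda/MyLogGroup:*",
     "dataIdentifiers": [{"name": "EmailAddress", "count": 1, "detections": [{"start": 5, "end": 22}]},
                         {"name": "CreditCardNumber", "count": 1, "detections": [{"start": 40, "end": 56}]}]},
]

if __name__ == "__main__":
    events, by_identifier, by_group, problems = summarize_findings(SAMPLE_REPORTS)
    print(f"{events} log events with findings; occurrences: {by_identifier}; problems: {problems}")
```

For the two sample reports this prints 2 log events with findings but 3 `EmailAddress` occurrences, which is exactly the gap between the `LogEventsWithFindings` metric and what the reports contain.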

## Required key policy to send audit findings to a bucket protected by AWS KMS
<a name="mask-sensitive-log-data-audit-findings-kms"></a>

You can protect the data in an Amazon S3 bucket by enabling either Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) or Server-Side Encryption with KMS Keys (SSE-KMS). For more information, see [ Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the Amazon S3 User Guide.

If you send audit findings to a bucket that is protected with SSE-S3, no additional configuration is required. Amazon S3 handles the encryption key.

If you send audit findings to a bucket that is protected with SSE-KMS, you must update the key policy for your KMS key so that the log delivery account can write to your S3 bucket. For more information about the required key policy for use with SSE-KMS, see [Amazon S3 bucket server-side encryption](AWS-logs-infrastructure-S3.md#AWS-logs-SSE-KMS-S3) in the Amazon CloudWatch Logs User Guide.

# Types of data that you can protect
<a name="protect-sensitive-log-data-types"></a>

This section contains information about the types of data that you can protect in a CloudWatch Logs data protection policy. CloudWatch Logs managed data identifiers offer preconfigured data types for protecting financial data, personal health information (PHI), and personally identifiable information (PII). You can also use custom data identifiers to create data identifiers tailored to your specific use case.

**Contents**
+ [CloudWatch Logs managed data identifiers for sensitive data types](CWL-managed-data-identifiers.md)
  + [Credentials](protect-sensitive-log-data-types-credentials.md)
    + [Data identifier ARNs for credential data types](protect-sensitive-log-data-types-credentials.md#cwl-data-protection-credentials-arns)
  + [Device identifiers](protect-sensitive-log-data-types-device.md)
    + [Data identifier ARNs for device data types](protect-sensitive-log-data-types-device.md#cwl-data-protection-devices-arns)
  + [Financial information](protect-sensitive-log-data-types-financial.md)
    + [Data identifier ARNs for financial data types](protect-sensitive-log-data-types-financial.md#cwl-data-protection-financial-arns)
  + [Protected health information (PHI)](protect-sensitive-log-data-types-health.md)
    + [Data identifier ARNs for protected health information data types (PHI)](protect-sensitive-log-data-types-health.md#cwl-data-protection-phi-arns)
  + [Personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md)
    + [Keywords for driver’s license identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-dl-keywords)
    + [Keywords for national identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-natlid-keywords)
    + [Keywords for passport numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-passport-keywords)
    + [Keywords for taxpayer identification and reference numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-financial-tin-keywords)
    + [Data identifier ARNs for personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md#CWL-data-protection-pii-arns)
+ [Custom data identifiers](CWL-custom-data-identifiers.md)
  + [What are custom data identifiers?](CWL-custom-data-identifiers.md#what-are-custom-data-identifiers)
  + [Custom data identifier constraints](CWL-custom-data-identifiers.md#custom-data-identifiers-constraints)
  + [Using custom data identifiers in the console](CWL-custom-data-identifiers.md#using-custom-data-identifiers-console)
  + [Using custom data identifiers in your data protection policy](CWL-custom-data-identifiers.md#using-custom-data-identifiers)

# CloudWatch Logs managed data identifiers for sensitive data types
<a name="CWL-managed-data-identifiers"></a>

This section contains information about the types of data that you can protect using managed data identifiers, and which countries and regions are relevant for each of those types of data.

For some types of sensitive data, CloudWatch Logs data protection scans for keywords in the proximity of the data, and finds a match only if it finds that keyword. If a keyword has to be in proximity of a particular type of data, the keyword typically has to be within 30 characters (inclusively) of the data.

If a keyword contains a space, CloudWatch Logs data protection automatically matches keyword variations that are missing the space or that contain an underscore (`_`) or hyphen (`-`) instead of the space. In some cases, CloudWatch Logs also expands or abbreviates a keyword to address common variations of the keyword.

The following tables list the types of credential, device, financial, medical, and protected health information (PHI) that CloudWatch Logs can detect using managed data identifiers. These are in addition to certain types of data that might also qualify as personally identifiable information (PII).

**Supported identifiers that are language and region independent**


| Identifier | Category | 
| --- | --- | 
|  `Address`  |  Personal  | 
|  `AwsSecretKey`  |  Credentials  | 
|  `CreditCardExpiration`  |  Financial  | 
|  `CreditCardNumber`  |  Financial  | 
|  `CreditCardSecurityCode`  |  Financial  | 
|  `EmailAddress`  |  Personal  | 
|  `IpAddress`  |  Personal  | 
|  `LatLong`  |  Personal  | 
|  `Name`  |  Personal  | 
|  `OpenSshPrivateKey`  |  Credentials  | 
|  `PgpPrivateKey`  |  Credentials  | 
|  `PkcsPrivateKey`  |  Credentials  | 
|  `PuttyPrivateKey`  |  Credentials  | 
|  `VehicleIdentificationNumber`  |  Personal  | 

Region-dependent data identifiers must include the identifier name, then a hyphen, and then the two-letter (ISO 3166-1 alpha-2) country or region code. For example, `DriversLicense-US`.

**Supported identifiers that must include a two-letter country or region code**


| Identifier | Category | Countries and languages | 
| --- | --- | --- | 
| BankAccountNumber | Financial |  DE, ES, FR, GB, IT, US  | 
|  CepCode  |  Personal  |  BR  | 
|  Cnpj  |  Personal  |  BR  | 
|  CpfCode  |  Personal  |  BR  | 
|  DriversLicense  |  Personal  |  AT, AU, BE, BG, CA, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IT, LT, LU, LV, MT, NL, PL, PT, RO, SE, SI, SK, US  | 
|  DrugEnforcementAgencyNumber  |  Health  |  US  | 
|  ElectoralRollNumber  |  Personal  |  GB  | 
|  HealthInsuranceCardNumber  |  Health  |  EU  | 
|  HealthInsuranceClaimNumber  |  Health  |  US  | 
|  HealthInsuranceNumber  |  Health  |  FR  | 
|  HealthcareProcedureCode  |  Health  |  US  | 
|  IndividualTaxIdentificationNumber  |  Personal  |  US  | 
|  InseeCode  |  Personal  |  FR  | 
|  MedicareBeneficiaryNumber  |  Health  |  US  | 
|  NationalDrugCode  |  Health  |  US  | 
|  NationalIdentificationNumber  |  Personal  |  DE, ES, IT  | 
|  NationalInsuranceNumber  |  Personal  |  GB  | 
|  NationalProviderId  |  Health  |  US  | 
|  NhsNumber  |  Health  |  GB  | 
|  NieNumber  |  Personal  |  ES  | 
|  NifNumber  |  Personal  |  ES  | 
|  PassportNumber  |  Personal  |  CA, DE, ES, FR, GB, IT, US  | 
|  PermanentResidenceNumber  |  Personal  |  CA  | 
|  PersonalHealthNumber  |  Health  |  CA  | 
|  PhoneNumber  |  Personal  |  BR, DE, ES, FR, GB, IT, US  | 
|  PostalCode  |  Personal  |  CA  | 
|  RgNumber  |  Personal  |  BR  | 
|  SocialInsuranceNumber  |  Personal  |  CA  | 
|  Ssn  |  Personal  |  ES, US  | 
|  TaxId  |  Personal  |  DE, ES, FR, GB  | 
|  ZipCode  |  Personal  |  US  | 

# Credentials
<a name="protect-sensitive-log-data-types-credentials"></a>

CloudWatch Logs data protection can find the following types of credentials.


| Type of data | Data identifier ID | Keyword required | Countries and regions | 
| --- | --- | --- | --- | 
|  AWS secret access key |  `AwsSecretKey`  |  `aws_secret_access_key`, `credentials`, `secret access key`, `secret key`, `set-awscredential`  |  All  | 
|  OpenSSH private key |  `OpenSshPrivateKey`  |  None  |  All  | 
|  PGP private key |  `PgpPrivateKey`  |  None  |  All  | 
|  PKCS private key |  `PkcsPrivateKey` |  None  |  All  | 
|  PuTTY private key |  `PuttyPrivateKey` |  None  |  All  | 

## Data identifier ARNs for credential data types
<a name="cwl-data-protection-credentials-arns"></a>

The following lists the Amazon Resource Names (ARNs) for the data identifiers that you can add to your data protection policies.


| Credential data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/AwsSecretKey | 
| arn:aws:dataprotection::aws:data-identifier/OpenSshPrivateKey | 
| arn:aws:dataprotection::aws:data-identifier/PgpPrivateKey | 
| arn:aws:dataprotection::aws:data-identifier/PkcsPrivateKey | 
| arn:aws:dataprotection::aws:data-identifier/PuttyPrivateKey | 

# Device identifiers
<a name="protect-sensitive-log-data-types-device"></a>

CloudWatch Logs data protection can find the following types of device identifiers.


| Type of data | Data identifier ID | Keyword required | Countries and regions | 
| --- | --- | --- | --- | 
|  IP address |  `IpAddress`  |  None  |  All  | 

## Data identifier ARNs for device data types
<a name="cwl-data-protection-devices-arns"></a>

The following lists the Amazon Resource Names (ARNs) for the data identifiers that you can add to your data protection policies.


| Device data identifier ARN | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/IpAddress | 

# Financial information
<a name="protect-sensitive-log-data-types-financial"></a>

CloudWatch Logs data protection can find the following types of financial information.

If you set a data protection policy, CloudWatch Logs scans for the data identifiers that you specify no matter what geolocation the log group is located in. The information in the **Countries and regions** column in this table designates whether two-letter country codes must be appended to the data identifier to detect the appropriate keywords for those countries and regions.


| Type of data | Data identifier ID | Keyword required | Countries and regions | Notes | 
| --- | --- | --- | --- | --- | 
|  Bank account number |  `BankAccountNumber`  |  Yes. Different keywords apply to different countries. For details, see the **Keywords for bank account numbers** table later in this section.  |  France, Germany, Italy, Spain, United Kingdom, United States  | Includes International Bank Account Numbers (IBANs) that consist of up to 34 alphanumeric characters, including elements such as country codes. | 
|  Credit card expiration date |  `CreditCardExpiration`  |  `exp d`, `exp m`, `exp y`, `expiration`, `expiry`  |  All  |  | 
|  Credit card number |  `CreditCardNumber`  |  `account number`, `american express`, `amex`, `bank card`, `card`, `card number`, `card num`, `cc #`, `ccn`, `check card`, `credit`, `credit card#`, `dankort`, `debit`, `debit card`, `diners club`, `discover`, `electron`, `japanese card bureau`, `jcb`, `mastercard`, `mc`, `pan`, `payment account number`, `payment card number`, `pcn`, `union pay`, `visa`  |  All  | Detection requires the data to be a 13–19 digit sequence that adheres to the Luhn check formula, and uses a standard card number prefix for any of the following types of credit cards: American Express, Dankort, Diner’s Club, Discover, Electron, Japanese Card Bureau (JCB), Mastercard, UnionPay, and Visa. | 
|  Credit card verification code |  `CreditCardSecurityCode`  |  `card id`, `card identification code`, `card identification number`, `card security code`, `card validation code`, `card validation number`, `card verification data`, `card verification value`, `cvc`, `cvc2`, `cvv`, `cvv2`, `elo verification code`  |  All  |  | 

**Keywords for bank account numbers**

The following keywords apply to bank account numbers. This includes International Bank Account Numbers (IBANs) that consist of up to 34 alphanumeric characters, including elements such as country codes.


| Country | Keywords | 
| --- | --- | 
|  France |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `code bancaire`, `compte bancaire`, `customer account id`, `customer account number`, `customer bank account id`, `iban`, `numéro de compte`  | 
|  Germany |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bankleitzahl`, `bban`, `customer account id`, `customer account number`, `customer bank account id`, `geheimzahl`, `iban`, `kartennummer`, `kontonummer`, `kreditkartennummer`, `sepa`  | 
|  Italy |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `codice bancario`, `conto bancario`, `customer account id`, `customer account number`, `customer bank account id`, `iban`, `numero di conto`  | 
|  Spain |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `código cuenta`, `código cuenta bancaria`, `cuenta cliente id`, `customer account ID`, `customer account number`, `customer bank account id`, `iban`, `número cuenta bancaria cliente`, `número cuenta cliente`  | 
|  United Kingdom |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `customer account ID`, `customer account number`, `customer bank account id`, `iban`, `sepa`  | 
|  United States |  `bank account`, `bank acct`, `checking account`, `checking acct`, `deposit account`, `deposit acct`, `savings account`, `savings acct`, `chequing account`, `chequing acct`  | 

CloudWatch Logs doesn't report occurrences of the following sequences, which credit card issuers have reserved for public testing.

```
122000000000003, 2222405343248877, 2222990905257051, 2223007648726984, 2223577120017656, 
30569309025904, 34343434343434, 3528000700000000, 3530111333300000, 3566002020360505, 36148900647913, 
36700102000000, 371449635398431, 378282246310005, 378734493671000, 38520000023237, 4012888888881881, 
4111111111111111, 4222222222222, 4444333322221111, 4462030000000000, 4484070000000000, 4911830000000, 
4917300800000000, 4917610000000000, 4917610000000000003, 5019717010103742, 5105105105105100, 
5111010030175156, 5185540810000019, 5200828282828210, 5204230080000017, 5204740009900014, 5420923878724339, 
5454545454545454, 5455330760000018, 5506900490000436, 5506900490000444, 5506900510000234, 5506920809243667, 
5506922400634930, 5506927427317625, 5553042241984105, 5555553753048194, 5555555555554444, 5610591081018250, 
6011000990139424, 6011000400000000, 6011111111111117, 630490017740292441, 630495060000000000, 
6331101999990016, 6759649826438453, 6799990100000000019, and 76009244561.
```
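The rules in this section (a 13 to 19 digit sequence that passes the Luhn check and carries a known issuer prefix, a keyword within 30 characters as described under the managed data identifiers, keyword variants without the space or with an underscore or hyphen, and the reserved test numbers above being skipped) are worth trying against your own log lines before you deploy a policy. The following Python script is an added example that emulates those rules; it is not CloudWatch Logs code and does not reproduce the service's detector. The issuer prefix ranges, the keyword subset, and the short list of reserved test numbers are simplifications chosen for the example, and the log lines are constructed.

```python
"""Approximate emulation of the CreditCardNumber managed data identifier.

Added example, not CloudWatch Logs code. It applies the rules on this page:
a 13-19 digit sequence, Luhn check, a known card prefix, one of the listed
keywords within 30 characters (spelling variants without the space or with
'_' / '-' accepted), and the issuers' reserved test numbers skipped. The prefix
ranges and the keyword subset are simplifications; the log lines are constructed.
"""
import re

PROXIMITY = 30  # characters between keyword and number, inclusive
KEYWORDS = ["account number", "amex", "card", "card number", "card num", "cc #",
            "ccn", "credit card#", "mastercard", "pan", "payment card number", "visa"]
# A subset of the reserved test sequences listed above.
RESERVED_TEST_NUMBERS = {"4111111111111111", "4012888888881881", "5555555555554444",
                         "5105105105105100", "378282246310005", "6011111111111117"}
NUMBER = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def keyword_pattern(keywords):
    """Compile the keywords; a space may be absent or written as '_' or '-'."""
    alts = ["[ _-]?".join(re.escape(part) for part in kw.split(" "))
            for kw in sorted(keywords, key=len, reverse=True)]
    return re.compile(r"(?<![A-Za-z])(?:" + "|".join(alts) + r")(?![A-Za-z])", re.IGNORECASE)


KEYWORD = keyword_pattern(KEYWORDS)


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, subtract 9 if above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def known_prefix(n):
    """Simplified issuer prefixes for the card brands named above (assumption)."""
    p2, p3, p4 = int(n[:2]), int(n[:3]), int(n[:4])
    return (n[0] == "4"                                   # Visa
            or 51 <= p2 <= 55 or 2221 <= p4 <= 2720       # Mastercard
            or p2 in (34, 37)                             # American Express
            or p4 == 6011 or p2 == 65                     # Discover
            or 3528 <= p4 <= 3589                         # JCB
            or p2 in (36, 38) or 300 <= p3 <= 305)        # Diners Club


def find_card_numbers(line):
    """Return the card numbers in one log line that the rules above would report."""
    keyword_spans = [(m.start(), m.end()) for m in KEYWORD.finditer(line)]
    hits = []
    for m in NUMBER.finditer(line):
        number = m.group()
        if number in RESERVED_TEST_NUMBERS or not luhn_ok(number) or not known_prefix(number):
            continue
        # Gap between the keyword and the number, whichever side the keyword is on.
        near = any(max(m.start() - k_end, k_start - m.end()) <= PROXIMITY
                   for k_start, k_end in keyword_spans)
        if near:
            hits.append(number)
    return hits


# Constructed log lines.
SAMPLE_LINES = [
    "payment card number: 4532015112830366 approved",   # reported
    "cardnumber=4532015112830366",                      # keyword variant, reported
    "card 4111111111111111",                            # reserved test number, skipped
    "card 4532015112830367",                            # fails Luhn, skipped
    "card " + "x" * 40 + "4532015112830366",            # keyword too far away, skipped
    "order 4532015112830366 shipped",                   # no keyword, skipped
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_card_numbers(line), line)
```

The last two sample lines are the cases that surprise people most: a Luhn-valid card number with no keyword nearby, or with the keyword more than 30 characters away, is not reported, so a log format that separates the label from the value by a long field can leave card numbers unmasked.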

## Data identifier ARNs for financial data types
<a name="cwl-data-protection-financial-arns"></a>

The following lists the Amazon Resource Names (ARNs) for the data identifiers that you can add to your data protection policies.


| Financial data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/CreditCardExpiration | 
| arn:aws:dataprotection::aws:data-identifier/CreditCardNumber | 
| arn:aws:dataprotection::aws:data-identifier/CreditCardSecurityCode | 

# Protected health information (PHI)
<a name="protect-sensitive-log-data-types-health"></a>

CloudWatch Logs data protection can find the following types of protected health information (PHI).

If you set a data protection policy, CloudWatch Logs scans for the data identifiers that you specify no matter what geolocation the log group is located in. The information in the **Countries and regions** column in this table designates whether two-letter country codes must be appended to the data identifier to detect the appropriate keywords for those countries and regions.


| Type of data | Data identifier ID | Keyword required | Countries and regions | 
| --- | --- | --- | --- | 
|  Drug Enforcement Agency (DEA) registration number |  `DrugEnforcementAgencyNumber`  |  `dea number`, `dea registration`  |  United States  | 
|  Health Insurance Card Number (EHIC) |  `HealthInsuranceCardNumber`  |  `assicurazione sanitaria numero`, `carta assicurazione numero`, `carte d’assurance maladie`, `carte européenne d'assurance maladie`, `ceam`, `ehic`, `ehic#`, `finlandehicnumber#`, `gesundheitskarte`, `hälsokort`, `health card`, `health card number`, `health insurance card`, `health insurance number`, `insurance card number`, `krankenversicherungskarte`, `krankenversicherungsnummer`, `medical account number`, `numero conto medico`, `numéro d’assurance maladie`, `numéro de carte d’assurance`, `numéro de compte medical`, `número de cuenta médica`, `número de seguro de salud`, `número de tarjeta de seguro`, `sairaanhoitokortin`, `sairausvakuutuskortti`, `sairausvakuutusnumero`, `sjukförsäkring nummer`, `sjukförsäkringskort`, `suomi ehic-numero`, `tarjeta de salud`, `terveyskortti`, `tessera sanitaria assicurazione numero`, `versicherungsnummer`  |  European Union  | 
|  Health Insurance Claim Number (HICN) |  `HealthInsuranceClaimNumber`  |  `health insurance claim number`, `hic no`, `hic no.`, `hic number`, `hic#`, `hicn`, `hicn#`, `hicno#`  |  United States  | 
|  Health insurance or medical identification number |  `HealthInsuranceNumber`  |  `carte d'assuré social`, `carte vitale`, `insurance card`   |  France  | 
|  Healthcare Common Procedure Coding System (HCPCS) code |  `HealthcareProcedureCode` |  `current procedural terminology`, `hcpcs`, `healthcare common procedure coding system`   |  United States  | 
|  Medicare Beneficiary Number (MBN) |  `MedicareBeneficiaryNumber` |  `mbi`, `medicare beneficiary`  |  United States  | 
|  National Drug Code (NDC) |  `NationalDrugCode` |  `national drug code`, `ndc`  |  United States  | 
|  National Provider Identifier (NPI) |  `NationalProviderId` |  `hipaa`, `n.p.i.`, `national provider`, `npi`  |  United States  | 
|  National Health Service (NHS) number |  `NhsNumber` |  `national health service`, `NHS`  |  Great Britain  | 
|  Personal Health Number |  `PersonalHealthNumber` |  `canada healthcare number`, `msp number`, `care number`, `phn`, `soins de santé`   |  Canada  | 

## Data identifier ARNs for protected health information data types (PHI)
<a name="cwl-data-protection-phi-arns"></a>

The following lists the data identifier Amazon Resource Names (ARNs) that can be used in protected health information (PHI) data protection policies.


| PHI data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/DrugEnforcementAgencyNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/HealthcareProcedureCode-US | 
| arn:aws:dataprotection::aws:data-identifier/HealthInsuranceCardNumber-EU | 
| arn:aws:dataprotection::aws:data-identifier/HealthInsuranceClaimNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/HealthInsuranceNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/MedicareBeneficiaryNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/NationalDrugCode-US | 
| arn:aws:dataprotection::aws:data-identifier/NationalInsuranceNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/NationalProviderId-US | 
| arn:aws:dataprotection::aws:data-identifier/NhsNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/PersonalHealthNumber-CA | 

# Personally identifiable information (PII)
<a name="protect-sensitive-log-data-types-pii"></a>

CloudWatch Logs data protection can find the following types of personally identifiable information (PII).

If you set a data protection policy, CloudWatch Logs scans for the data identifiers that you specify no matter what geolocation the log group is located in. The information in the **Countries and regions** column in this table designates whether two-letter country codes must be appended to the data identifier to detect the appropriate keywords for those countries and regions.


| Type of data | Data identifier ID | Keyword required | Countries and regions | Notes | 
| --- | --- | --- | --- | --- | 
|  Birth date |  `DateOfBirth`  |  `dob`, `date of birth`, `birthdate`, `birth date`, `birthday`, `b-day`, `bday`  |  Any  | Support includes most date formats, such as all digits and combinations of digits and names of months. Date components can be separated by spaces, slashes (/), or hyphens (‐). | 
|  Código de Endereçamento Postal (CEP) |  `CepCode`  |  `cep`, `código de endereçamento postal`, `codigo de endereçamento postal`  |  Brazil  |  | 
|  Cadastro Nacional da Pessoa Jurídica (CNPJ) |  `Cnpj`  |  `cadastro nacional da pessoa jurídica`, `cadastro nacional da pessoa juridica`, `cnpj`  |  Brazil  |  | 
|  Cadastro de Pessoas Físicas (CPF) |  `CpfCode`  |  `Cadastro de pessoas fisicas`, `cadastro de pessoas físicas`, `cadastro de pessoa física`, `cadastro de pessoa fisica`, `cpf`  |  Brazil  |  | 
|  Driver’s license identification number |  `DriversLicense`  |  Yes. Different keywords apply to different countries. For details, see the **Keywords for driver’s license identification numbers** table later in this section.  |  Many countries. For details, see the **Keywords for driver’s license identification numbers** table.  |  | 
|  Electoral roll number |  `ElectoralRollNumber`  |  `electoral #`, `electoral number`, `electoral roll #`, `electoral roll no.`, `electoral roll number`, `electoralrollno`  |  United Kingdom  |  | 
|  Individual taxpayer identification |  `IndividualTaxIdentificationNumber`  |  Yes. Different keywords apply to different countries. For details, see the **Keywords for taxpayer identification and reference numbers** table later in this section.  |  Brazil, France, Germany, Spain, United Kingdom  |  | 
|  National Institute for Statistics and Economic Studies (INSEE) |  `InseeCode`  |  Yes. Different keywords apply to different countries. For details, see the **Keywords for national identification numbers** table later in this section.  |  France  |  | 
|  National Identification Number |  `NationalIdentificationNumber`  |  Yes. For details, see the **Keywords for national identification numbers** table later in this section.  |  Germany, Italy, Spain  | This includes Documento Nacional de Identidad (DNI) identifiers (Spain), Codice fiscale codes (Italy), and National Identity Card numbers (German). | 
| National Insurance Number (NINO) |  `NationalInsuranceNumber`  | insurance no., insurance number, insurance#, national insurance number, nationalinsurance#, nationalinsurancenumber, nin, nino | United Kingdom | – | 
| Número de identidad de extranjero (NIE) |  `NieNumber`  | Yes. Different keywords apply to different countries. For details, see the **Keywords for taxpayer identification and reference numbers** table later in this section. | Spain |  | 
| Número de Identificación Fiscal (NIF) |  `NifNumber`  | Yes. Different keywords apply to different countries. For details, see the **Keywords for taxpayer identification and reference numbers** table later in this section. | Spain |  | 
| Passport number |  `PassportNumber`  | Yes. Different keywords apply to different countries. For details, see the **Keywords for passport numbers** table later in this section. | Canada, France, Germany, Italy, Spain, United Kingdom, United States |  | 
| Permanent residence number |  `PermanentResidenceNumber`  | carte résident permanent, numéro carte résident permanent, numéro résident permanent, permanent resident card, permanent resident card number, permanent resident no,  permanent resident no., permanent resident number, pr no, pr no., pr non, pr number, résident permanent no., résident permanent non | Canada |  | 
| Phone number |  `PhoneNumber`  |  Brazil: keywords also include: `cel`, `celular`, `fone`, `móvel`, `número residencial`, `numero residencial`, `telefone` Others: `cell`, `contact`, `fax`, `fax number`, `mobile`, `phone`, `phone number`, `tel`, `telephone`, `telephone number`  | Brazil, Canada, France, Germany, Italy, Spain, United Kingdom, United States | This includes toll-free numbers in the United States and fax numbers. If a keyword is in proximity of the data, the number doesn’t have to include a country code. If a keyword isn’t in proximity of the data, the number has to include a country code. | 
| Postal Code |  `PostalCode`  | None | Canada |  | 
| Registro Geral (RG) |  `RgNumber`  | Yes. Different keywords apply to different countries. For details, see the **Keywords for taxpayer identification and reference numbers** table later in this section. | Brazil |  | 
| Social Insurance Number (SIN) |  `SocialInsuranceNumber`  | canadian id, numéro d'assurance sociale, social insurance number, sin | Canada |  | 
| Social Security Number (SSN) |  `Ssn`  | Spain – `número de la seguridad social`, `social security no.`, `social security no`, `social security number`, `socialsecurityno#`, `ssn`, `ssn#`. United States – `social security`, `ss#`, `ssn`  | Spain, United States |  | 
| Taxpayer identification or reference number |  `TaxId`  | Yes. Different keywords apply to different countries. For details, see the **Keywords for taxpayer identification and reference numbers** table later in this section. | France, Germany, Spain, United Kingdom | This includes TIN (France); Steueridentifikationsnummer (Germany); CIF (Spain); and TRN, UTR (United Kingdom). | 
| ZIP code |  `ZipCode`  | zip code, zip+4 | United States | United States postal code. | 
| Mailing address |  `Address`  | None | Australia, Canada, France, Germany, Italy, Spain, United Kingdom, United States | Although a keyword isn't required, detection requires the address to include the name of a city or place and a ZIP code or Postal Code. | 
| Electronic mail address |  `EmailAddress`  | None | Any |  | 
| Global Positioning System (GPS) coordinates |  `LatLong`  | coordinate, coordinates, lat long,  latitude longitude, location, position | Any | CloudWatch Logs can detect GPS coordinates if the latitude and longitude coordinates are stored as a pair and they're in Decimal Degrees (DD) format, for example, 41.948614,-87.655311. Support doesn't include coordinates in Degrees Decimal Minutes (DDM) format, for example 41°56.9168'N 87°39.3187'W, or Degrees, Minutes, Seconds (DMS) format, for example 41°56'55.0104"N 87°39'19.1196"W. | 
| Full name |  `Name`  | None | Any | CloudWatch Logs can detect full names only. Support is limited to Latin character sets. | 
| Vehicle Identification Number (VIN) |  `VehicleIdentificationNumber`  | Fahrgestellnummer, niv, numarul de identificare, numarul seriei de sasiu, serie sasiu, numer VIN, Número de Identificação do Veículo,  Número de Identificación de Automóviles, numéro d'identification du véhicule, vehicle identification number, vin, VIN numeris | Any | CloudWatch Logs can detect VINs that consist of a 17-character sequence and adhere to the ISO 3779 and 3780 standards. These standards were designed for worldwide use. | 

## Keywords for driver’s license identification numbers
<a name="CWL-managed-data-identifiers-pii-dl-keywords"></a>

To detect various types of driver’s license identification numbers, CloudWatch Logs requires a keyword to be in proximity of the numbers. The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Australia | dl#, dl:, dl :, dlno#, driver licence, driver license, driver permit, drivers lic., drivers licence, driver's licence, drivers license, driver's license, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit | 
| Austria | führerschein, fuhrerschein, führerschein republik österreich, fuhrerschein republik osterreich | 
| Belgium | fuehrerschein, fuehrerschein- nr, fuehrerscheinnummer, fuhrerschein, führerschein, fuhrerschein- nr, führerschein- nr, fuhrerscheinnummer, führerscheinnummer, numéro permis conduire, permis de conduire, rijbewijs, rijbewijsnummer | 
| Bulgaria | превозно средство, свидетелство за управление на моторно, свидетелство за управление на мпс, сумпс, шофьорска книжка | 
| Canada | dl\$1, dl:, dlno\$1, driver licence, driver licences, driver license, driver licenses, driver permit, drivers lic., drivers licence, driver's licence, drivers licences, driver's licences, drivers license, driver's license, drivers licenses, driver's licenses, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit, permis de conduire | 
| Croatia | vozačka dozvola | 
| Cyprus | άδεια οδήγησης | 
| Czech Republic | číslo licence, císlo licence řidiče, číslo řidičského průkazu, ovladače lic., povolení k jízdě, povolení řidiče, řidiči povolení, řidičský prúkaz, řidičský průkaz | 
| Denmark | kørekort, kørekortnummer | 
| Estonia | juhi litsentsi number, juhiloa number, juhiluba, juhiluba number | 
| Finland | ajokortin numero, ajokortti, förare lic., körkort, körkort nummer, kuljettaja lic., permis de conduire | 
| France | permis de conduire | 
| Germany | fuehrerschein, fuehrerschein- nr, fuehrerscheinnummer, fuhrerschein, führerschein, fuhrerschein- nr, führerschein- nr, fuhrerscheinnummer, führerscheinnummer | 
| Greece | δεια οδήγησης, adeia odigisis | 
| Hungary | illesztőprogramok lic, jogosítvány, jogsi, licencszám, vezető engedély, vezetői engedély | 
| Ireland | ceadúnas tiomána | 
| Italy | patente di guida, patente di guida numero, patente guida, patente guida numero | 
| Latvia | autovadītāja apliecība, licences numurs, vadītāja apliecība, vadītāja apliecības numurs, vadītāja atļauja, vadītāja licences numurs, vadītāji lic. | 
| Lithuania | vairuotojo pažymėjimas | 
| Luxembourg | fahrerlaubnis, führerschäin | 
| Malta | liċenzja tas-sewqan | 
| Netherlands | permis de conduire, rijbewijs, rijbewijsnummer | 
| Poland | numer licencyjny, prawo jazdy, zezwolenie na prowadzenie | 
| Portugal | carta de condução, carteira de habilitação, carteira de motorist, carteira habilitação, carteira motorist, licença condução, licença de condução, número de licença, número licença, permissão condução, permissão de condução | 
| Romania | numărul permisului de conducere, permis de conducere | 
| Slovakia | číslo licencie, číslo vodičského preukazu, ovládače lic., povolenia vodičov, povolenie jazdu, povolenie na jazdu, povolenie vodiča, vodičský preukaz | 
| Slovenia | vozniško dovoljenje | 
| Spain | carnet conducer, el carnet de conducer, licencia conducer, licencia de manejo, número carnet conducer, número de carnet de conducer, número de permiso conducer, número de permiso de conducer, número licencia conducer, número permiso conducer, permiso conducción, permiso conducer, permiso de conducción | 
| Sweden | ajokortin numero, dlno# ajokortti, drivere lic., förare lic., körkort, körkort nummer, körkortsnummer, kuljettajat lic. | 
| United Kingdom | dl#, dl:, dlno#, driver licence, driver licences, driver license, driver licenses, driver permit, drivers lic., drivers licence, driver's licence, drivers licences, driver's licences, drivers license, driver's license, drivers licenses, driver's licenses, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit | 
| United States | dl#, dl:, dlno#, driver licence, driver licences, driver license, driver licenses, driver permit, drivers lic., drivers licence, driver's licence, drivers licences, driver's licences, drivers license, driver's license, drivers licenses, driver's licenses, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit | 

## Keywords for national identification numbers
<a name="CWL-managed-data-identifiers-pii-natlid-keywords"></a>

To detect various types of national identification numbers, CloudWatch Logs requires a keyword to be in close proximity to the numbers. This includes Documento Nacional de Identidad (DNI) identifiers (Spain), French National Institute for Statistics and Economic Studies (INSEE) codes, German National Identity Card numbers, and Registro Geral (RG) numbers (Brazil).

The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Brazil | registro geral, rg | 
| France | assurance sociale, carte nationale d’identité, cni, code sécurité sociale, French social security number, fssn#, insee, insurance number, national id number, nationalid#, numéro d'assurance, sécurité sociale, sécurité sociale non., sécurité sociale numéro, social, social security, social security number, socialsecuritynumber, ss#, ssn, ssn# | 
| Germany | ausweisnummer, id number, identification number, identity number, insurance number, personal id, personalausweis | 
| Italy | codice fiscal, dati anagrafici, ehic, health card, health insurance card, p. iva, partita i.v.a., personal data, tax code, tessera sanitaria | 
| Spain | dni, dni#, dninúmero#, documento nacional de identidad, identidad único, identidadúnico#, insurance number, national identification number, national identity, nationalid#, nationalidno#, número nacional identidad, personal identification number, personal identity no, unique identity number, uniqueid# | 

## Keywords for passport numbers
<a name="CWL-managed-data-identifiers-pii-passport-keywords"></a>

To detect various types of passport numbers, CloudWatch Logs requires a keyword to be in close proximity to the numbers. The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Canada | passeport, passeport#, passport, passport#, passportno, passportno# | 
| France | numéro de passeport, passeport, passeport#, passeport #, passeportn °, passeport n °, passeportNon, passeport non | 
| Germany | ausstellungsdatum, ausstellungsort, geburtsdatum, passport, passports, reisepass, reisepass–nr, reisepassnummer | 
| Italy | italian passport number, numéro passeport, numéro passeport italien, passaporto, passaporto italiana, passaporto numero, passport number, repubblica italiana passaporto | 
| Spain | españa pasaporte, libreta pasaporte, número pasaporte, pasaporte, passport, passport book, passport no, passport number, spain passport | 
| United Kingdom | passeport #, passeport n °, passeportNon, passeport non, passeportn °, passport #, passport no, passport number, passport#, passportid | 
| United States | passport, travel document | 

## Keywords for taxpayer identification and reference numbers
<a name="CWL-managed-data-identifiers-financial-tin-keywords"></a>

To detect various types of taxpayer identification and reference numbers, CloudWatch Logs requires a keyword to be in close proximity to the numbers. The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Brazil | cadastro de pessoa física, cadastro de pessoa fisica, cadastro de pessoas físicas, cadastro de pessoas fisicas, cadastro nacional da pessoa jurídica, cadastro nacional da pessoa juridica, cnpj, cpf | 
| France | numéro d'identification fiscale, tax id, tax identification number, tax number, tin, tin# | 
| Germany | identifikationsnummer, steuer id, steueridentifikationsnummer, steuernummer, tax id, tax identification number, tax number | 
| Spain | cif, cif número, cifnúmero#, nie, nif, número de contribuyente, número de identidad de extranjero, número de identificación fiscal, número de impuesto corporativo, personal tax number, tax id, tax identification number, tax number, tin, tin# | 
| United Kingdom | paye, tax id, tax id no., tax id number, tax identification, tax identification#, tax no., tax number, tax reference, tax#, taxid#, temporary reference number, tin, trn, unique tax reference, unique taxpayer reference, utr | 
| United States | individual taxpayer identification number, itin, i.t.i.n. | 
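The keyword-proximity requirement stated above is easiest to see by simulating it. The following Python is an added illustration, not code from CloudWatch Logs or from this guide: it uses the United States keywords from the taxpayer table above, while the candidate pattern (a simplified 9XX-XX-XXXX shape), the 40-character look-back window, and the asterisk mask are assumptions made only for this illustration. It shows why a bare number match is not enough: the same nine-digit shape is reported only when one of the listed keywords precedes it closely.

```python
import re

# United States taxpayer-number keywords from the table above.
US_TIN_KEYWORDS = (
    "individual taxpayer identification number",
    "itin",
    "i.t.i.n.",
)

# Assumed, simplified candidate shape for this illustration: nine digits
# beginning with 9, written as 9XX-XX-XXXX. The real identifier's rules are
# not published on this page.
CANDIDATE_RE = re.compile(r"\b9\d{2}-\d{2}-\d{4}\b")

# Assumed proximity window: a keyword must occur within this many characters
# immediately before the candidate value.
PROXIMITY_WINDOW = 40


def _keyword_nearby(text, start, keywords, window):
    """True when any keyword appears in the `window` characters before `start`."""
    context = text[max(0, start - window):start].lower()
    return any(kw in context for kw in keywords)


def find_keyword_gated_matches(text, keywords=US_TIN_KEYWORDS, window=PROXIMITY_WINDOW):
    """Return candidate values that have a keyword close enough before them.

    A value with no nearby keyword is deliberately ignored: that is the
    false-positive control the keyword tables provide.
    """
    return [
        m.group(0)
        for m in CANDIDATE_RE.finditer(text)
        if _keyword_nearby(text, m.start(), keywords, window)
    ]


def mask_keyword_gated_matches(text, keywords=US_TIN_KEYWORDS, window=PROXIMITY_WINDOW):
    """Replace each keyword-gated match with asterisks of the same length.

    Asterisk masking is an assumption of this simulation, not a statement of
    the exact output CloudWatch Logs produces.
    """
    out, last = [], 0
    for m in CANDIDATE_RE.finditer(text):
        if _keyword_nearby(text, m.start(), keywords, window):
            out.append(text[last:m.start()])
            out.append("*" * (m.end() - m.start()))
            last = m.end()
    out.append(text[last:])
    return "".join(out)


# Constructed sample log lines (not real data).
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z INFO taxpayer lookup ITIN 912-34-5678 completed",
    "2024-05-01T10:00:01Z INFO order 944-55-6677 shipped to warehouse",
    "2024-05-01T10:00:02Z WARN I.T.I.N. validation failed for 955-77-8899",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(find_keyword_gated_matches(line), "->", mask_keyword_gated_matches(line))
```

The second sample line carries a value of the same shape but no keyword, so it is neither reported nor masked; widening the window (the `window` parameter) trades fewer misses for more false positives, which is the same trade-off the service makes with its own, unpublished, window.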

## Data identifier ARNs for personally identifiable information (PII)
<a name="CWL-data-protection-pii-arns"></a>

The following table lists the Amazon Resource Names (ARNs) for the personally identifiable information (PII) data identifiers that you can add to your data protection policies.


| PII data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/Address | 
| arn:aws:dataprotection::aws:data-identifier/CepCode-BR | 
| arn:aws:dataprotection::aws:data-identifier/Cnpj-BR | 
| arn:aws:dataprotection::aws:data-identifier/CpfCode-BR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-AT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-AU | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-BE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-BG | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-CA | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-CY | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-CZ | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-DE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-DK | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-EE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-ES | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-FI | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-FR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-GB | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-GR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-HR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-HU | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-IE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-IT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-LT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-LU | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-LV | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-MT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-NL | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-PL | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-PT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-RO | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-SE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-SI | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-SK | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-US | 
| arn:aws:dataprotection::aws:data-identifier/ElectoralRollNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/EmailAddress | 
| arn:aws:dataprotection::aws:data-identifier/IndividualTaxIdentificationNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/InseeCode-FR | 
| arn:aws:dataprotection::aws:data-identifier/LatLong | 
| arn:aws:dataprotection::aws:data-identifier/Name | 
| arn:aws:dataprotection::aws:data-identifier/NationalIdentificationNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/NationalIdentificationNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/NationalIdentificationNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/NieNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/NifNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-CA | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/PermanentResidenceNumber-CA | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-BR | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/PostalCode-CA | 
| arn:aws:dataprotection::aws:data-identifier/RgNumber-BR | 
| arn:aws:dataprotection::aws:data-identifier/SocialInsuranceNumber-CA | 
| arn:aws:dataprotection::aws:data-identifier/Ssn-ES | 
| arn:aws:dataprotection::aws:data-identifier/Ssn-US | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-DE | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-ES | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-FR | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-GB | 
| arn:aws:dataprotection::aws:data-identifier/VehicleIdentificationNumber | 
| arn:aws:dataprotection::aws:data-identifier/ZipCode-US | 

# Custom data identifiers
<a name="CWL-custom-data-identifiers"></a>

**Topics**
+ [What are custom data identifiers?](#what-are-custom-data-identifiers)
+ [Custom data identifier constraints](#custom-data-identifiers-constraints)
+ [Using custom data identifiers in the console](#using-custom-data-identifiers-console)
+ [Using custom data identifiers in your data protection policy](#using-custom-data-identifiers)

## What are custom data identifiers?
<a name="what-are-custom-data-identifiers"></a>

Custom data identifiers (CDIs) let you define your own custom regular expressions that can be used in your data protection policy. Using custom data identifiers, you can target business-specific personally identifiable information (PII) use cases that [managed data identifiers](CWL-managed-data-identifiers.md) can't provide. For example, you can use a custom data identifier to look for company-specific employee IDs. Custom data identifiers can be used in conjunction with managed data identifiers.

## Custom data identifier constraints
<a name="custom-data-identifiers-constraints"></a>

CloudWatch Logs custom data identifiers have the following limitations:
+ A maximum of 10 custom data identifiers are supported for each data protection policy.
+ Custom data identifier names have a maximum length of 128 characters. The following characters are supported:
  + Alphanumeric: (a-zA-Z0-9)
  + Symbols: ( '_' | '-' )
+ RegEx has a maximum length of 200 characters. The following characters are supported:
  + Alphanumeric: (a-zA-Z0-9)
  + Symbols: ( '_' | '#' | '=' | '@' | '/' | ';' | ',' | '-' | ' ' )
  + RegEx reserved characters: ( '^' | '$' | '?' | '[' | ']' | '{' | '}' | '|' | '\\' | '*' | '+' | '.' )
+ Custom data identifiers cannot share the same name as a managed data identifier.
+ Custom data identifiers can be specified within an account-level data protection policy or in log group-level data protection policies. Similar to managed data identifiers, custom data identifiers defined within an account-level policy work in combination with custom data identifiers defined in a log group-level policy.

## Using custom data identifiers in the console
<a name="using-custom-data-identifiers-console"></a>

When you use the CloudWatch console to create or edit a data protection policy, you specify a custom data identifier by entering a name and a regular expression for it. For example, you might enter **Employee_ID** for the name and **EmployeeID-\d{9}** as the regular expression. This regular expression detects and masks log events that contain `EmployeeID-` followed by nine digits, for example `EmployeeID-123456789`.

## Using custom data identifiers in your data protection policy
<a name="using-custom-data-identifiers"></a>

If you are using the AWS CLI or AWS API to specify a custom data identifier, you need to include the data identifier name and regular expression in the JSON policy used to define the data protection policy. The following data protection policy detects and masks log events that carry company-specific employee IDs.

1. Create a `Configuration` block within your data protection policy.

1. Enter a `Name` for your custom data identifier. For example, **EmployeeId**.

1. Enter a `Regex` for your custom data identifier. For example, **EmployeeID-\d{9}**. This regular expression matches log events that contain `EmployeeID-` followed by nine digits, for example `EmployeeID-123456789`.

1. Refer to the following custom data identifier in a policy statement.

   ```
   {
       "Name": "example_data_protection_policy",
       "Description": "Example data protection policy with custom data identifiers",
       "Version": "2021-06-01",
       "Configuration": {
         "CustomDataIdentifier": [
           {"Name": "EmployeeId", "Regex": "EmployeeID-\\d{9}"}
         ]
       },
       "Statement": [
           {
               "Sid": "audit-policy",
               "DataIdentifier": [
                   "EmployeeId"
               ],
               "Operation": {
                   "Audit": {
                       "FindingsDestination": {
                           "S3": {
                               "Bucket": "EXISTING_BUCKET"
                           }
                       }
                   }
               }
           },
           {
               "Sid": "redact-policy",
               "DataIdentifier": [
                   "EmployeeId"
               ],
               "Operation": {
                   "Deidentify": {
                       "MaskConfig": {
                       }
                   }
               }
           }
       ]
   }
   ```

1. (Optional) Continue to add additional **custom data identifiers** to the `Configuration` block as needed. Data protection policies currently support a maximum of 10 custom data identifiers.
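Because a policy that violates the constraints listed under "Custom data identifier constraints" is rejected only when you submit it, it helps to check the identifiers and build the policy document locally first. The following Python is an added example, not code from CloudWatch Logs or from this guide; it encodes the name and regex limits and character sets from the constraints list, uses a handful of managed identifier names taken from the ARN table above (the full list would be loaded in practice), and emits the same policy shape as the sample above. The asterisk mask in `mask_locally` is an assumption used only to preview the effect of the `Deidentify` statement.

```python
import json
import re

# Limits taken from the constraints list above.
MAX_CUSTOM_DATA_IDENTIFIERS = 10
MAX_NAME_LENGTH = 128
MAX_REGEX_LENGTH = 200

# Name charset: a-zA-Z0-9 plus '_' and '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Regex charset: alphanumerics, the listed symbols, and the listed reserved
# characters. Note that '(' and ')' are not in the list above.
REGEX_ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "_#=@/;,- "
    "^$?[]{}|\\*+."
)

# A subset of managed data identifier names (the last path component of the
# ARNs in the table above); a real check would load the full list.
MANAGED_DATA_IDENTIFIER_NAMES = {
    "Address", "EmailAddress", "Name", "Ssn-US", "VehicleIdentificationNumber",
}


def validate_custom_data_identifier(name, regex):
    """Return the list of constraint violations; empty means the identifier is usable."""
    problems = []
    if not name or len(name) > MAX_NAME_LENGTH:
        problems.append(f"name length must be 1-{MAX_NAME_LENGTH} characters")
    elif not NAME_RE.match(name):
        problems.append("name may only contain a-zA-Z0-9, '_' and '-'")
    if name in MANAGED_DATA_IDENTIFIER_NAMES:
        problems.append("name clashes with a managed data identifier")
    if not regex or len(regex) > MAX_REGEX_LENGTH:
        problems.append(f"regex length must be 1-{MAX_REGEX_LENGTH} characters")
    unsupported = sorted({c for c in regex if c not in REGEX_ALLOWED_CHARS})
    if unsupported:
        problems.append("regex contains unsupported characters: " + "".join(unsupported))
    try:
        re.compile(regex)
    except re.error as exc:
        problems.append(f"regex does not compile: {exc}")
    return problems


def build_policy(identifiers, bucket):
    """Build a policy document (audit to S3, then mask) from (name, regex) pairs."""
    if len(identifiers) > MAX_CUSTOM_DATA_IDENTIFIERS:
        raise ValueError(f"at most {MAX_CUSTOM_DATA_IDENTIFIERS} custom data identifiers per policy")
    for name, regex in identifiers:
        problems = validate_custom_data_identifier(name, regex)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
    names = [name for name, _ in identifiers]
    return {
        "Name": "example_data_protection_policy",
        "Description": "Example data protection policy with custom data identifiers",
        "Version": "2021-06-01",
        "Configuration": {
            "CustomDataIdentifier": [{"Name": n, "Regex": r} for n, r in identifiers]
        },
        "Statement": [
            {
                "Sid": "audit-policy",
                "DataIdentifier": names,
                "Operation": {"Audit": {"FindingsDestination": {"S3": {"Bucket": bucket}}}},
            },
            {
                "Sid": "redact-policy",
                "DataIdentifier": names,
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    }


def policy_json(policy):
    """Serialise for the CLI or API. json.dumps doubles each backslash in the
    regex, which is why the sample policy above shows two."""
    return json.dumps(policy, indent=2)


def mask_locally(policy, log_line):
    """Preview of the Deidentify statement: replace each custom identifier match
    with asterisks. The mask string is an assumption of this preview, not the
    service's documented output."""
    for cdi in policy["Configuration"]["CustomDataIdentifier"]:
        log_line = re.sub(cdi["Regex"], lambda m: "*" * len(m.group(0)), log_line)
    return log_line


if __name__ == "__main__":
    policy = build_policy([("EmployeeId", r"EmployeeID-\d{9}")], "EXISTING_BUCKET")
    print(policy_json(policy))
    # Constructed sample log line, not real data.
    print(mask_locally(policy, "login ok for EmployeeID-123456789 from 10.0.0.5"))
```

Write the output of `policy_json` to a file and pass it to the AWS CLI with `aws logs put-data-protection-policy --log-group-identifier <log-group-name> --policy-document file://policy.json`. One caveat the validator does not catch: `EmployeeID-\d{9}` has no trailing boundary, so a ten-digit value is masked only in its first nine digits; `\b` is among the permitted characters if you want the stricter form.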