Creates a CloudWatch Logs data protection policy for a log group that audits (reports findings for) and de-identifies (masks) sensitive data matching the listed managed data identifiers.
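# Policy document with two statements over the same managed data identifiers:
#   - "Audit": send a finding to each configured destination when a match is found.
#   - "Deidentify": mask the matched values (the original listing had no
#     operation block on this statement, so it never masked anything; a
#     statement needs an operation to do any work).
#
# Destination attributes below are Terraform references, NOT quoted strings.
# Quoting them (as the original listing did) would send findings to a log
# group / delivery stream / bucket literally named
# "aws_cloudwatch_log_group.audit.name", not to the managed resource.
data "aws_cloudwatch_log_data_protection_policy_document" "example" {
  name = "Example"

  statement {
    sid = "Audit"
    data_identifiers = [
      "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
      "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    ]

    operation {
      audit {
        # NOTE(review): findings contain the location of a match (log stream,
        # offsets), not the matched value; still, restrict read access to these
        # destinations and keep them distinct from the log group being
        # protected — confirm the account/region constraints on destinations
        # against the AWS documentation.
        findings_destination {
          cloudwatch_logs {
            log_group = aws_cloudwatch_log_group.audit.name
          }
          firehose {
            delivery_stream = aws_kinesis_firehose_delivery_stream.audit.name
          }
          s3 {
            bucket = aws_s3_bucket.audit.bucket
          }
        }
      }
    }
  }

  statement {
    sid = "Deidentify"
    data_identifiers = [
      "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
      "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    ]

    # mask_config is an empty object; its presence selects masking.
    # NOTE(review): masking is presumed to apply when events are read, not at
    # ingestion — the raw values are still stored, and principals granted
    # logs:Unmask can read them unmasked. Treat IAM on logs:Unmask as part of
    # this control; confirm against the AWS documentation.
    operation {
      deidentify {
        mask_config {}
      }
    }
  }
}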
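# Attaches the policy document above to the protected log group.
#
# log_group_name is a Terraform reference, NOT a quoted string: the original
# listing quoted it, which would attach the policy to a log group literally
# named "aws_cloudwatch_log_group.example.name" (and fail if none exists).
resource "aws_cloudwatch_log_data_protection_policy" "example" {
  log_group_name  = aws_cloudwatch_log_group.example.name
  policy_document = data.aws_cloudwatch_log_data_protection_policy_document.example.json
}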