interface DataProtectionPolicyProps
| Language | Type name | 
|---|---|
|  .NET | Amazon.CDK.AWS.Logs.DataProtectionPolicyProps | 
|  Go | github.com/aws/aws-cdk-go/awscdk/v2/awslogs#DataProtectionPolicyProps | 
|  Java | software.amazon.awscdk.services.logs.DataProtectionPolicyProps | 
|  Python | aws_cdk.aws_logs.DataProtectionPolicyProps | 
|  TypeScript (source) | aws-cdk-lib»aws_logs»DataProtectionPolicyProps | 
Properties for creating a data protection policy.
Example
```ts
import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose';
import * as logs from 'aws-cdk-lib/aws-logs';
import * as s3 from 'aws-cdk-lib/aws-s3';

// Log group that receives audit findings
const logGroupDestination = new logs.LogGroup(this, 'LogGroupLambdaAudit', {
  logGroupName: 'auditDestinationForCDK',
});

// S3 bucket that receives audit findings, also used as the Firehose destination
const bucket = new s3.Bucket(this, 'audit-bucket');
const s3Destination = new firehose.S3Bucket(bucket);

const deliveryStream = new firehose.DeliveryStream(this, 'Delivery Stream', {
  destination: s3Destination,
});

const dataProtectionPolicy = new logs.DataProtectionPolicy({
  name: 'data protection policy',
  description: 'policy description',
  identifiers: [
    logs.DataIdentifier.DRIVERSLICENSE_US, // managed data identifier
    new logs.DataIdentifier('EmailAddress'), // forward compatibility for new managed data identifiers
    new logs.CustomDataIdentifier('EmployeeId', 'EmployeeId-\\d{9}'), // custom data identifier
  ],
  logGroupAuditDestination: logGroupDestination,
  s3BucketAuditDestination: bucket,
  deliveryStreamNameAuditDestination: deliveryStream.deliveryStreamName,
});

// Attach the policy to the log group whose events should be protected
new logs.LogGroup(this, 'LogGroupLambda', {
  logGroupName: 'cdkIntegLogGroup',
  dataProtectionPolicy: dataProtectionPolicy,
});
```
Properties
| Name | Type | Description | 
|---|---|---|
| identifiers | DataIdentifier[] | List of data protection identifiers. | 
| deliveryStreamNameAuditDestination? | string | Amazon Data Firehose delivery stream to send audit findings to. | 
| description? | string | Description of the data protection policy. | 
| logGroupAuditDestination? | ILogGroup | CloudWatch Logs log group to send audit findings to. | 
| name? | string | Name of the data protection policy. | 
| s3BucketAuditDestination? | IBucket | S3 bucket to send audit findings to. | 
identifiers
Type:
DataIdentifier[]
List of data protection identifiers.
Managed data identifiers must be in the following list: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-managed-data-identifiers.html
Custom data identifiers must have a valid regex defined: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html#custom-data-identifiers-constraints
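As an added illustration (not part of the CDK documentation or of aws-cdk-lib), the following TypeScript previews locally which text a custom data identifier regex would match before the policy is deployed, using the `EmployeeId-\\d{9}` pattern from the example above. `previewMasking`, `deadIdentifiers` and the sample log lines are hypothetical, and JavaScript `RegExp` is assumed as a stand-in for the CloudWatch Logs matcher.

```typescript
// Added example: check custom data identifier regexes against sample log lines.
// Assumption: JavaScript RegExp approximates the CloudWatch Logs matcher.

interface CustomIdentifierSpec {
  name: string;  // first argument of logs.CustomDataIdentifier
  regex: string; // second argument, i.e. the string AFTER escape processing
}

// Replace each match with asterisks of equal length and count matches per identifier.
function previewMasking(
  line: string,
  specs: CustomIdentifierSpec[],
): { masked: string; hits: Record<string, number> } {
  const hits: Record<string, number> = {};
  let masked = line;
  for (const spec of specs) {
    let count = 0;
    masked = masked.replace(new RegExp(spec.regex, 'g'), (m) => {
      count += 1;
      return '*'.repeat(m.length);
    });
    hits[spec.name] = count;
  }
  return { masked, hits };
}

// Names of identifiers that match none of the samples known to contain the data.
// A non-empty result means the policy would deploy but leave that data unmasked.
function deadIdentifiers(samples: string[], specs: CustomIdentifierSpec[]): string[] {
  return specs
    .filter((s) => samples.every((l) => previewMasking(l, [s]).hits[s.name] === 0))
    .map((s) => s.name);
}

// Constructed sample log lines, each containing an employee id.
const SAMPLE_LINES: string[] = [
  'user login ok EmployeeId-123456789 from 10.0.0.5',
  'badge scan EmployeeId-987654321 door=4',
];

// Double backslash, as in the example: the regex engine receives \d{9}.
const correct: CustomIdentifierSpec = { name: 'EmployeeId', regex: 'EmployeeId-\\d{9}' };
// Single backslash: the string literal collapses '\d' to 'd', so the pattern
// becomes EmployeeId-d{9} and never matches a numeric id.
const broken: CustomIdentifierSpec = { name: 'EmployeeIdBroken', regex: 'EmployeeId-\d{9}' };

console.log(previewMasking(SAMPLE_LINES[0] ?? '', [correct]).masked);
console.log(deadIdentifiers(SAMPLE_LINES, [correct, broken]));
```

Running this as a unit test next to the stack catches an identifier that never matches before findings silently stop appearing in the audit destinations.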
deliveryStreamNameAuditDestination?
Type:
string
(optional, default: no firehose delivery stream audit destination)
Amazon Data Firehose delivery stream to send audit findings to.
The delivery stream must already exist.
description?
Type:
string
(optional, default: 'cdk generated data protection policy')
Description of the data protection policy.
logGroupAuditDestination?
Type:
ILogGroup
(optional, default: no CloudWatch Logs audit destination)
CloudWatch Logs log group to send audit findings to.
The log group must already exist prior to creating the data protection policy.
name?
Type:
string
(optional, default: 'data-protection-policy-cdk')
Name of the data protection policy.
s3BucketAuditDestination?
Type:
IBucket
(optional, default: no S3 bucket audit destination)
S3 bucket to send audit findings to.
The bucket must already exist.
