CloudWatch Logs log groups are analyzed for potential secrets embedded in log events across their streams. Detection flags patterns resembling credentials (API keys, passwords, tokens, keys) and reports the secret types and where they appear within the log group.
Risk
Leaked credentials in logs erode confidentiality and enable unauthorized API calls. Attackers reusing tokens/keys can escalate privileges, alter resources, and exfiltrate data. Subscriptions and exports widen exposure, and users with logs:Unmask can reveal values, increasing the blast radius.
prowler aws --checks cloudwatch_log_group_no_secrets_in_logs
Recommendation
Avoid logging secrets via application sanitization and data minimization. Apply CloudWatch data protection policies to audit and mask sensitive patterns. Enforce least privilege for log readers and restrict logs:Unmask. Rotate exposed keys, reduce retention, and monitor findings to validate controls.
Remediation
aws logs put-data-protection-policy --log-group-identifier <example_resource_name> --policy-document '{"Name":"data-protection-policy","Version":"2021-06-01","Statement":[{"Sid":"audit-policy","DataIdentifier":["arn:aws:dataprotection::aws:data-identifier/Credentials"],"Operation":{"Audit":{"FindingsDestination":{}}}},{"Sid":"redact-policy","DataIdentifier":["arn:aws:dataprotection::aws:data-identifier/Credentials"],"Operation":{"Deidentify":{"MaskConfig":{}}}}]}'
- In AWS Console, go to CloudWatch > Logs > Log groups and open <example_resource_name>
- Select the Data protection tab and click Create policy
- Under Managed data identifiers, select Credentials (or AwsSecretKey if listed)
- Click Activate data protection to save
- Re-ingest or generate new logs to ensure sensitive data is masked
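As an added illustration (not Prowler's check code and not the CloudWatch service's own matcher), the Python below approximates both halves of this page: scanning a log group's streams for credential-looking patterns and reporting the secret type and location, and masking the matched value in place the way a Deidentify/MaskConfig statement does. The pattern set, stream names and sample events are constructed; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key, not a live credential.

```python
import re
from dataclasses import dataclass

# Constructed patterns for the credential classes the check reports; not Prowler's rule set.
# Patterns with a capture group mask only the value; patterns without one mask the whole match.
SECRET_PATTERNS = {
    "AwsAccessKeyId": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "AwsSecretKey": re.compile(r"(?i)(?:aws_secret_access_key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "Password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "BearerToken": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]+=*)"),
}

@dataclass(frozen=True)
class Finding:
    log_group: str
    log_stream: str
    event_index: int
    secret_type: str

def scan_log_group(log_group: str, streams: dict[str, list[str]]) -> list[Finding]:
    """Walk every event of every stream and record which secret types appear where."""
    findings = []
    for stream, events in streams.items():
        for idx, message in enumerate(events):
            for secret_type, pattern in SECRET_PATTERNS.items():
                if pattern.search(message):
                    findings.append(Finding(log_group, stream, idx, secret_type))
    return findings

def mask_secrets(message: str) -> str:
    """Replace each detected secret value with asterisks, keeping the rest of the event intact."""
    def _mask(m: re.Match) -> str:
        if not m.lastindex:
            return "*" * len(m.group(0))
        start, end = m.span(1)
        whole = m.group(0)
        return whole[: start - m.start()] + "*" * (end - start) + whole[end - m.start():]
    masked = message
    for pattern in SECRET_PATTERNS.values():
        masked = pattern.sub(_mask, masked)
    return masked

# Constructed sample streams for a log group; the key id is the AWS docs example value.
SAMPLE_STREAMS = {
    "app/i-0123": [
        "2024-05-01T10:00:00Z INFO request ok user=alice",
        "2024-05-01T10:00:01Z DEBUG config aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    ],
    "app/i-0456": ["2024-05-01T10:02:00Z WARN db connect password=hunter2 host=db.internal"],
}

if __name__ == "__main__":
    for f in scan_log_group("/aws/app", SAMPLE_STREAMS):
        print(f"{f.log_group} {f.log_stream}[{f.event_index}]: {f.secret_type}")
    print(mask_secrets(SAMPLE_STREAMS["app/i-0456"][0]))
```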
Resource Type
Other