

# Help protect sensitive log data with masking
<a name="mask-sensitive-log-data"></a>

You can help safeguard sensitive data that's ingested by CloudWatch Logs by using log group *data protection policies*. These policies let you audit and mask sensitive data that appears in log events ingested by the log groups in your account. 

When you create a data protection policy, sensitive data that matches the data identifiers you've selected is masked by default at all egress points, including CloudWatch Logs Insights, metric filters, and subscription filters. Only users who have the `logs:Unmask` IAM permission can view unmasked data.

You can create a data protection policy for all log groups in your account, and you can also create data protection policies for individual log groups. When you create a policy for your entire account, it applies to both existing log groups and log groups that are created in the future.

If you create a data protection policy for your entire account and you also create a policy for a single log group, both policies apply to that log group. All managed data identifiers that are specified in either policy are audited and masked in that log group. 

**Note**  
Masking sensitive data is supported for log groups in both the Standard and Infrequent Access log classes. For more information about log classes, see [Log classes](CloudWatch_Logs_Log_Classes.md).

Each log group can have only one log group-level data protection policy, but that policy can specify many managed data identifiers to audit and mask. The limit for a data protection policy is 30,720 characters.

**Important**  
Sensitive data is detected and masked when it is ingested into the log group. When you set a data protection policy, log events ingested to the log group before that time are not masked.

CloudWatch Logs supports many *managed data identifiers*, which offer preconfigured data types you can select to protect financial data, personal health information (PHI), and personally identifiable information (PII). CloudWatch Logs data protection allows you to leverage pattern matching and machine learning models to detect sensitive data. For some types of managed data identifiers, the detection depends on also finding certain keywords in proximity with the sensitive data. You can also use custom data identifiers to create data identifiers tailored to your specific use case.

A metric is emitted to CloudWatch when sensitive data is detected that matches the data identifiers you select. This is the **LogEventsWithFindings** metric and it is emitted in the **AWS/Logs** namespace. You can use this metric to create CloudWatch alarms, and you can visualize it in graphs and dashboards. Metrics emitted by data protection are vended metrics and are free of charge. For more information about metrics that CloudWatch Logs sends to CloudWatch, see [Monitoring with CloudWatch metrics](CloudWatch-Logs-Monitoring-CloudWatch-Metrics.md).

Each managed data identifier is designed to detect a specific type of sensitive data, such as credit card numbers, AWS secret access keys, or passport numbers for a particular country or region. When you create a data protection policy, you can configure it to use these identifiers to analyze logs ingested by the log group, and take actions when they are detected.

CloudWatch Logs data protection can detect the following categories of sensitive data by using managed data identifiers: 
+ Credentials, such as private keys or AWS secret access keys 
+ Financial information, such as credit card numbers
+ Personally Identifiable Information (PII) such as driver’s licenses or social security numbers
+ Protected Health Information (PHI) such as health insurance or medical identification numbers
+ Device identifiers, such as IP addresses or MAC addresses

For details about the types of data that you can protect, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

**Contents**
+ [Understanding data protection policies](cloudwatch-logs-data-protection-policies.md)
  + [What are data protection policies?](cloudwatch-logs-data-protection-policies.md#what-are-data-protection-policies)
  + [How is the data protection policy structured?](cloudwatch-logs-data-protection-policies.md#overview-of-data-protection-policies)
    + [JSON properties for the data protection policy](cloudwatch-logs-data-protection-policies.md#data-protection-policy-json-properties)
    + [JSON properties for a policy statement](cloudwatch-logs-data-protection-policies.md#policy-statement-json-properties)
    + [JSON properties for a policy statement operation](cloudwatch-logs-data-protection-policies.md#statement-operation-json-properties)
+ [IAM permissions required to create or work with a data protection policy](data-protection-policy-permissions.md)
  + [Permissions required for account-level data protection policies](data-protection-policy-permissions.md#data-protection-policy-permissions-accountlevel)
  + [Permissions required for data protection policies for a single log group](data-protection-policy-permissions.md#data-protection-policy-permissions-loggroup)
  + [Sample data protection policy](data-protection-policy-permissions.md#data-protection-policy-sample)
+ [Create an account-wide data protection policy](mask-sensitive-log-data-accountlevel.md)
  + [Console](mask-sensitive-log-data-accountlevel.md#mask-sensitive-log-data-accountlevel-console)
  + [AWS CLI](mask-sensitive-log-data-accountlevel.md#mask-sensitive-log-data-accountlevel-cli)
    + [Data protection policy syntax for AWS CLI or API operations](mask-sensitive-log-data-accountlevel.md#mask-sensitive-log-data-policysyntax-account)
+ [Create a data protection policy for a single log group](mask-sensitive-log-data-start.md)
  + [Console](mask-sensitive-log-data-start.md#mask-sensitive-log-data-start-console)
  + [AWS CLI](mask-sensitive-log-data-start.md#mask-sensitive-log-data-start-cli)
    + [Data protection policy syntax for AWS CLI or API operations](mask-sensitive-log-data-start.md#mask-sensitive-log-data-policysyntax)
+ [View unmasked data](mask-sensitive-log-data-viewunmasked.md)
+ [Audit findings reports](mask-sensitive-log-data-audit-findings.md)
  + [Required key policy to send audit findings to a bucket protected by AWS KMS](mask-sensitive-log-data-audit-findings.md#mask-sensitive-log-data-audit-findings-kms)
+ [Types of data that you can protect](protect-sensitive-log-data-types.md)
  + [CloudWatch Logs managed data identifiers for sensitive data types](CWL-managed-data-identifiers.md)
    + [Credentials](protect-sensitive-log-data-types-credentials.md)
      + [Data identifier ARNs for credential data types](protect-sensitive-log-data-types-credentials.md#cwl-data-protection-credentials-arns)
    + [Device identifiers](protect-sensitive-log-data-types-device.md)
      + [Data identifier ARNs for device data types](protect-sensitive-log-data-types-device.md#cwl-data-protection-devices-arns)
    + [Financial information](protect-sensitive-log-data-types-financial.md)
      + [Data identifier ARNs for financial data types](protect-sensitive-log-data-types-financial.md#cwl-data-protection-financial-arns)
    + [Protected health information (PHI)](protect-sensitive-log-data-types-health.md)
      + [Data identifier ARNs for protected health information data types (PHI)](protect-sensitive-log-data-types-health.md#cwl-data-protection-phi-arns)
    + [Personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md)
      + [Keywords for driver’s license identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-dl-keywords)
      + [Keywords for national identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-natlid-keywords)
      + [Keywords for passport numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-passport-keywords)
      + [Keywords for taxpayer identification and reference numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-financial-tin-keywords)
      + [Data identifier ARNs for personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md#CWL-data-protection-pii-arns)
  + [Custom data identifiers](CWL-custom-data-identifiers.md)
    + [What are custom data identifiers?](CWL-custom-data-identifiers.md#what-are-custom-data-identifiers)
    + [Custom data identifier constraints](CWL-custom-data-identifiers.md#custom-data-identifiers-constraints)
    + [Using custom data identifiers in the console](CWL-custom-data-identifiers.md#using-custom-data-identifiers-console)
    + [Using custom data identifiers in your data protection policy](CWL-custom-data-identifiers.md#using-custom-data-identifiers)

# Understanding data protection policies
<a name="cloudwatch-logs-data-protection-policies"></a>

**Topics**
+ [What are data protection policies?](#what-are-data-protection-policies)
+ [How is the data protection policy structured?](#overview-of-data-protection-policies)

## What are data protection policies?
<a name="what-are-data-protection-policies"></a>

CloudWatch Logs uses **data protection policies** to select the sensitive data for which you want to scan, and the actions that you want to take to protect that data. To select the sensitive data of interest, you use [data identifiers](CWL-managed-data-identifiers.md). CloudWatch Logs data protection then detects the sensitive data by using machine learning and pattern matching. To act upon data identifiers that are found, you can define **audit** and **de-identify** operations. These operations let you log the sensitive data that is found (or not found), and to mask the sensitive data when the log events are viewed.

## How is the data protection policy structured?
<a name="overview-of-data-protection-policies"></a>

As illustrated in the following figure, a data protection policy document includes the following elements:
+ Optional policy-wide information at the top of the document
+ One statement that defines the audit and de-identify actions

Only one data protection policy can be defined per CloudWatch Logs log group. The data protection policy can have one or more deny or de-identify statements, but only one audit statement.

### JSON properties for the data protection policy
<a name="data-protection-policy-json-properties"></a>

A data protection policy requires the following basic policy information for identification:
+ **Name** – The policy name.
+ **Description** (Optional) – The policy description.
+ **Version** – The policy language version. The current version is 2021-06-01.
+ **Statement** – A list of statements that specifies data protection policy actions.

```
{
  "Name": "CloudWatchLogs-PersonalInformation-Protection",
  "Description": "Protect basic types of sensitive data",
  "Version": "2021-06-01",
  "Statement": [
        ...
  ]
}
```

### JSON properties for a policy statement
<a name="policy-statement-json-properties"></a>

A policy statement sets the detection context for the data protection operation.
+ **Sid** (Optional) – The statement identifier.
+ **DataIdentifier** – The sensitive data for which CloudWatch Logs should scan. For example, name, address, or phone number.
+ **Operation** – The follow-on actions, either **Audit** or **De-identify**. CloudWatch Logs performs these actions when it finds sensitive data.

```
{
  ...
  "Statement": [
    {
      "Sid": "audit-policy",
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/Address"
      ],
      "Operation": {
        "Audit": {
          "FindingsDestination": {}
        }
      }
    },
```

### JSON properties for a policy statement operation
<a name="statement-operation-json-properties"></a>

A policy statement sets one of the following data protection operations.
+ **Audit** – Emits metrics and findings reports without interrupting logging. Strings that match increment the **LogEventsWithFindings** metric that CloudWatch Logs publishes to the **AWS/Logs** namespace in CloudWatch. You can use these metrics to create alarms.

  For an example of a findings report, see [Audit findings reports](mask-sensitive-log-data-audit-findings.md).

  For more information about metrics that CloudWatch Logs sends to CloudWatch, see [Monitoring with CloudWatch metrics](CloudWatch-Logs-Monitoring-CloudWatch-Metrics.md).
+ **De-identify** – Mask the sensitive data without interrupting logging.

# IAM permissions required to create or work with a data protection policy
<a name="data-protection-policy-permissions"></a>

To be able to work with data protection policies for log groups, you must have certain permissions as shown in the following tables. The permissions are different for account-wide data protection policies and for data protection policies that apply to a single log group.

## Permissions required for account-level data protection policies
<a name="data-protection-policy-permissions-accountlevel"></a>

**Note**  
If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/data-protection-policy-permissions.html)

If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the `logs:PutDataProtectionPolicy` and `logs:CreateLogDelivery` permissions.

## Permissions required for data protection policies for a single log group
<a name="data-protection-policy-permissions-loggroup"></a>

**Note**  
If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.


| Operation | IAM permission needed | Resource | 
| --- | --- | --- | 
|  Create a data protection policy with no audit destinations  |  `logs:PutDataProtectionPolicy`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`  | 
|  Create a data protection policy with CloudWatch Logs as an audit destination  |  `logs:PutDataProtectionPolicy`<br>`logs:CreateLogDelivery`<br>`logs:PutResourcePolicy`<br>`logs:DescribeResourcePolicies`<br>`logs:DescribeLogGroups`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`<br>`*`<br>`*`<br>`*`<br>`*`  | 
|  Create a data protection policy with Firehose as an audit destination  |  `logs:PutDataProtectionPolicy`<br>`logs:CreateLogDelivery`<br>`firehose:TagDeliveryStream`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`<br>`*`<br>`arn:aws:logs:::deliverystream/YOUR_DELIVERY_STREAM`  | 
|  Create a data protection policy with Amazon S3 as an audit destination  |  `logs:PutDataProtectionPolicy`<br>`logs:CreateLogDelivery`<br>`s3:GetBucketPolicy`<br>`s3:PutBucketPolicy`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`<br>`*`<br>`arn:aws:s3:::YOUR_BUCKET`<br>`arn:aws:s3:::YOUR_BUCKET`  | 
|  Unmask masked log events  |  `logs:Unmask`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`  | 
|  View an existing data protection policy  |  `logs:GetDataProtectionPolicy`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`  | 
|  Delete a data protection policy  |  `logs:DeleteDataProtectionPolicy`  |  `arn:aws:logs:::log-group:YOUR_LOG_GROUP:*`  | 

If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the `logs:PutDataProtectionPolicy` and `logs:CreateLogDelivery` permissions.

## Sample data protection policy
<a name="data-protection-policy-sample"></a>

The following sample policy allows a user to create, view, and delete data protection policies that can send audit findings to all three types of audit destinations. It does not permit the user to view unmasked data.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLogDeliveryConfiguration",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:PutResourcePolicy",
                "logs:DescribeLogGroups",
                "logs:DescribeResourcePolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDataProtectionAndBucketConfiguration",
            "Effect": "Allow",
            "Action": [
                "logs:GetDataProtectionPolicy",
                "logs:DeleteDataProtectionPolicy",
                "logs:PutDataProtectionPolicy",
                "s3:PutBucketPolicy",
                "firehose:TagDeliveryStream",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:firehose:us-east-1:111122223333:deliverystream/delivery-stream-name",
                "arn:aws:s3:::amzn-s3-demo-destination-bucket",
                "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name:*"
            ]
        }
    ]
}
```


# Create an account-wide data protection policy
<a name="mask-sensitive-log-data-accountlevel"></a>

You can use the CloudWatch Logs console or AWS CLI commands to create a data protection policy to mask sensitive data for all log groups in your account. Doing so affects both current log groups and log groups that you create in the future.

**Important**  
Sensitive data is detected and masked when it is ingested into the log group. When you set a data protection policy, log events ingested to the log group before that time are not masked.

**Topics**
+ [Console](#mask-sensitive-log-data-accountlevel-console)
+ [AWS CLI](#mask-sensitive-log-data-accountlevel-cli)

## Console
<a name="mask-sensitive-log-data-accountlevel-console"></a>

**To use the console to create an account-wide data protection policy**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Settings**. It is located near the bottom of the list.

1. Choose the **Logs** tab.

1. Choose **Configure**.

1. For **Managed data identifiers**, select the types of data that you want to audit and mask for all of your log groups. You can type in the selection box to find the identifiers that you want.

   We recommend that you select only the data identifiers that are relevant for your log data and your business. Choosing many types of data can lead to false positives. 

   For details about which types of data that you can protect, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

1. (Optional) If you want to audit and mask other types of data by using custom data identifiers, choose **Add custom data identifier**. Then enter a name for the data type and the regular expression to use to search for that type of data in the log events. For more information, see [Custom data identifiers](CWL-custom-data-identifiers.md).

   A single data protection policy can include up to 10 custom data identifiers. Each regular expression that defines a custom data identifier must be 200 characters or fewer.

1. (Optional) Choose one or more services to send the audit findings to. Even if you choose not to send audit findings to any of these services, the sensitive data types that you select will still be masked.

1. Choose **Activate data protection**.

## AWS CLI
<a name="mask-sensitive-log-data-accountlevel-cli"></a>

**To use the AWS CLI to create a data protection policy**

1. Use a text editor to create a policy file named `DataProtectionPolicy.json`. For information about the policy syntax, see the following section.

1. Enter the following command:

   ```
   aws logs put-account-policy \
   --policy-name TEST_POLICY --policy-type "DATA_PROTECTION_POLICY" \
   --policy-document file://DataProtectionPolicy.json \
   --scope "ALL" \
   --region us-west-2
   ```

### Data protection policy syntax for AWS CLI or API operations
<a name="mask-sensitive-log-data-policysyntax-account"></a>

When you create a JSON data protection policy to use in an AWS CLI command or API operation, the policy must include two JSON blocks:
+ The first block must include both a `DataIdentifier` array and an `Operation` property with an `Audit` action. The `DataIdentifier` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

  The `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings reports to. If you specify destinations such as log groups, Amazon Data Firehose streams, and S3 buckets, they must already exist. For an example of an audit findings report, see [Audit findings reports](mask-sensitive-log-data-audit-findings.md).
+ The second block must include both a `DataIdentifier` array and an `Operation` property with a `Deidentify` action. The `DataIdentifier` array must exactly match the `DataIdentifier` array in the first block of the policy.

  The `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `"MaskConfig": {}` object. The `"MaskConfig": {}` object must be empty.

The following is an example of a data protection policy using only managed data identifiers. This policy masks email addresses and United States driver's licenses.

For information about policies that specify custom data identifiers, see [Using custom data identifiers in your data protection policy](CWL-custom-data-identifiers.md#using-custom-data-identifiers). 

```
{
    "Name": "data-protection-policy",
    "Description": "test description",
    "Version": "2021-06-01",
    "Statement": [{
            "Sid": "audit-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Audit": {
                    "FindingsDestination": {
                        "CloudWatchLogs": {
                            "LogGroup": "EXISTING_LOG_GROUP_IN_YOUR_ACCOUNT"
                        },
                        "Firehose": {
                            "DeliveryStream": "EXISTING_STREAM_IN_YOUR_ACCOUNT"
                        },
                        "S3": {
                            "Bucket": "EXISTING_BUCKET"
                        }
                    }
                }
            }
        },
        {
            "Sid": "redact-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Deidentify": {
                    "MaskConfig": {}
                }
            }
        }
    ]
}
```

# Create a data protection policy for a single log group
<a name="mask-sensitive-log-data-start"></a>

You can use the CloudWatch Logs console or AWS CLI commands to create a data protection policy to mask sensitive data.

You can assign one data protection policy to each log group. Each data protection policy can audit for multiple types of information. Each data protection policy can include one audit statement.

**Topics**
+ [Console](#mask-sensitive-log-data-start-console)
+ [AWS CLI](#mask-sensitive-log-data-start-cli)

## Console
<a name="mask-sensitive-log-data-start-console"></a>

**To use the console to create a data protection policy**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Logs**, **Log groups**.

1. Choose the name of the log group.

1. Choose **Actions**, **Create data protection policy**.

1. For **Managed data identifiers**, select the types of data that you want to audit and mask in this log group. You can type in the selection box to find the identifiers that you want.

   We recommend that you select only the data identifiers that are relevant for your log data and your business. Choosing many types of data can lead to false positives. 

   For details about which types of data that you can protect by using managed data identifiers, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

1. (Optional) If you want to audit and mask other types of data by using custom data identifiers, choose **Add custom data identifier**. Then enter a name for the data type and the regular expression to use to search for that type of data in the log events. For more information, see [Custom data identifiers](CWL-custom-data-identifiers.md).

   A single data protection policy can include up to 10 custom data identifiers. Each regular expression that defines a custom data identifier must be 200 characters or fewer.

1. (Optional) Choose one or more services to send the audit findings to. Even if you choose not to send audit findings to any of these services, the sensitive data types that you select will still be masked.

1. Choose **Activate data protection**.

## AWS CLI
<a name="mask-sensitive-log-data-start-cli"></a>

**To use the AWS CLI to create a data protection policy**

1. Use a text editor to create a policy file named `DataProtectionPolicy.json`. For information about the policy syntax, see the following section.

1. Enter the following command:

   ```
   aws logs put-data-protection-policy --log-group-identifier "my-log-group" --policy-document file:///Path/DataProtectionPolicy.json --region us-west-2
   ```

### Data protection policy syntax for AWS CLI or API operations
<a name="mask-sensitive-log-data-policysyntax"></a>

When you create a JSON data protection policy to use in an AWS CLI command or API operation, the policy must include two JSON blocks:
+ The first block must include both a `DataIdentifier` array and an `Operation` property with an `Audit` action. The `DataIdentifier` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can protect](protect-sensitive-log-data-types.md).

  The `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings reports to. If you specify destinations such as log groups, Amazon Data Firehose streams, and S3 buckets, they must already exist. For an example of an audit findings report, see [Audit findings reports](mask-sensitive-log-data-audit-findings.md).
+ The second block must include both a `DataIdentifier` array and an `Operation` property with a `Deidentify` action. The `DataIdentifier` array must exactly match the `DataIdentifier` array in the first block of the policy.

  The `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `"MaskConfig": {}` object. The `"MaskConfig": {}` object must be empty.

The following is an example of a data protection policy that masks email addresses and United States driver's licenses.

```
{
    "Name": "data-protection-policy",
    "Description": "test description",
    "Version": "2021-06-01",
    "Statement": [{
            "Sid": "audit-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Audit": {
                    "FindingsDestination": {
                        "CloudWatchLogs": {
                            "LogGroup": "EXISTING_LOG_GROUP_IN_YOUR_ACCOUNT"
                        },
                        "Firehose": {
                            "DeliveryStream": "EXISTING_STREAM_IN_YOUR_ACCOUNT"
                        },
                        "S3": {
                            "Bucket": "EXISTING_BUCKET"
                        }
                    }
                }
            }
        },
        {
            "Sid": "redact-policy",
            "DataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
            ],
            "Operation": {
                "Deidentify": {
                    "MaskConfig": {}
                }
            }
        }
    ]
}
```
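The two-statement structure described in this section and in the account-wide section is easy to get subtly wrong: a `Deidentify` identifier list that drifts from the `Audit` list, a non-empty `MaskConfig`, or a document over the 30,720-character limit, each of which ends in a rejected API call or a policy that audits without masking. The following Python linter is an added example, not AWS code and not part of this guide; it checks a policy document against the rules stated on this page before you pass it to `put-data-protection-policy` or `put-account-policy`. The `Configuration.CustomDataIdentifier` layout (a list of objects with `Name` and `Regex`) is assumed from the custom data identifiers section rather than reproduced here, and the `re.compile` check is only a sanity check because Python's regex dialect is not the service's.

```python
import json
import re

# Limits and values stated in the documentation.
MAX_POLICY_CHARS = 30_720
MAX_CUSTOM_IDENTIFIERS = 10
MAX_CUSTOM_REGEX_CHARS = 200
POLICY_VERSION = "2021-06-01"
MANAGED_ARN_PREFIX = "arn:aws:dataprotection::aws:data-identifier/"


def lint_policy(document: str) -> list[str]:
    """Return the problems found in a policy document; an empty list means it passes."""
    problems: list[str] = []
    if len(document) > MAX_POLICY_CHARS:
        problems.append(f"policy is {len(document)} characters; limit is {MAX_POLICY_CHARS}")
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]

    if policy.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION}")
    if not policy.get("Name"):
        problems.append("Name is required")

    # Custom identifiers are assumed to live under Configuration.CustomDataIdentifier,
    # each with a Name and a Regex (layout from the custom data identifiers section).
    custom = policy.get("Configuration", {}).get("CustomDataIdentifier", [])
    if len(custom) > MAX_CUSTOM_IDENTIFIERS:
        problems.append(f"{len(custom)} custom identifiers; limit is {MAX_CUSTOM_IDENTIFIERS}")
    custom_names = set()
    for item in custom:
        name, regex = item.get("Name", ""), item.get("Regex", "")
        custom_names.add(name)
        if len(regex) > MAX_CUSTOM_REGEX_CHARS:
            problems.append(f"custom identifier {name!r}: regex longer than {MAX_CUSTOM_REGEX_CHARS}")
        try:  # sanity check only: Python's regex dialect is not the service's
            re.compile(regex)
        except re.error as exc:
            problems.append(f"custom identifier {name!r}: regex does not compile: {exc}")

    statements = policy.get("Statement")
    if not isinstance(statements, list):
        return problems + ["Statement must be a list"]

    audit = [s for s in statements if "Audit" in s.get("Operation", {})]
    deid = [s for s in statements if "Deidentify" in s.get("Operation", {})]
    if len(audit) != 1:
        problems.append(f"expected exactly one Audit statement, found {len(audit)}")
    if not deid:
        problems.append("no Deidentify statement: findings would be audited but nothing masked")
    for s in audit:
        if not isinstance(s["Operation"]["Audit"].get("FindingsDestination"), dict):
            problems.append("Audit operation must contain a FindingsDestination object")
    for s in deid:
        if s["Operation"]["Deidentify"].get("MaskConfig") != {}:
            problems.append("Deidentify operation must contain an empty MaskConfig object")

    # Every identifier must be a managed ARN or a custom identifier declared above.
    for s in statements:
        for ident in s.get("DataIdentifier", []):
            if not ident.startswith(MANAGED_ARN_PREFIX) and ident not in custom_names:
                problems.append(f"unknown data identifier {ident!r}")

    # The masking statement must cover exactly what the audit statement scans for.
    if audit and deid:
        audit_ids = audit[0].get("DataIdentifier", [])
        for s in deid:
            if s.get("DataIdentifier") != audit_ids:
                problems.append("DataIdentifier arrays of Audit and Deidentify statements differ")
    return problems


def _policy(deid_ids, mask_config):
    """Build a constructed sample policy in the two-statement shape shown above."""
    managed = [MANAGED_ARN_PREFIX + "EmailAddress", MANAGED_ARN_PREFIX + "DriversLicense-US"]
    return json.dumps({
        "Name": "data-protection-policy",
        "Description": "constructed sample",
        "Version": POLICY_VERSION,
        "Statement": [
            {"Sid": "audit-policy", "DataIdentifier": managed,
             "Operation": {"Audit": {"FindingsDestination": {}}}},
            {"Sid": "redact-policy", "DataIdentifier": deid_ids,
             "Operation": {"Deidentify": {"MaskConfig": mask_config}}},
        ],
    })


GOOD_POLICY = _policy([MANAGED_ARN_PREFIX + "EmailAddress", MANAGED_ARN_PREFIX + "DriversLicense-US"], {})
# Two defects: the Deidentify list drifted from the Audit list, and MaskConfig is not empty.
BAD_POLICY = _policy([MANAGED_ARN_PREFIX + "EmailAddress"], {"Mode": "full"})

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(doc) or "OK")
```

Run it against the file you are about to pass as `--policy-document`; an empty result means the structural rules on this page are satisfied, although the service remains the final authority on which identifier ARNs and regex features it accepts.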

# View unmasked data
<a name="mask-sensitive-log-data-viewunmasked"></a>

To view unmasked data, a user must have the `logs:Unmask` permission. Users with this permission can see the unmasked data in the following ways:
+ When viewing the events in a log stream, choose **Display**, **Unmask**.
+ Use a CloudWatch Logs Insights query that includes the **unmask(@message)** command. The following example query displays the 20 most recent log events in the stream, unmasked:

  ```
  fields @timestamp, @message, unmask(@message)
  | sort @timestamp desc
  | limit 20
  ```

  For more information about CloudWatch Logs Insights commands, see [CloudWatch Logs Insights language query syntax](CWL_QuerySyntax.md).
+ Use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter.

The **CloudWatchLogsFullAccess** policy includes the `logs:Unmask` permission. To grant `logs:Unmask` to a user who does not have **CloudWatchLogsFullAccess**, you can attach a custom IAM policy to that user. For more information, see [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console).

# Audit findings reports
<a name="mask-sensitive-log-data-audit-findings"></a>

If you set up CloudWatch Logs data protection audit policies to write audit reports to CloudWatch Logs, Amazon S3, or Firehose, these findings reports are similar to the following example. CloudWatch Logs writes one findings report for each log event that contains sensitive data.

```
{
    "auditTimestamp": "2023-01-23T21:11:20Z",
    "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/lambda/MyLogGroup:*",
    "dataIdentifiers": [
        {
            "name": "EmailAddress",
            "count": 2,
            "detections": [
                {
                    "start": 13,
                    "end": 26
                },
                {
                    "start": 30,
                    "end": 43
                }
            ]
        }
    ]
}
```

The fields in the report are as follows:
+ The `resourceArn` field displays the log group where the sensitive data was found.
+ The `dataIdentifiers` object displays information about the findings for one type of sensitive data that you are auditing.
+ The `name` field identifies which type of sensitive data this section is reporting about.
+ The `count` field displays the number of times this type of sensitive data appears in the log event.
+ The `start` and `end` fields show where in the log event, by character count, each occurrence of the sensitive data appears.

The previous example shows a report of finding two email addresses in one log event. The first email address starts at the 13th character of the log event and ends at the 26th character. The second email address runs from the 30th character to the 43rd character. Even though this log event has two email addresses, the value of the `LogEventsWithFindings` metric is incremented only by one, because that metric counts the number of log events that contain sensitive data, not the number of occurrences of sensitive data.
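The distinction drawn in the previous paragraph, one report and one metric increment per log event however many occurrences the event contains, matters when you size alarms on `LogEventsWithFindings` or decide which identifiers are producing noise. The following Python is an added example, not part of AWS's documentation or tooling; it aggregates findings reports in the format shown above from a few constructed sample reports (placeholder account and log group names), counting events per log group the way the metric does, counting occurrences per identifier separately, and flagging any report whose `count` disagrees with its `detections` list.

```python
import json
from collections import Counter

# Constructed sample: three findings reports in the format shown above, one per
# log event that contained sensitive data. Account and log group values are placeholders.
SAMPLE_REPORTS = [
    json.dumps({
        "auditTimestamp": "2023-01-23T21:11:20Z",
        "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/lambda/MyLogGroup:*",
        "dataIdentifiers": [
            {"name": "EmailAddress", "count": 2,
             "detections": [{"start": 13, "end": 26}, {"start": 30, "end": 43}]},
        ],
    }),
    json.dumps({
        "auditTimestamp": "2023-01-23T21:12:05Z",
        "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/lambda/MyLogGroup:*",
        "dataIdentifiers": [
            {"name": "EmailAddress", "count": 1, "detections": [{"start": 7, "end": 20}]},
            {"name": "DriversLicense-US", "count": 1, "detections": [{"start": 40, "end": 48}]},
        ],
    }),
    json.dumps({
        "auditTimestamp": "2023-01-23T21:15:41Z",
        "resourceArn": "arn:aws:logs:us-west-2:111122223333:log-group:/app/orders:*",
        "dataIdentifiers": [
            # count disagrees with the detections list, so this report is flagged
            {"name": "Address", "count": 2, "detections": [{"start": 0, "end": 31}]},
        ],
    }),
]


def summarise(reports):
    """Aggregate findings reports the way LogEventsWithFindings does (one per log
    event) and, separately, by occurrence of each data identifier."""
    events_per_group = Counter()
    occurrences_per_identifier = Counter()
    inconsistent = []
    for raw in reports:
        report = json.loads(raw)
        group = report["resourceArn"]
        events_per_group[group] += 1  # one event, however many findings it holds
        for ident in report["dataIdentifiers"]:
            occurrences_per_identifier[ident["name"]] += ident["count"]
            if ident["count"] != len(ident["detections"]):
                inconsistent.append((report["auditTimestamp"], ident["name"]))
    return {
        "events_per_log_group": dict(events_per_group),
        "occurrences_per_identifier": dict(occurrences_per_identifier),
        "inconsistent": inconsistent,
    }


def noisiest_identifiers(reports, top=3):
    """Identifiers with the most occurrences, highest first. Use this to prune
    identifiers that mostly produce false positives, as the console steps recommend."""
    counts = summarise(reports)["occurrences_per_identifier"]
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORTS)
    for group, n in summary["events_per_log_group"].items():
        print(f"{n} log event(s) with findings in {group}")
    print("occurrences:", summary["occurrences_per_identifier"])
    print("noisiest:", noisiest_identifiers(SAMPLE_REPORTS))
    print("inconsistent reports:", summary["inconsistent"])
```

With the sample input, the first log group shows two events with findings even though it holds three email occurrences, which is the same count the metric would report for that period.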

## Required key policy to send audit findings to an S3 bucket protected by AWS KMS
<a name="mask-sensitive-log-data-audit-findings-kms"></a>

You can protect the data in an Amazon S3 bucket by enabling either Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) or Server-Side Encryption with KMS Keys (SSE-KMS). For more information, see [ Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the Amazon S3 User Guide.

If you send audit findings to a bucket that is protected with SSE-S3, no additional configuration is required. Amazon S3 handles the encryption key.

If you send audit findings to a bucket that is protected with SSE-KMS, you must update the key policy for your KMS key so that the log delivery account can write to your S3 bucket. For more information about the required key policy for use with SSE-KMS, see [Amazon S3 bucket server-side encryption](AWS-logs-infrastructure-S3.md#AWS-logs-SSE-KMS-S3) in the Amazon CloudWatch Logs User Guide.

# Types of data that you can protect
<a name="protect-sensitive-log-data-types"></a>

This section contains information about the types of data that you can protect in a CloudWatch Logs data protection policy. CloudWatch Logs managed data identifiers offer preconfigured data types for protecting financial data, personal health information (PHI), and personally identifiable information (PII). You can also use custom data identifiers to create data identifiers tailored to your specific use case.

**Contents**
+ [CloudWatch Logs managed data identifiers for sensitive data types](CWL-managed-data-identifiers.md)
  + [Credentials](protect-sensitive-log-data-types-credentials.md)
    + [Data identifier ARNs for credential data types](protect-sensitive-log-data-types-credentials.md#cwl-data-protection-credentials-arns)
  + [Device identifiers](protect-sensitive-log-data-types-device.md)
    + [Data identifier ARNs for device data types](protect-sensitive-log-data-types-device.md#cwl-data-protection-devices-arns)
  + [Financial information](protect-sensitive-log-data-types-financial.md)
    + [Data identifier ARNs for financial data types](protect-sensitive-log-data-types-financial.md#cwl-data-protection-financial-arns)
  + [Protected health information (PHI)](protect-sensitive-log-data-types-health.md)
    + [Data identifier ARNs for protected health information data types (PHI)](protect-sensitive-log-data-types-health.md#cwl-data-protection-phi-arns)
  + [Personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md)
    + [Keywords for driver’s license identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-dl-keywords)
    + [Keywords for national identification numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-natlid-keywords)
    + [Keywords for passport numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-pii-passport-keywords)
    + [Keywords for taxpayer identification and reference numbers](protect-sensitive-log-data-types-pii.md#CWL-managed-data-identifiers-financial-tin-keywords)
    + [Data identifier ARNs for personally identifiable information (PII)](protect-sensitive-log-data-types-pii.md#CWL-data-protection-pii-arns)
+ [Custom data identifiers](CWL-custom-data-identifiers.md)
  + [What are custom data identifiers?](CWL-custom-data-identifiers.md#what-are-custom-data-identifiers)
  + [Custom data identifier constraints](CWL-custom-data-identifiers.md#custom-data-identifiers-constraints)
  + [Using custom data identifiers in the console](CWL-custom-data-identifiers.md#using-custom-data-identifiers-console)
  + [Using custom data identifiers in your data protection policy](CWL-custom-data-identifiers.md#using-custom-data-identifiers)

# CloudWatch Logs managed data identifiers for sensitive data types
<a name="CWL-managed-data-identifiers"></a>

This section contains information about the types of data that you can protect using managed data identifiers, and which countries and regions are relevant for each of those types of data.

For some types of sensitive data, CloudWatch Logs data protection scans for keywords in the proximity of the data, and finds a match only if it finds that keyword. If a keyword has to be in proximity of a particular type of data, the keyword typically has to be within 30 characters (inclusively) of the data.

If a keyword contains a space, CloudWatch Logs data protection automatically matches keyword variations that are missing the space or that contain an underscore (`_`) or hyphen (`-`) instead of the space. In some cases, CloudWatch Logs also expands or abbreviates a keyword to address common variations of the keyword.

The following tables list the types of credential, device, financial, medical, and protected health information (PHI) that CloudWatch Logs can detect using managed data identifiers. These are in addition to certain types of data that might also qualify as personally identifiable information (PII).

**Supported identifiers that are language and region independent**


| Identifier | Category | 
| --- | --- | 
|  `Address`  |  Personal  | 
|  `AwsSecretKey`  |  Credentials  | 
|  `CreditCardExpiration`  |  Financial  | 
|  `CreditCardNumber`  |  Financial  | 
|  `CreditCardSecurityCode`  |  Financial  | 
|  `EmailAddress`  |  Personal  | 
|  `IpAddress`  |  Personal  | 
|  `LatLong`  |  Personal  | 
|  `Name`  |  Personal  | 
|  `OpenSshPrivateKey`  |  Credentials  | 
|  `PgpPrivateKey`  |  Credentials  | 
|  `PkcsPrivateKey`  |  Credentials  | 
|  `PuttyPrivateKey`  |  Credentials  | 
|  `VehicleIdentificationNumber`  |  Personal  | 

Region-dependent data identifiers consist of the identifier name, a hyphen, and then a two-letter ISO 3166-1 alpha-2 country or region code. For example, `DriversLicense-US`.

**Supported identifiers that must include a two-letter country or region code**


| Identifier | Category | Countries and languages | 
| --- | --- | --- | 
| BankAccountNumber | Financial |  DE, ES, FR, GB, IT, US  | 
|  CepCode  |  Personal  |  BR  | 
|  Cnpj  |  Personal  |  BR  | 
|  CpfCode  |  Personal  |  BR  | 
|  DriversLicense  |  Personal  |  AT, AU, BE, BG, CA, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IT, LT, LU, LV, MT, NL, PL, PT, RO, SE, SI, SK, US  | 
|  DrugEnforcementAgencyNumber  |  Health  |  US  | 
|  ElectoralRollNumber  |  Personal  |  GB  | 
|  HealthInsuranceCardNumber  |  Health  |  EU  | 
|  HealthInsuranceClaimNumber  |  Health  |  US  | 
|  HealthInsuranceNumber  |  Health  |  FR  | 
|  HealthcareProcedureCode  |  Health  |  US  | 
|  IndividualTaxIdentificationNumber  |  Personal  |  US  | 
|  InseeCode  |  Personal  |  FR  | 
|  MedicareBeneficiaryNumber  |  Health  |  US  | 
|  NationalDrugCode  |  Health  |  US  | 
|  NationalIdentificationNumber  |  Personal  |  DE, ES, IT  | 
|  NationalInsuranceNumber  |  Personal  |  GB  | 
|  NationalProviderId  |  Health  |  US  | 
|  NhsNumber  |  Health  |  GB  | 
|  NieNumber  |  Personal  |  ES  | 
|  NifNumber  |  Personal  |  ES  | 
|  PassportNumber  |  Personal  |  CA, DE, ES, FR, GB, IT, US  | 
|  PermanentResidenceNumber  |  Personal  |  CA  | 
|  PersonalHealthNumber  |  Health  |  CA  | 
|  PhoneNumber  |  Personal  |  BR, DE, ES, FR, GB, IT, US  | 
|  PostalCode  |  Personal  |  CA  | 
|  RgNumber  |  Personal  |  BR  | 
|  SocialInsuranceNumber  |  Personal  |  CA  | 
|  Ssn  |  Personal  |  ES, US  | 
|  TaxId  |  Personal  |  DE, ES, FR, GB  | 
|  ZipCode  |  Personal  |  US  | 

# Credentials
<a name="protect-sensitive-log-data-types-credentials"></a>

CloudWatch Logs data protection can find the following types of credentials.


| Type of data | Data identifier ID | Keyword required | Countries and regions | 
| --- | --- | --- | --- | 
|  AWS secret access key |  `AwsSecretKey`  |  `aws_secret_access_key`, `credentials`, `secret access key`, `secret key`, `set-awscredential`  |  All  | 
|  OpenSSH private key |  `OpenSshPrivateKey`  |  None  |  All  | 
|  PGP private key |  `PgpPrivateKey`  |  None  |  All  | 
|  PKCS private key |  `PkcsPrivateKey` |  None  |  All  | 
|  PuTTY private key |  `PuttyPrivateKey` |  None  |  All  | 

## Data identifier ARNs for credential data types
<a name="cwl-data-protection-credentials-arns"></a>

The following lists the Amazon Resource Names (ARNs) for the data identifiers that you can add to your data protection policies.


| Credential data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/AwsSecretKey | 
| arn:aws:dataprotection::aws:data-identifier/OpenSshPrivateKey | 
| arn:aws:dataprotection::aws:data-identifier/PgpPrivateKey | 
| arn:aws:dataprotection::aws:data-identifier/PkcsPrivateKey | 
| arn:aws:dataprotection::aws:data-identifier/PuttyPrivateKey | 

# Device identifiers
<a name="protect-sensitive-log-data-types-device"></a>

CloudWatch Logs data protection can find the following types of device identifiers.


| Type of data | Data identifier ID | Keyword required | Countries and regions | 
| --- | --- | --- | --- | 
|  IP address |  `IpAddress`  |  None  |  All  | 

## Data identifier ARNs for device data types
<a name="cwl-data-protection-devices-arns"></a>

The following lists the Amazon Resource Names (ARNs) for the data identifiers that you can add to your data protection policies.


| Device data identifier ARN | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/IpAddress | 

# Financial information
<a name="protect-sensitive-log-data-types-financial"></a>

CloudWatch Logs data protection can find the following types of financial information.

If you set a data protection policy, CloudWatch Logs scans for the data identifiers that you specify no matter what geolocation the log group is located in. The information in the **Countries and regions** column in this table designates whether two-letter country codes must be appended to the data identifier to detect the appropriate keywords for those countries and regions.


| Type of data | Data identifier ID | Keyword required | Countries and regions | Notes | 
| --- | --- | --- | --- | --- | 
|  Bank account number |  `BankAccountNumber`  |  Yes. Different keywords apply to different countries. For details, see the **Keywords for bank account numbers** table later in this section.  |  France, Germany, Italy, Spain, United Kingdom, United States  | Includes International Bank Account Numbers (IBANs) that consist of up to 34 alphanumeric characters, including elements such as country codes. | 
|  Credit card expiration date |  `CreditCardExpiration`  |  `exp d`, `exp m`, `exp y`, `expiration`, `expiry`  |  All  |  | 
|  Credit card number |  `CreditCardNumber`  |  `account number`, `american express`, `amex`, `bank card`, `card`, `card number`, `card num`, `cc #`, `ccn`, `check card`, `credit`, `credit card#`, `dankort`, `debit`, `debit card`, `diners club`, `discover`, `electron`, `japanese card bureau`, `jcb`, `mastercard`, `mc`, `pan`, `payment account number`, `payment card number`, `pcn`, `union pay`, `visa`  |  All  | Detection requires the data to be a 13–19 digit sequence that adheres to the Luhn check formula, and uses a standard card number prefix for any of the following types of credit cards: American Express, Dankort, Diner’s Club, Discover, Electron, Japanese Card Bureau (JCB), Mastercard, UnionPay, and Visa. | 
|  Credit card verification code |  `CreditCardSecurityCode`  |  `card id`, `card identification code`, `card identification number`, `card security code`, `card validation code`, `card validation number`, `card verification data`, `card verification value`, `cvc`, `cvc2`, `cvv`, `cvv2`, `elo verification code`  |  All  |  | 

**Keywords for bank account numbers**

Use the following keywords to detect bank account numbers. This includes International Bank Account Numbers (IBANs) that consist of up to 34 alphanumeric characters, including elements such as country codes.


| Country | Keywords | 
| --- | --- | 
|  France |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `code bancaire`, `compte bancaire`, `customer account id`, `customer account number`, `customer bank account id`, `iban`, `numéro de compte`  | 
|  Germany |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bankleitzahl`, `bban`, `customer account id`, `customer account number`, `customer bank account id`, `geheimzahl`, `iban`, `kartennummer`, `kontonummer`, `kreditkartennummer`, `sepa`  | 
|  Italy |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `codice bancario`, `conto bancario`, `customer account id`, `customer account number`, `customer bank account id`, `iban`, `numero di conto`  | 
|  Spain |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `código cuenta`, `código cuenta bancaria`, `cuenta cliente id`, `customer account ID`, `customer account number`, `customer bank account id`, `iban`, `número cuenta bancaria cliente`, `número cuenta cliente`  | 
|  United Kingdom |  `account code`, `account number`, `accountno#`, `accountnumber#`, `bban`, `customer account ID`, `customer account number`, `customer bank account id`, `iban`, `sepa`  | 
|  United States |  `bank account`, `bank acct`, `checking account`, `checking acct`, `deposit account`, `deposit acct`, `savings account`, `savings acct`, `chequing account`, `chequing acct`  | 

CloudWatch Logs doesn't report occurrences of the following sequences, which credit card issuers have reserved for public testing.

```
122000000000003, 2222405343248877, 2222990905257051, 2223007648726984, 2223577120017656, 
30569309025904, 34343434343434, 3528000700000000, 3530111333300000, 3566002020360505, 36148900647913, 
36700102000000, 371449635398431, 378282246310005, 378734493671000, 38520000023237, 4012888888881881, 
4111111111111111, 4222222222222, 4444333322221111, 4462030000000000, 4484070000000000, 4911830000000, 
4917300800000000, 4917610000000000, 4917610000000000003, 5019717010103742, 5105105105105100, 
5111010030175156, 5185540810000019, 5200828282828210, 5204230080000017, 5204740009900014, 5420923878724339, 
5454545454545454, 5455330760000018, 5506900490000436, 5506900490000444, 5506900510000234, 5506920809243667, 
5506922400634930, 5506927427317625, 5553042241984105, 5555553753048194, 5555555555554444, 5610591081018250, 
6011000990139424, 6011000400000000, 6011111111111117, 630490017740292441, 630495060000000000, 
6331101999990016, 6759649826438453, 6799990100000000019, and 76009244561.
```
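The following Python is an added example, not AWS code and not the service's real matcher. It models, for study, the `CreditCardNumber` rules stated in the financial table above (13 to 19 digits, Luhn check, known brand prefix, issuer test numbers never reported) together with the keyword rules from the managed data identifiers introduction (a keyword within 30 characters, with the space dropped or replaced by `_` or `-` also accepted). The brand prefix table, the contiguous-digit assumption and the exact window semantics are this example's own assumptions; the sample log lines are constructed.

```python
"""Model of the CreditCardNumber rules this page states (added example).

Not AWS code and not the service's real matcher. It re-creates, for study,
the rules given above: 13-19 digits passing the Luhn check with a known card
prefix, a listed keyword within 30 characters (space dropped or swapped for
'_' or '-' also accepted), and issuer test numbers that are never reported.
Assumptions: contiguous digits, a 30-character window on either side of the
match, and an illustrative prefix table rather than AWS's.
"""
import re

# Keywords copied from the CreditCardNumber row above (a subset).
CARD_KEYWORDS = ["card number", "credit card#", "ccn", "pan", "visa",
                 "mastercard", "amex", "payment card number"]

# Issuer-reserved test numbers listed above that are never reported (a subset).
TEST_NUMBERS = {"4111111111111111", "4012888888881881", "5555555555554444",
                "378282246310005", "6011111111111117", "4222222222222"}

# Illustrative prefix patterns for the brands the page names (assumption).
BRAND_PREFIX = {
    "American Express": r"3[47]",
    "Dankort": r"5019",
    "Diners Club": r"3(?:0[0-5]|[68])",
    "Discover": r"6(?:011|5|4[4-9])",
    "Electron": r"(?:4026|417500|4508|4844|4913|4917)",
    "JCB": r"35",
    "Mastercard": r"(?:5[1-5]|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))",
    "UnionPay": r"62",
    "Visa": r"4",
}
CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # 13-19 contiguous digits
WINDOW = 30  # a keyword must sit within this many characters of the number


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits):
    """First brand whose prefix pattern matches, or None."""
    for brand, pattern in BRAND_PREFIX.items():
        if re.match(pattern, digits):
            return brand
    return None


def keyword_variants(keyword):
    """A keyword with a space also matches with the space dropped, or replaced
    by an underscore or a hyphen (the rule stated in the introduction above)."""
    variants = {keyword}
    if " " in keyword:
        for sep in ("", "_", "-"):
            variants.add(keyword.replace(" ", sep))
    return variants


def keyword_nearby(text, start, end, keywords):
    """True if any keyword variant appears within WINDOW characters before the
    match or after it (case-insensitive)."""
    before = text[max(0, start - WINDOW):start].lower()
    after = text[end:end + WINDOW].lower()
    return any(v in before or v in after
               for k in keywords for v in keyword_variants(k))


def scan(text):
    """Classify every candidate digit run; 'reported' is the only finding."""
    results = []
    for m in CANDIDATE.finditer(text):
        digits, start, end = m.group(), m.start(), m.end()
        brand = brand_of(digits)
        if not luhn_ok(digits):
            status = "luhn_fail"
        elif brand is None:
            status = "no_prefix"
        elif digits in TEST_NUMBERS:
            status = "test_number"
        elif not keyword_nearby(text, start, end, CARD_KEYWORDS):
            status = "no_keyword"
        else:
            status = "reported"
        results.append({"start": start, "end": end, "brand": brand,
                        "status": status})
    return results


# Constructed log lines, one per outcome (4539578763621486 is Luhn-valid and
# not an issuer test number; it was generated for this example).
SAMPLE_LINES = [
    "card number 4111111111111111 declined",          # issuer test number
    "visa 4539578763621486 approved",                 # reported
    "order 1234567890123 shipped",                    # fails the Luhn check
    "pan 9000000000001 rejected",                     # Luhn-valid, unknown prefix
    "card_number 4539578763621486 refund",            # keyword variant accepted
    "card number " + "x" * 30 + " 4539578763621486",  # keyword beyond 30 chars
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scan(line), line[:40])
```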

## Data identifier ARNs for financial data types
<a name="cwl-data-protection-financial-arns"></a>

The following lists the Amazon Resource Names (ARNs) for the data identifiers that you can add to your data protection policies.


| Financial data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/BankAccountNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/CreditCardExpiration | 
| arn:aws:dataprotection::aws:data-identifier/CreditCardNumber | 
| arn:aws:dataprotection::aws:data-identifier/CreditCardSecurityCode | 

# Protected health information (PHI)
<a name="protect-sensitive-log-data-types-health"></a>

CloudWatch Logs data protection can find the following types of protected health information (PHI).

If you set a data protection policy, CloudWatch Logs scans for the data identifiers that you specify no matter what geolocation the log group is located in. The information in the **Countries and regions** column in this table designates whether two-letter country codes must be appended to the data identifier to detect the appropriate keywords for those countries and regions.


| Type of data | Data identifier ID | Keyword required | Countries and regions | 
| --- | --- | --- | --- | 
|  Drug Enforcement Agency (DEA) registration number |  `DrugEnforcementAgencyNumber`  |  `dea number`, `dea registration`  |  United States  | 
|  Health Insurance Card Number (EHIC) |  `HealthInsuranceCardNumber`  |  `assicurazione sanitaria numero`, `carta assicurazione numero`, `carte d’assurance maladie`, `carte européenne d'assurance maladie`, `ceam`, `ehic`, `ehic#`, `finlandehicnumber#`, `gesundheitskarte`, `hälsokort`, `health card`, `health card number`, `health insurance card`, `health insurance number`, `insurance card number`, `krankenversicherungskarte`, `krankenversicherungsnummer`, `medical account number`, `numero conto medico`, `numéro d’assurance maladie`, `numéro de carte d’assurance`, `numéro de compte medical`, `número de cuenta médica`, `número de seguro de salud`, `número de tarjeta de seguro`, `sairaanhoitokortin`, `sairausvakuutuskortti`, `sairausvakuutusnumero`, `sjukförsäkring nummer`, `sjukförsäkringskort`, `suomi ehic-numero`, `tarjeta de salud`, `terveyskortti`, `tessera sanitaria assicurazione numero`, `versicherungsnummer`  |  European Union  | 
|  Health Insurance Claim Number (HICN) |  `HealthInsuranceClaimNumber`  |  `health insurance claim number`, `hic no`, `hic no.`, `hic number`, `hic#`, `hicn`, `hicn#`, `hicno#`  |  United States  | 
|  Health insurance or medical identification number |  `HealthInsuranceNumber`  |  `carte d'assuré social`, `carte vitale`, `insurance card`   |  France  | 
|  Healthcare Common Procedure Coding System (HCPCS) code |  `HealthcareProcedureCode` |  `current procedural terminology`, `hcpcs`, `healthcare common procedure coding system`   |  United States  | 
|  Medicare Beneficiary Number (MBN) |  `MedicareBeneficiaryNumber` |  `mbi`, `medicare beneficiary`  |  United States  | 
|  National Drug Code (NDC) |  `NationalDrugCode` |  `national drug code`, `ndc`  |  United States  | 
|  National Provider Identifier (NPI) |  `NationalProviderId` |  `hipaa`, `n.p.i.`, `national provider`, `npi`  |  United States  | 
|  National Health Service (NHS) number |  `NhsNumber` |  `national health service`, `NHS`  |  Great Britain  | 
|  Personal Health Number |  `PersonalHealthNumber` |  `canada healthcare number`, `msp number`, `care number`, `phn`, `soins de santé`   |  Canada  | 

## Data identifier ARNs for protected health information data types (PHI)
<a name="cwl-data-protection-phi-arns"></a>

The following lists the data identifier Amazon Resource Names (ARNs) that can be used in protected health information (PHI) data protection policies.


| PHI data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/DrugEnforcementAgencyNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/HealthcareProcedureCode-US | 
| arn:aws:dataprotection::aws:data-identifier/HealthInsuranceCardNumber-EU | 
| arn:aws:dataprotection::aws:data-identifier/HealthInsuranceClaimNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/HealthInsuranceNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/MedicareBeneficiaryNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/NationalDrugCode-US | 
| arn:aws:dataprotection::aws:data-identifier/NationalInsuranceNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/NationalProviderId-US | 
| arn:aws:dataprotection::aws:data-identifier/NhsNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/PersonalHealthNumber-CA | 

# Personally identifiable information (PII)
<a name="protect-sensitive-log-data-types-pii"></a>

CloudWatch Logs data protection can find the following types of personally identifiable information (PII).

If you set a data protection policy, CloudWatch Logs scans for the data identifiers that you specify no matter what geolocation the log group is located in. The information in the **Countries and regions** column in this table designates whether two-letter country codes must be appended to the data identifier to detect the appropriate keywords for those countries and regions.


| Type of data | Data identifier ID | Keyword required | Countries and regions | Notes | 
| --- | --- | --- | --- | --- | 
|  Birth date |  `DateOfBirth`  |  `dob`, `date of birth`, `birthdate`, `birth date`, `birthday`, `b-day`, `bday`  |  Any  | Support includes most date formats, such as all digits and combinations of digits and names of months. Date components can be separated by spaces, slashes (/), or hyphens (‐). | 
|  Código de Endereçamento Postal (CEP) |  `CepCode`  |  `cep`, `código de endereçamento postal`, `codigo de endereçamento postal`  |  Brazil  |  | 
|  Cadastro Nacional da Pessoa Jurídica (CNPJ) |  `Cnpj`  |  `cadastro nacional da pessoa jurídica`, `cadastro nacional da pessoa juridica`, `cnpj`  |  Brazil  |  | 
|  Cadastro de Pessoas Físicas (CPF) |  `CpfCode`  |  `Cadastro de pessoas fisicas`, `cadastro de pessoas físicas`, `cadastro de pessoa física`, `cadastro de pessoa fisica`, `cpf`  |  Brazil  |  | 
|  Driver’s license identification number |  `DriversLicense`  |  Yes. Different keywords apply to different countries. For details, see the **Drivers license identification numbers** table later in this section.  |  Many countries. For details, see the **Drivers license identification numbers** table.  |  | 
|  Electoral roll number |  `ElectoralRollNumber`  |  `electoral #`, `electoral number`, `electoral roll #`, `electoral roll no.`, `electoral roll number`, `electoralrollno`  |  United Kingdom  |  | 
|  Individual taxpayer identification |  `IndividualTaxIdentificationNumber`  |  Yes. Different keywords apply to different countries. For details, see the **Individual taxpayer identification numbers** table later in this section.  |  Brazil, France, Germany, Spain, United Kingdom  |  | 
|  National Institute for Statistics and Economic Studies (INSEE) |  `InseeCode`  |  Yes. Different keywords apply to different countries. For details, see the **Keywords for national identification numbers** table later in this section.  |  France  |  | 
|  National Identification Number |  `NationalIdentificationNumber`  |  Yes. For details, see the **Keywords for national identification numbers** table later in this section.  |  Germany, Italy, Spain  | This includes Documento Nacional de Identidad (DNI) identifiers (Spain), Codice fiscale codes (Italy), and National Identity Card numbers (German). | 
| National Insurance Number (NINO) |  `NationalInsuranceNumber`  | insurance no., insurance number, insurance#, national insurance number, nationalinsurance#, nationalinsurancenumber, nin, nino | United Kingdom | – | 
| Número de identidad de extranjero (NIE) |  `NieNumber`  | Yes. Different keywords apply to different countries. For details, see the **Individual taxpayer identification numbers** table later in this section. | Spain |  | 
| Número de Identificación Fiscal (NIF) |  `NifNumber`  | Yes. Different keywords apply to different countries. For details, see the **Individual taxpayer identification numbers** table later in this section. | Spain |  | 
| Passport number |  `PassportNumber`  | Yes. Different keywords apply to different countries. For details, see the **Keywords for passport numbers** table later in this section. | Canada, France, Germany, Italy, Spain, United Kingdom, United States |  | 
| Permanent residence number |  `PermanentResidenceNumber`  | carte résident permanent, numéro carte résident permanent, numéro résident permanent, permanent resident card, permanent resident card number, permanent resident no,  permanent resident no., permanent resident number, pr no, pr no., pr non, pr number, résident permanent no., résident permanent non | Canada |  | 
| Phone number |  `PhoneNumber`  |  All countries: `cell`, `contact`, `fax`, `fax number`, `mobile`, `phone`, `phone number`, `tel`, `telephone`, `telephone number`. Brazil additionally: `cel`, `celular`, `fone`, `móvel`, `número residencial`, `numero residencial`, `telefone`  | Brazil, Canada, France, Germany, Italy, Spain, United Kingdom, United States | This includes toll-free numbers in the United States and fax numbers. If a keyword is in proximity of the data, the number doesn’t have to include a country code. If a keyword isn’t in proximity of the data, the number has to include a country code. | 
| Postal Code |  `PostalCode`  | None | Canada |  | 
| Registro Geral (RG) |  `RgNumber`  | Yes. Different keywords apply to different countries. For details, see the **Individual taxpayer identification numbers** table later in this section. | Brazil |  | 
| Social Insurance Number (SIN) |  `SocialInsuranceNumber`  | canadian id, numéro d'assurance sociale, social insurance number, sin | Canada |  | 
| Social Security Number (SSN) |  `Ssn`  | Spain: `número de la seguridad social`, `social security no.`, `social security no`, `social security number`, `socialsecurityno#`, `ssn`, `ssn#`. United States: `social security`, `ss#`, `ssn`  | Spain, United States |  | 
| Taxpayer identification or reference number |  `TaxId`  | Yes. Different keywords apply to different countries. For details, see the **Individual taxpayer identification numbers** table later in this section. | France, Germany, Spain, United Kingdom | This includes TIN (France); Steueridentifikationsnummer (Germany); CIF (Spain); and TRN, UTR (United Kingdom). | 
| ZIP code |  `ZipCode`  | zip code, zip+4 | United States | United States postal code. | 
| Mailing address |  `Address`  | None | Australia, Canada, France, Germany, Italy, Spain, United Kingdom, United States | Although a keyword isn't required, detection requires the address to include the name of a city or place and a ZIP code or Postal Code. | 
| Electronic mail address |  `EmailAddress`  | None | Any |  | 
| Global Positioning System (GPS) coordinates |  `LatLong`  | coordinate, coordinates, lat long,  latitude longitude, location, position | Any | CloudWatch Logs can detect GPS coordinates if the latitude and longitude coordinates are stored as a pair and they're in Decimal Degrees (DD) format, for example, 41.948614,-87.655311. Support doesn't include coordinates in Degrees Decimal Minutes (DDM) format, for example 41°56.9168'N 87°39.3187'W, or Degrees, Minutes, Seconds (DMS) format, for example 41°56'55.0104"N 87°39'19.1196"W. | 
| Full name |  `Name`  | None | Any | CloudWatch Logs can detect full names only. Support is limited to Latin character sets. | 
| Vehicle Identification Number (VIN) |  `VehicleIdentificationNumber`  | Fahrgestellnummer, niv, numarul de identificare, numarul seriei de sasiu, serie sasiu, numer VIN, Número de Identificação do Veículo,  Número de Identificación de Automóviles, numéro d'identification du véhicule, vehicle identification number, vin, VIN numeris | Any | CloudWatch Logs can detect VINs that consist of a 17-character sequence and adhere to the ISO 3779 and 3780 standards. These standards were designed for worldwide use. | 

## Keywords for driver’s license identification numbers
<a name="CWL-managed-data-identifiers-pii-dl-keywords"></a>

To detect various types of driver’s license identification numbers, CloudWatch Logs requires a keyword to be in proximity of the numbers. The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Australia | dl#, dl:, dl :, dlno#, driver licence, driver license, driver permit, drivers lic., drivers licence, driver's licence, drivers license, driver's license, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit | 
| Austria | führerschein, fuhrerschein, führerschein republik österreich, fuhrerschein republik osterreich | 
| Belgium | fuehrerschein, fuehrerschein- nr, fuehrerscheinnummer, fuhrerschein, führerschein, fuhrerschein- nr, führerschein- nr, fuhrerscheinnummer, führerscheinnummer, numéro permis conduire, permis de conduire, rijbewijs, rijbewijsnummer | 
| Bulgaria | превозно средство, свидетелство за управление на моторно, свидетелство за управление на мпс, сумпс, шофьорска книжка | 
| Canada | dl#, dl:, dlno#, driver licence, driver licences, driver license, driver licenses, driver permit, drivers lic., drivers licence, driver's licence, drivers licences, driver's licences, drivers license, driver's license, drivers licenses, driver's licenses, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit, permis de conduire | 
| Croatia | vozačka dozvola | 
| Cyprus | άδεια οδήγησης | 
| Czech Republic | číslo licence, císlo licence řidiče, číslo řidičského průkazu, ovladače lic., povolení k jízdě, povolení řidiče, řidiči povolení, řidičský prúkaz, řidičský průkaz | 
| Denmark | kørekort, kørekortnummer | 
| Estonia | juhi litsentsi number, juhiloa number, juhiluba, juhiluba number | 
| Finland | ajokortin numero, ajokortti, förare lic., körkort, körkort nummer, kuljettaja lic., permis de conduire | 
| France | permis de conduire | 
| Germany | fuehrerschein, fuehrerschein- nr, fuehrerscheinnummer, fuhrerschein, führerschein, fuhrerschein- nr, führerschein- nr, fuhrerscheinnummer, führerscheinnummer | 
| Greece | άδεια οδήγησης, adeia odigisis | 
| Hungary | illesztőprogramok lic, jogosítvány, jogsi, licencszám, vezető engedély, vezetői engedély | 
| Ireland | ceadúnas tiomána | 
| Italy | patente di guida, patente di guida numero, patente guida, patente guida numero | 
| Latvia | autovadītāja apliecība, licences numurs, vadītāja apliecība, vadītāja apliecības numurs, vadītāja atļauja, vadītāja licences numurs, vadītāji lic. | 
| Lithuania | vairuotojo pažymėjimas | 
| Luxembourg | fahrerlaubnis, führerschäin | 
| Malta | liċenzja tas-sewqan | 
| Netherlands | permis de conduire, rijbewijs, rijbewijsnummer | 
| Poland | numer licencyjny, prawo jazdy, zezwolenie na prowadzenie | 
| Portugal | carta de condução, carteira de habilitação, carteira de motorist, carteira habilitação, carteira motorist, licença condução, licença de condução, número de licença, número licença, permissão condução, permissão de condução | 
| Romania | numărul permisului de conducere, permis de conducere | 
| Slovakia | číslo licencie, číslo vodičského preukazu, ovládače lic., povolenia vodičov, povolenie jazdu, povolenie na jazdu, povolenie vodiča, vodičský preukaz | 
| Slovenia | vozniško dovoljenje | 
| Spain | carnet conducer, el carnet de conducer, licencia conducer, licencia de manejo, número carnet conducer, número de carnet de conducer, número de permiso conducer, número de permiso de conducer, número licencia conducer, número permiso conducer, permiso conducción, permiso conducer, permiso de conducción | 
| Sweden |  ajokortin numero, dlno#, ajokortti, drivere lic., förare lic., körkort, körkort nummer, körkortsnummer, kuljettajat lic.  | 
| United Kingdom | dl#, dl:, dlno#, driver licence, driver licences, driver license, driver licenses, driver permit, drivers lic., drivers licence, driver's licence, drivers licences, driver's licences, drivers license, driver's license, drivers licenses, driver's licenses, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit | 
| United States | dl#, dl:, dlno#, driver licence, driver licences, driver license, driver licenses, driver permit, drivers lic., drivers licence, driver's licence, drivers licences, driver's licences, drivers license, driver's license, drivers licenses, driver's licenses, drivers permit, driver's permit, drivers permit number, driving licence, driving license, driving permit | 

## Keywords for national identification numbers
<a name="CWL-managed-data-identifiers-pii-natlid-keywords"></a>

To detect various types of national identification numbers, CloudWatch Logs requires a keyword to be in close proximity to the numbers. This includes Documento Nacional de Identidad (DNI) identifiers (Spain), French National Institute for Statistics and Economic Studies (INSEE) codes, German National Identity Card numbers, and Registro Geral (RG) numbers (Brazil).

The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Brazil | registro geral, rg | 
| France | assurance sociale, carte nationale d’identité, cni, code sécurité sociale, French social security number, fssn#, insee, insurance number, national id number, nationalid#, numéro d'assurance, sécurité sociale, sécurité sociale non., sécurité sociale numéro, social, social security, social security number, socialsecuritynumber, ss#, ssn, ssn# | 
| Germany | ausweisnummer, id number, identification number, identity number, insurance number, personal id, personalausweis | 
| Italy | codice fiscal, dati anagrafici, ehic, health card, health insurance card, p. iva, partita i.v.a., personal data, tax code, tessera sanitaria | 
| Spain | dni, dni#, dninúmero#, documento nacional de identidad, identidad único, identidadúnico#, insurance number, national identification number, national identity, nationalid#, nationalidno#, número nacional identidad, personal identification number, personal identity no, unique identity number, uniqueid# | 

## Keywords for passport numbers
<a name="CWL-managed-data-identifiers-pii-passport-keywords"></a>

To detect various types of passport numbers, CloudWatch Logs requires a keyword to be in proximity to the numbers. The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Canada | passeport, passeport#, passport, passport#, passportno, passportno# | 
| France | numéro de passeport, passeport, passeport#, passeport #, passeportn °, passeport n °, passeportNon, passeport non | 
| Germany | ausstellungsdatum, ausstellungsort, geburtsdatum, passport, passports, reisepass, reisepass–nr, reisepassnummer | 
| Italy | italian passport number, numéro passeport, numéro passeport italien, passaporto, passaporto italiana, passaporto numero, passport number, repubblica italiana passaporto | 
| Spain | españa pasaporte, libreta pasaporte, número pasaporte, pasaporte, passport, passport book, passport no, passport number, spain passport | 
| United Kingdom | passeport #, passeport n °, passeportNon, passeport non, passeportn °, passport #, passport no, passport number, passport#, passportid | 
| United States | passport, travel document | 

## Keywords for taxpayer identification and reference numbers
<a name="CWL-managed-data-identifiers-financial-tin-keywords"></a>

To detect various types of taxpayer identification and reference numbers, CloudWatch Logs requires a keyword to be in proximity to the numbers. The following table lists the keywords that CloudWatch Logs recognizes for specific countries and regions.


| Country or region | Keywords | 
| --- | --- | 
| Brazil | cadastro de pessoa física, cadastro de pessoa fisica, cadastro de pessoas físicas, cadastro de pessoas fisicas, cadastro nacional da pessoa jurídica, cadastro nacional da pessoa juridica, cnpj, cpf | 
| France | numéro d'identification fiscale, tax id, tax identification number, tax number, tin, tin# | 
| Germany | identifikationsnummer, steuer id, steueridentifikationsnummer, steuernummer, tax id, tax identification number, tax number | 
| Spain | cif, cif número, cifnúmero#, nie, nif, número de contribuyente, número de identidad de extranjero, número de identificación fiscal, número de impuesto corporativo, personal tax number, tax id, tax identification number, tax number, tin, tin# | 
| United Kingdom | paye, tax id, tax id no., tax id number, tax identification, tax identification#, tax no., tax number, tax reference, tax#, taxid#, temporary reference number, tin, trn, unique tax reference, unique taxpayer reference, utr | 
| United States | individual taxpayer identification number, itin, i.t.i.n. | 

## Data identifier ARNs for personally identifiable information (PII)
<a name="CWL-data-protection-pii-arns"></a>

The following table lists the Amazon Resource Names (ARNs) for the personally identifiable information (PII) data identifiers that you can add to your data protection policies.


| PII data identifier ARNs | 
| --- | 
| arn:aws:dataprotection::aws:data-identifier/Address | 
| arn:aws:dataprotection::aws:data-identifier/CepCode-BR | 
| arn:aws:dataprotection::aws:data-identifier/Cnpj-BR | 
| arn:aws:dataprotection::aws:data-identifier/CpfCode-BR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-AT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-AU | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-BE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-BG | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-CA | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-CY | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-CZ | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-DE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-DK | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-EE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-ES | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-FI | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-FR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-GB | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-GR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-HR | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-HU | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-IE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-IT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-LT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-LU | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-LV | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-MT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-NL | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-PL | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-PT | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-RO | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-SE | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-SI | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-SK | 
| arn:aws:dataprotection::aws:data-identifier/DriversLicense-US | 
| arn:aws:dataprotection::aws:data-identifier/ElectoralRollNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/EmailAddress | 
| arn:aws:dataprotection::aws:data-identifier/IndividualTaxIdentificationNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/InseeCode-FR | 
| arn:aws:dataprotection::aws:data-identifier/LatLong | 
| arn:aws:dataprotection::aws:data-identifier/Name | 
| arn:aws:dataprotection::aws:data-identifier/NationalIdentificationNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/NationalIdentificationNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/NationalIdentificationNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/NieNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/NifNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-CA | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/PassportNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/PermanentResidenceNumber-CA | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-BR | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-DE | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-ES | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-FR | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-GB | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-IT | 
| arn:aws:dataprotection::aws:data-identifier/PhoneNumber-US | 
| arn:aws:dataprotection::aws:data-identifier/PostalCode-CA | 
| arn:aws:dataprotection::aws:data-identifier/RgNumber-BR | 
| arn:aws:dataprotection::aws:data-identifier/SocialInsuranceNumber-CA | 
| arn:aws:dataprotection::aws:data-identifier/Ssn-ES | 
| arn:aws:dataprotection::aws:data-identifier/Ssn-US | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-DE | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-ES | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-FR | 
| arn:aws:dataprotection::aws:data-identifier/TaxId-GB | 
| arn:aws:dataprotection::aws:data-identifier/VehicleIdentificationNumber | 
| arn:aws:dataprotection::aws:data-identifier/ZipCode-US | 

# Custom data identifiers
<a name="CWL-custom-data-identifiers"></a>

**Topics**
+ [What are custom data identifiers?](#what-are-custom-data-identifiers)
+ [Custom data identifier constraints](#custom-data-identifiers-constraints)
+ [Using custom data identifiers in the console](#using-custom-data-identifiers-console)
+ [Using custom data identifiers in your data protection policy](#using-custom-data-identifiers)

## What are custom data identifiers?
<a name="what-are-custom-data-identifiers"></a>

Custom data identifiers (CDIs) let you define your own custom regular expressions that can be used in your data protection policy. Using custom data identifiers, you can target business-specific personally identifiable information (PII) use cases that [managed data identifiers](CWL-managed-data-identifiers.md) can't provide. For example, you can use a custom data identifier to look for company-specific employee IDs. Custom data identifiers can be used in conjunction with managed data identifiers.

## Custom data identifier constraints
<a name="custom-data-identifiers-constraints"></a>

CloudWatch Logs custom data identifiers have the following limitations:
+ A maximum of 10 custom data identifiers are supported for each data protection policy.
+ Custom data identifier names have a maximum length of 128 characters. The following characters are supported:
  + Alphanumeric: (a-zA-Z0-9)
  + Symbols: ( '_' | '-' )
+ RegEx has a maximum length of 200 characters. The following characters are supported:
  + Alphanumeric: (a-zA-Z0-9)
  + Symbols: ( '_' | '#' | '=' | '@' | '/' | ';' | ',' | '-' | ' ' )
  + RegEx reserved characters: ( '^' | '$' | '?' | '[' | ']' | '{' | '}' | '|' | '\\' | '*' | '+' | '.' ) 
+ Custom data identifiers cannot share the same name as a managed data identifier.
+ Custom data identifiers can be specified within an account-level data protection policy or in log group-level data protection policies. Similar to managed data identifiers, custom data identifiers defined within an account-level policy work in combination with custom data identifiers defined in a log group-level policy.

## Using custom data identifiers in the console
<a name="using-custom-data-identifiers-console"></a>

When you use the CloudWatch console to create or edit a data protection policy, you specify a custom data identifier by entering a name and a regular expression for it. For example, you might enter **Employee_ID** for the name and `EmployeeID-\d{9}` for the regular expression. This regular expression detects and masks occurrences of `EmployeeID-` followed by exactly nine digits, for example `EmployeeID-123456789`.

## Using custom data identifiers in your data protection policy
<a name="using-custom-data-identifiers"></a>

If you are using the AWS CLI or AWS API to specify a custom data identifier, you need to include the data identifier name and regular expression in the JSON policy used to define the data protection policy. The following data protection policy detects and masks log events that carry company-specific employee IDs.

1. Create a `Configuration` block within your data protection policy.

1. Enter a `Name` for your custom data identifier. For example, **EmployeeId**.

1. Enter a `Regex` for your custom data identifier. For example, `EmployeeID-\d{9}`. This regular expression matches `EmployeeID-` followed by exactly nine digits, for example `EmployeeID-123456789`. Remember that the JSON encoding of the policy doubles the backslash (`\\d`).

1. Refer to the custom data identifier by its `Name` in the `DataIdentifier` list of each policy statement that should audit or mask it, as in the following policy. (Managed data identifiers are referenced by their ARN instead.)

   ```
   {
       "Name": "example_data_protection_policy",
       "Description": "Example data protection policy with custom data identifiers",
       "Version": "2021-06-01",
       "Configuration": {
           "CustomDataIdentifier": [
               {"Name": "EmployeeId", "Regex": "EmployeeID-\\d{9}"}
           ]
       },
       "Statement": [
           {
               "Sid": "audit-policy",
               "DataIdentifier": [
                   "EmployeeId"
               ],
               "Operation": {
                   "Audit": {
                       "FindingsDestination": {
                           "S3": {
                               "Bucket": "EXISTING_BUCKET"
                           }
                       }
                   }
               }
           },
           {
               "Sid": "redact-policy",
               "DataIdentifier": [
                   "EmployeeId"
               ],
               "Operation": {
                   "Deidentify": {
                       "MaskConfig": {
                       }
                   }
               }
           }
       ]
   }
   ```

1. (Optional) Continue to add additional **custom data identifiers** to the `Configuration` block as needed. Data protection policies currently support a maximum of 10 custom data identifiers.
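The following is an added example, not code from the CloudWatch Logs documentation. It serves both the constraint list under "Custom data identifier constraints" and the procedure above: it builds the policy shown above as a Python dict, checks it against the custom data identifier constraints before anything is sent to AWS (count, name and regex length, supported character sets, no collision with a managed identifier name, and every statement referencing an identifier that exists), runs an offline dry run of the masking over constructed log lines, and finally applies the policy with the `PutDataProtectionPolicy` API through boto3. Assumptions: the set of managed identifier names is a small subset copied from the PII ARN table; the dry run replaces matches with asterisks of equal length and relies on Python's `re` dialect agreeing with the service for this simple pattern (the service's real output format is not reproduced); `EXISTING_BUCKET` and the log group identifier are placeholders; the sample log lines and employee IDs are constructed.

```python
"""Pre-flight checks, an offline masking dry run, and the API call for a
CloudWatch Logs data protection policy that uses custom data identifiers."""
import json
import re

# Limits from the "Custom data identifier constraints" list on this page.
MAX_CUSTOM_IDENTIFIERS = 10
MAX_NAME_LEN = 128
MAX_REGEX_LEN = 200
NAME_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")
# Alphanumerics, the listed symbols and the listed regex metacharacters.
# Parentheses are absent from the supported set, so (group) syntax is rejected.
REGEX_CHARS = re.compile(r"^[A-Za-z0-9_#=@/;,\- ^$?\[\]{}|\\*+.]+$")
MANAGED_ARN_PREFIX = "arn:aws:dataprotection::aws:data-identifier/"
# Assumed subset of managed identifier names (last ARN segment) that a custom
# identifier may not reuse; extend it from the full ARN tables.
MANAGED_NAMES = {"Address", "EmailAddress", "Name", "LatLong", "Ssn-US"}


def build_policy(bucket: str) -> dict:
    """The page's example policy as a dict; the bucket name is a placeholder."""
    cdi = [{"Name": "EmployeeId", "Regex": r"EmployeeID-\d{9}"}]
    audit = {"Audit": {"FindingsDestination": {"S3": {"Bucket": bucket}}}}
    mask = {"Deidentify": {"MaskConfig": {}}}
    return {
        "Name": "example_data_protection_policy",
        "Description": "Example data protection policy with custom data identifiers",
        "Version": "2021-06-01",
        "Configuration": {"CustomDataIdentifier": cdi},
        "Statement": [
            {"Sid": "audit-policy", "DataIdentifier": ["EmployeeId"], "Operation": audit},
            {"Sid": "redact-policy", "DataIdentifier": ["EmployeeId"], "Operation": mask},
        ],
    }


def validate_policy(policy: dict) -> list:
    """Return the constraint violations found; an empty list means it passes."""
    problems = []
    cdis = policy.get("Configuration", {}).get("CustomDataIdentifier", [])
    if len(cdis) > MAX_CUSTOM_IDENTIFIERS:
        problems.append(f"{len(cdis)} custom identifiers, limit is {MAX_CUSTOM_IDENTIFIERS}")
    names = set()
    for cdi in cdis:
        name, regex = cdi.get("Name", ""), cdi.get("Regex", "")
        if not name or len(name) > MAX_NAME_LEN or not NAME_CHARS.match(name):
            problems.append(f"invalid name {name!r}")
        if name in MANAGED_NAMES:
            problems.append(f"name {name!r} collides with a managed data identifier")
        if name in names:
            problems.append(f"duplicate name {name!r}")
        names.add(name)
        if not regex or len(regex) > MAX_REGEX_LEN or not REGEX_CHARS.match(regex):
            problems.append(f"regex for {name!r} is too long or uses an unsupported character")
        else:
            try:
                re.compile(regex)
            except re.error as exc:
                problems.append(f"regex for {name!r} does not compile: {exc}")
    # Statements reference managed identifiers by ARN and custom ones by name.
    for stmt in policy.get("Statement", []):
        for ident in stmt.get("DataIdentifier", []):
            if not ident.startswith(MANAGED_ARN_PREFIX) and ident not in names:
                problems.append(f"statement {stmt.get('Sid')!r} references unknown identifier {ident!r}")
    return problems


def mask_line(line: str, policy: dict) -> str:
    """Offline approximation of masking: each custom-identifier match becomes
    asterisks of the same length (assumption: Python's re dialect matches the
    service's for this pattern; the real output format is not reproduced)."""
    for cdi in policy["Configuration"]["CustomDataIdentifier"]:
        line = re.sub(cdi["Regex"], lambda m: "*" * len(m.group(0)), line)
    return line


def apply_policy(log_group_identifier: str, policy: dict) -> dict:
    """Apply the policy to one log group via the API (needs boto3 and credentials)."""
    import boto3  # imported here so the offline checks run without it

    if validate_policy(policy):
        raise ValueError("policy fails the constraint checks; not applying")
    return boto3.client("logs").put_data_protection_policy(
        logGroupIdentifier=log_group_identifier,
        policyDocument=json.dumps(policy),
    )


# Constructed sample log lines; the employee IDs are fictitious.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z INFO login ok user=EmployeeID-123456789 ip=10.0.0.5",
    "2024-05-01T10:00:01Z WARN badge read failed for EmployeeID-12345",
    "2024-05-01T10:00:02Z INFO transfer EmployeeID-987654321 -> EmployeeID-111222333",
]

if __name__ == "__main__":
    policy = build_policy("EXISTING_BUCKET")
    print("violations:", validate_policy(policy) or "none")
    for line in SAMPLE_LINES:
        print(mask_line(line, policy))
    # apply_policy("my-log-group", policy)  # uncomment with credentials in place
```

The second sample line is the edge case worth keeping in a test set: a five-digit ID does not match `\d{9}` and therefore passes through unmasked, which is the kind of near-miss that a regex tuned only on the happy path silently leaks. Run the dry run against a sample of real (already scrubbed) log lines before applying the policy, and remember that masking applies only to events ingested after the policy is set.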