Request: redact plaintext in kms calls in debug logging
Since kms can be used to encrypt sensitive data, leaking that data to disk is quite possible if users are not careful when enabling debug logging. It might be prudent to treat kms as a special case and make sure that plaintext is redacted before being logged.
KMS is specifically server side encryption so it isn't going to get encrypted before being logged. Redacted possibly, but not encrypted since that would be client side encryption.
Marking this as a feature request.
Thanks, I misspoke when I said

> that plaintext is encrypted before being logged

I totally meant redacted. Thanks a bunch for the response!
I'm using the following filter to achieve this. It redacts more than just the sensitive KMS data, but it may be a useful starting point for others:
```python
import logging


def redact_kms_logs(record: logging.LogRecord) -> bool:
    """Redact the plaintext entries in KMS log records."""
    if record.levelno > logging.DEBUG:
        return True
    # botocore.parsers logs request/response bodies and headers at DEBUG.
    # record.msg is not always a str (it can be an exception object), so guard the check.
    if isinstance(record.msg, str) and ('body' in record.msg or 'headers' in record.msg):
        # Replace every interpolation argument so the formatter never sees the payload.
        if isinstance(record.args, tuple):
            record.args = ('REDACTED',) * len(record.args)
        elif isinstance(record.args, dict):
            record.args = {key: 'REDACTED' for key in record.args}
        else:
            # No args: the payload is already baked into the message text itself.
            # (Setting args to a bare string here would raise during formatting and
            # logging's error handler would print the original message to stderr.)
            record.msg = 'REDACTED'
            record.args = None
    return True


logging.getLogger('botocore.parsers').addFilter(redact_kms_logs)
```
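As an added example (not code from this issue or from botocore), the filter below takes the same approach but redacts only the `Plaintext` value inside a JSON response body, so the rest of the record (KeyId, CiphertextBlob) stays available for troubleshooting. It assumes the parser logs the body as a `%s`-interpolated string containing JSON with a `"Plaintext"` key; the logger name, message prefix and sample body are constructed for the demonstration, and `capture_debug_log` exists only to show what the handler actually writes.

```python
import io
import json
import logging
import re

# Constructed sample of a KMS Decrypt-style response body; the real botocore
# message format may differ, so the "Response body:" prefix is an assumption.
SAMPLE_KMS_BODY = json.dumps({
    "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "Plaintext": "U0VDUkVUIERBVEE=",  # base64 of "SECRET DATA" (constructed)
    "CiphertextBlob": "AQICAHhEXAMPLE...",
})

# Matches a JSON "Plaintext": "<value>" pair; only the value is replaced.
_PLAINTEXT_RE = re.compile(r'("Plaintext"\s*:\s*")([^"]*)(")')


def redact_message(message: str) -> str:
    """Return the message with any Plaintext value replaced by <REDACTED>."""
    return _PLAINTEXT_RE.sub(r"\1<REDACTED>\3", message)


def redact_kms_plaintext(record: logging.LogRecord) -> bool:
    """Logging filter that scrubs Plaintext values from DEBUG records.

    The message is rendered once, redacted, and the args are cleared so the
    formatter cannot re-interpolate the unredacted values later.
    """
    if record.levelno > logging.DEBUG:
        return True
    try:
        message = record.getMessage()
    except Exception:
        # Malformed format string: leave the record alone rather than crash.
        return True
    if "Plaintext" in message:
        record.msg = redact_message(message)
        record.args = ()
    return True


def capture_debug_log(body: str, logger_name: str = "example.kms.parsers") -> str:
    """Log a parser-style DEBUG line through the filter and return the output.

    logger_name is a constructed stand-in for 'botocore.parsers' so the demo
    does not alter the real logger's level or handlers.
    """
    stream = io.StringIO()
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(redact_kms_plaintext)
    try:
        logger.debug("Response body:\n%s", body)
    finally:
        logger.removeFilter(redact_kms_plaintext)
        logger.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(capture_debug_log(SAMPLE_KMS_BODY))
```

Because the filter rewrites `record.msg` after rendering, it works regardless of how many handlers or formatters are attached downstream; a blanket `'REDACTED'` for every argument (as in the filter above) is the safer choice when you cannot be sure which field carries the secret.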