DataProtectionPolicyProps

class aws_cdk.aws_logs.DataProtectionPolicyProps(*, identifiers, delivery_stream_name_audit_destination=None, description=None, log_group_audit_destination=None, name=None, s3_bucket_audit_destination=None)

Bases: object

Properties for creating a data protection policy.

Parameters:
  • identifiers (Sequence[DataIdentifier]) – List of data protection identifiers. Managed data identifiers must be in the following list: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-managed-data-identifiers.html. Custom data identifiers must have a valid regex defined; see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html#custom-data-identifiers-constraints

  • delivery_stream_name_audit_destination (Optional[str]) – Amazon Kinesis Data Firehose delivery stream to send audit findings to. The delivery stream must already exist. Default: no Firehose delivery stream audit destination

  • description (Optional[str]) – Description of the data protection policy. Default: ‘cdk generated data protection policy’

  • log_group_audit_destination (Optional[ILogGroup]) – CloudWatch Logs log group to send audit findings to. The log group must already exist prior to creating the data protection policy. Default: no CloudWatch Logs audit destination

  • name (Optional[str]) – Name of the data protection policy. Default: ‘data-protection-policy-cdk’

  • s3_bucket_audit_destination (Optional[IBucket]) – S3 bucket to send audit findings to. The bucket must already exist. Default: no S3 bucket audit destination

ExampleMetadata:

infused

Example:

from aws_cdk import aws_logs as logs
from aws_cdk import aws_s3 as s3
import aws_cdk.aws_kinesisfirehose_alpha as kinesisfirehose
import aws_cdk.aws_kinesisfirehose_destinations_alpha as destinations

# `self` is the enclosing Stack (or Construct) in which these resources are defined.

# Audit destinations must exist before the policy is created, so they are defined first.
log_group_destination = logs.LogGroup(self, "LogGroupLambdaAudit",
    log_group_name="auditDestinationForCDK"
)

bucket = s3.Bucket(self, "audit-bucket")
s3_destination = destinations.S3Bucket(bucket)

delivery_stream = kinesisfirehose.DeliveryStream(self, "Delivery Stream",
    destinations=[s3_destination]
)

data_protection_policy = logs.DataProtectionPolicy(
    name="data protection policy",
    description="policy description",
    identifiers=[
        logs.DataIdentifier.DRIVERSLICENSE_US,  # managed data identifier
        logs.DataIdentifier("EmailAddress"),  # forward compatibility for new managed data identifiers
        logs.CustomDataIdentifier("EmployeeId", r"EmployeeId-\d{9}")  # custom data identifier (raw string so `\d` reaches the service intact)
    ],
    log_group_audit_destination=log_group_destination,
    s3_bucket_audit_destination=bucket,
    delivery_stream_name_audit_destination=delivery_stream.delivery_stream_name
)

# Attach the policy to the log group whose events should be audited and masked.
logs.LogGroup(self, "LogGroupLambda",
    log_group_name="cdkIntegLogGroup",
    data_protection_policy=data_protection_policy
)

Attributes

delivery_stream_name_audit_destination

Amazon Kinesis Data Firehose delivery stream to send audit findings to.

The delivery stream must already exist.

Default: no Firehose delivery stream audit destination

description

Description of the data protection policy.

Default: ‘cdk generated data protection policy’

identifiers

List of data protection identifiers.

Managed data identifiers must be in the following list: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-managed-data-identifiers.html. Custom data identifiers must have a valid regex defined; see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html#custom-data-identifiers-constraints

log_group_audit_destination

CloudWatch Logs log group to send audit findings to.

The log group must already exist prior to creating the data protection policy.

Default: no CloudWatch Logs audit destination

name

Name of the data protection policy.

Default: ‘data-protection-policy-cdk’

s3_bucket_audit_destination

S3 bucket to send audit findings to.

The bucket must already exist.

Default: no S3 bucket audit destination