Pre-defined data masking functions - Amazon Aurora
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Pre-defined data masking functions

pg_columnmask extension provides built-in utility functions written in C language (for faster execution) which can be used as masking expression for pg_columnmask policies.

mask_text

A function to mask text data with configurable visibility options.

Arguments

Parameter Datatype Description
input TEXT

The original text string to be masked
mask_char CHAR(1)

Character used for masking (default: 'X')
visible_prefix INT

Number of characters at the beginning of input text that will remain unmasked (default: 0)
visible_suffix INT

Number of characters at the end of input text that will remain unmasked (default: 0)
use_hash_mask BOOLEAN

If TRUE, uses a hash-based masking instead of mask_char (default: FALSE)
Example of using different masking options

Mask the entire input string with the default 'X' character

postgres=> SELECT pgcolumnmask.mask_text('Hello World');
  mask_text  
-------------
 XXXXXXXXXXX

Use the mask_char argument to mask text input using a different character

postgres=> SELECT pgcolumnmask.mask_text('Hello World', '*');
  mask_text  
-------------
 ***********

Use visible_prefix and visible_suffix parameters to control how many characters remain unmasked at the start and end of the text

postgres=> SELECT pgcolumnmask.mask_text('Hello World', '*', 5, 1);
  mask_text  
-------------
 Hello*****d

When use_hash_mask is true the input string is masked using random characters mask_char argument is ignored but visible_prefix and visible_suffix are still honored

postgres=> SELECT pgcolumnmask.mask_text('Hello World', '*', 2, 2, true);
  mask_text  
-------------
 Hex36dOHild

mask_timestamp

Parameter Datatype Description
ts_to_mask TIMESTAMP

The original timestamp to be masked
mask_part TEXT

Specifies which part of the timestamp to mask (default: 'all') Valid values: 'year', 'month', 'day', 'hour', 'minute', 'second', 'all'
mask_value TIMESTAMP

The timestamp value to use for masking (default: '1900-01-01 00:00:00')
Example of using mask_timestamps

These examples demonstrate complete timestamp masking to a default value, partial masking of specific timestamp components (year only), and masking with a custom replacement value.

Completely mask input value to the default timestamp

postgres=> SELECT pgcolumnmask.mask_timestamp('2023-06-15 14:30:00');
   mask_timestamp    
---------------------
 1900-01-01 00:00:00

To mask only one part of the timestamp from example only the year

postgres=> SELECT pgcolumnmask.mask_timestamp('2023-06-15 14:30:00', 'year');
   mask_timestamp    
---------------------
 1900-06-15 14:30:00

To change the masked value for timestamp use the mask_value argument

postgres=> SELECT pgcolumnmask.mask_timestamp('2023-06-15 14:30:00', 'all', '2012-12-12 12:12:12');
   mask_timestamp    
---------------------
 2012-12-12 12:12:12

mask_timestamp

A function to mask email addresses while preserving email structure.

Parameter Datatype Description
input TEXT

The original email address to be masked
mask_char CHAR(1)

Character used for masking (default: 'X')
mask_local BOOLEAN

If TRUE, masks the local part of email (before @) (default: TRUE)
mask_domain BOOLEAN

If TRUE, masks the domain part of email (after @) (default: TRUE)
Example of using mask_email

These examples demonstrate complete email masking, custom mask characters, and selective masking of either the local part or domain part of the email address.

Complete masking

postgres=> SELECT pgcolumnmask.mask_email('user@example.com');
    mask_email    
------------------
 XXXX@XXXXXXX.com

Use mask_char to change the character used for masking

postgres=> SELECT pgcolumnmask.mask_email('user@example.com', '*');
    mask_email    
------------------
 ****@*******.com

Use mask_local and mask_domain to control masking on local and domain

postgres=> SELECT pgcolumnmask.mask_email('user@example.com', '*', true, false);
    mask_email    
------------------
 ****@example.com

postgres=> SELECT pgcolumnmask.mask_email('user@example.com', '*', false, true);
    mask_email    
------------------
 user@*******.com