Additional security considerations for the Tools for PowerShell - Amazon Tools for PowerShell (version 4)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Additional security considerations for the Tools for PowerShell

This topic contains security considerations in addition to the security topics covered in earlier sections.

Logging of sensitive information

Some operations of this tool might return information that could be considered sensitive, including information from environment variables. The exposure of this information might represent a security risk in certain scenarios; for example, the information could be included in continuous integration and continuous deployment (CI/CD) logs. It is therefore important to review when you include such output in your logs, and to suppress the output when it is not needed. For additional information about protecting sensitive data, see Data protection in this Amazon product or service.

Consider the following best practices:

  • Do not use environment variables to store sensitive values for your serverless resources. Instead, have your serverless code programmatically retrieve the secret from a secrets store (for example, Amazon Secrets Manager).

  • Review the contents of your build logs to ensure they do not contain sensitive information. Consider approaches such as piping to /dev/null or capturing the output as a bash or PowerShell variable to suppress command outputs.

  • Consider who has access to your logs, and scope that access appropriately for your use case.
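
The following PowerShell sketch is an added example, not code from the Tools for PowerShell documentation. It shows the output-suppression practice in a build step: every output stream of a command is captured in a variable, then either discarded or masked before anything reaches the build log. The names `Protect-LogText`, `Invoke-Quietly`, `DEMO_API_TOKEN` and the secret ID `demo/app/secret` are hypothetical, and the sample values are constructed.

```powershell
function Protect-LogText {
    # Mask the values of sensitive-looking environment variables and any
    # access key IDs found in text that is about to be written to a log.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Text,
        [string]$NamePattern = 'SECRET|TOKEN|PASSWORD|SESSION|ACCESS_KEY'
    )
    foreach ($var in Get-ChildItem Env:) {
        # Skip short values so common substrings are not masked by accident.
        if ($var.Name -match $NamePattern -and $var.Value.Length -ge 8) {
            $Text = $Text.Replace($var.Value, "<redacted:$($var.Name)>")
        }
    }
    # Access key IDs (long-term AKIA, temporary ASIA) wherever they appear.
    [regex]::Replace($Text, '\b(AKIA|ASIA)[0-9A-Z]{16}\b', '<redacted:access-key-id>')
}

function Invoke-Quietly {
    # Run a command, capture all of its output streams in a variable, and
    # return only the redacted text (or nothing at all with -Discard).
    param(
        [Parameter(Mandatory)][scriptblock]$Command,
        [switch]$Discard
    )
    $captured = & $Command *>&1 | Out-String
    if ($Discard) { return }   # same effect as piping the command to Out-Null
    Protect-LogText -Text $captured
}

# Constructed sample input: a fake token in an environment variable and a
# documentation-style example access key ID emitted on the warning stream.
$env:DEMO_API_TOKEN = 'constructed-token-0123456789'
$log = Invoke-Quietly {
    "Deploying with token $env:DEMO_API_TOKEN"
    Write-Warning 'caller key is AKIAIOSFODNN7EXAMPLE'
}
$log   # neither the token value nor the key ID appears in this text

# In serverless code, read the secret at run time instead of from an
# environment variable (needs AWS.Tools.SecretsManager and credentials;
# the secret ID is a placeholder):
# $secret = (Get-SECSecretValue -SecretId 'demo/app/secret').SecretString
```

Redaction of this kind is a backstop for output you have decided to keep; output that is not needed in the log is better discarded outright with `-Discard` or `Out-Null`.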