Closed
Labels: @aws-cdk/aws-logs (Related to Amazon CloudWatch Logs), bug, effort/small, good first issue, p2
Description
Discussed in #26669
Originally posted by ericxinzhang August 8, 2023
I'd like to apply a data protection policy to a log group and followed the documentation exactly, but it's not working.
I believe the reason is that somehow, in the generated CFN template, all the field names (e.g. `statement`) of the DataProtectionPolicy property for the log group are in lower case, while they should be in uppercase as per the doc.
I tried `cdk deploy` and the template can be deployed successfully, but the policy is not taking effect.
Could someone please enlighten me as to what I did wrong here?
Please refer to the following console log for details.
```console
➜ data-protection git:(main) ✗ cdk init --language typescript app
Applying project template app for typescript
# Welcome to your CDK TypeScript project
This is a blank project for CDK development with TypeScript.
The `cdk.json` file tells the CDK Toolkit how to execute your app.
## Useful commands
* `npm run build` compile typescript to js
* `npm run watch` watch for changes and compile
* `npm run test` perform the jest unit tests
* `cdk deploy` deploy this stack to your default AWS account/region
* `cdk diff` compare deployed stack with current state
* `cdk synth` emits the synthesized CloudFormation template
Executing npm install...
✅ All done!
➜ data-protection git:(main) ✗ cdk --version
2.90.0 (build 8c535e4)
➜ data-protection git:(main) ✗ cat bin/data-protection.ts
```

```typescript
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { DataProtectionStack } from '../lib/data-protection-stack';

const app = new cdk.App();
new DataProtectionStack(app, 'DataProtectionStack', {
});
```

```console
➜ data-protection git:(main) ✗ cat lib/data-protection-stack.ts
```

```typescript
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class DataProtectionStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const dataProtectionPolicy = new cdk.aws_logs.DataProtectionPolicy({
      name: "EmailAndLatLngProrectionPolicy",
      identifiers: [
        cdk.aws_logs.DataIdentifier.EMAILADDRESS,
        cdk.aws_logs.DataIdentifier.LATLONG,
      ],
    });

    new cdk.aws_logs.LogGroup(this, "TestLogGroup", {
      logGroupName: "TestLogGroup",
      dataProtectionPolicy,
    });
  }
}
```

```console
➜ data-protection git:(main) ✗ cdk synth
```

```yaml
Resources:
  TestLogGroup4EEF7AD4:
    Type: AWS::Logs::LogGroup
    Properties:
      DataProtectionPolicy:
        name: EmailAndLatLngProrectionPolicy
        description: cdk generated data protection policy
        version: "2021-06-01"
        statement:
          - sid: audit-statement-cdk
            dataIdentifier:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/EmailAddress
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/LatLong
            operation:
              audit:
                findingsDestination: {}
          - sid: redact-statement-cdk
            dataIdentifier:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/EmailAddress
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/LatLong
            operation:
              deidentify:
                maskConfig: {}
      RetentionInDays: 731
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: DataProtectionStack/TestLogGroup/Resource
... (omitted)
```
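As an added example (not code from the issue or from aws-cdk): a dependency-free TypeScript check that a DataProtectionPolicy document taken from a synthesized template uses the PascalCase key names of the CloudWatch Logs policy syntax, plus a helper that rewrites a lowercase document to that casing. The function names, the key table and the constructed sample policy (mirroring the synth output above, with the Fn::Join ARNs written out) are assumptions; the point is that a template with the wrong casing deploys cleanly but the policy does not take effect, so this belongs in a CI assertion on synthesized output.

```typescript
interface JsonObject { [key: string]: Json }
type Json = JsonObject | Json[] | string | number | boolean | null;

// Documented key names by the object they appear in ("" = policy root). Levels not listed
// here (data-identifier ARNs, CFN intrinsics, findings destinations) are not inspected.
const DOCUMENTED_KEYS: { [parent: string]: string[] } = {
  "": ["Name", "Description", "Version", "Statement"], Statement: ["Sid", "DataIdentifier", "Operation"],
  Operation: ["Audit", "Deidentify"], Audit: ["FindingsDestination"], Deidentify: ["MaskConfig"],
};

// The documented name that matches `key` ignoring case, or undefined if unknown at this level.
function canonicalName(parent: string, key: string): string | undefined {
  return (DOCUMENTED_KEYS[parent] || []).filter((n) => n.toLowerCase() === key.toLowerCase())[0];
}

// Lists every key that differs from its documented name only in case, with its location.
function findMiscasedKeys(node: Json, parent = "", path = "$"): string[] {
  if (node === null || typeof node !== "object" || !(parent in DOCUMENTED_KEYS)) return [];
  if (Array.isArray(node)) // Statement is a list; each element is checked at the same level
    return node.reduce<string[]>((acc, item, i) => acc.concat(findMiscasedKeys(item, parent, `${path}[${i}]`)), []);
  const problems: string[] = [];
  for (const key of Object.keys(node)) {
    const canonical = canonicalName(parent, key);
    if (canonical === undefined) continue; // not a key this check knows about
    if (canonical !== key) problems.push(`${path}.${key} (expected ${canonical})`);
    problems.push(...findMiscasedKeys(node[key], canonical, `${path}.${canonical}`));
  }
  return problems;
}

// Returns a copy with known keys renamed to their documented casing; values are untouched.
function toDocumentedCasing(node: Json, parent = ""): Json {
  if (node === null || typeof node !== "object" || !(parent in DOCUMENTED_KEYS)) return node;
  if (Array.isArray(node)) return node.map((item) => toDocumentedCasing(item, parent));
  const fixed: JsonObject = {};
  for (const key of Object.keys(node)) {
    const canonical = canonicalName(parent, key) || key;
    fixed[canonical] = toDocumentedCasing(node[key], canonical);
  }
  return fixed;
}

// Constructed sample mirroring the issue's synthesized output (Fn::Join ARNs written out).
const SYNTHESIZED_POLICY: Json = {
  name: "EmailAndLatLngProrectionPolicy", description: "cdk generated data protection policy",
  version: "2021-06-01",
  statement: [
    { sid: "audit-statement-cdk", dataIdentifier: ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"],
      operation: { audit: { findingsDestination: {} } } },
    { sid: "redact-statement-cdk", dataIdentifier: ["arn:aws:dataprotection::aws:data-identifier/LatLong"],
      operation: { deidentify: { maskConfig: {} } } },
  ],
};
```

Running `findMiscasedKeys` over the `DataProtectionPolicy` value of a synthesized template reports every lowercase key (14 for the sample above); `toDocumentedCasing` yields the form the CloudWatch Logs documentation shows.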