keep plaintext data keys in KMS responses out of logs #54

@mattsb42-aws

Problem

At DEBUG level output, botocore currently logs the full response of each API call. In the case of our use, this includes the plaintext of data keys as they are being generated or decrypted by KMS.

By enabling the most verbose level of debug output for this CLI (-vvvv), you do end up with DEBUG level output for botocore.

Options

  1. Work with botocore team to redact KMS responses in botocore.
  2. We are already applying a custom filter to the root handler. We can extend that filter to catch and redact all KMS responses.
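
A sketch of option 2, added here as an example and not taken from the issue or the project's code: a `logging.Filter` that rewrites botocore records so the `Plaintext` field of a KMS response is masked before any handler writes it. The class name, the placeholder text and the sample response line are constructed for illustration, and the exact shape of botocore's DEBUG output is an assumption.

```python
import logging
import re

REDACTED = '"<redacted>"'
# Matches a "Plaintext" field in a raw JSON body or in the repr of a parsed
# dict, including b'...' values and backslash-escaped quotes inside the value.
_PLAINTEXT = re.compile(
    r"""(["']Plaintext["']\s*:\s*)(?:b?"(?:\\.|[^"\\])*"|b?'(?:\\.|[^'\\])*')"""
)


class KmsPlaintextFilter(logging.Filter):
    """Rewrite botocore records so KMS plaintext data keys never reach a handler."""

    def filter(self, record):
        if record.name.startswith("botocore"):
            # Render first so values passed as %-style arguments are covered.
            message = record.getMessage()
            cleaned = _PLAINTEXT.sub(lambda m: m.group(1) + REDACTED, message)
            if cleaned != message:
                record.msg, record.args = cleaned, ()
        return True  # keep the record; only its content changes


def redact_demo():
    """Emit one constructed KMS-style response line and return what was logged."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())

    handler = ListHandler()
    handler.addFilter(KmsPlaintextFilter())
    logger = logging.getLogger("botocore.parsers")
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    # Constructed sample body; the "key" is a dummy base64 string.
    body = (b'{"CiphertextBlob":"AQIDBA==","KeyId":"example-key-id",'
            b'"Plaintext":"ZHVtbXkta2V5LWJ5dGVz"}')
    try:
        logger.debug("Response body:\n%s", body)
    finally:
        logger.removeHandler(handler)
    return captured


if __name__ == "__main__":
    print(redact_demo()[0])
```

The filter is attached to the handler, not to a logger, because Python applies logger-level filters only to records created on that logger, while a handler's filters see every record that propagates to it.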
