feat(logs): support data protection custom data identifiers

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json

@@ -20,6 +20,14 @@
      "name": "policy-name",
      "description": "policy description",
      "version": "2021-06-01",
+     "configuration": {
+      "customDataIdentifier": [
+       {
+        "name": "EmployeeId",
+        "regex": "EmployeeId-\\d{9}"
+       }
+      ]
+     },
      "statement": [
       {
        "sid": "audit-statement-cdk",
@@ -47,7 +55,8 @@
            ":dataprotection::aws:data-identifier/EmailAddress"
           ]
          ]
-        }
+        },
+        "EmployeeId"
        ],
        "operation": {
         "audit": {
@@ -92,7 +101,8 @@
            ":dataprotection::aws:data-identifier/EmailAddress"
           ]
          ]
-        }
+        },
+        "EmployeeId"
        ],
        "operation": {
         "deidentify": {

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.ts

@@ -14,7 +14,7 @@ class LogGroupIntegStack extends Stack {
     const dataProtectionPolicy = new DataProtectionPolicy({
       name: 'policy-name',
       description: 'policy description',
-      identifiers: [DataIdentifier.DRIVERSLICENSE_US, new DataIdentifier('EmailAddress')],
+      identifiers: [DataIdentifier.DRIVERSLICENSE_US, new DataIdentifier('EmailAddress'), new DataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')],
       logGroupAuditDestination: audit,
       s3BucketAuditDestination: bucket,
     });

packages/aws-cdk-lib/aws-logs/README.md

@@ -342,9 +342,11 @@ Creates a data protection policy and assigns it to the log group. A data protect
 
 For more information, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html).
 
-For a list of types of identifiers that can be audited and masked, see [Types of data that you can protect](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/protect-sensitive-log-data-types.html)
+For a list of types of managed identifiers that can be audited and masked, see [Types of data that you can protect](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/protect-sensitive-log-data-types.html).
 
-If a new identifier is supported but not yet in the `DataIdentifiers` enum, the full ARN of the identifier can be supplied in `identifierArnStrings` instead. 
+If a new identifier is supported but not yet in the `DataIdentifiers` enum, the name of the identifier can be supplied as `name` in the constructor instead. 
+
+To add a custom data identifier, supply a custom `name` and `regex` to the `DataIdentifiers` constructor. For more information on custom data identifiers, see [Custom data identifiers](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html).
 
 Each policy may consist of a log group, S3 bucket, and/or Firehose delivery stream audit destination.  
 
@@ -368,7 +370,10 @@ const deliveryStream = new kinesisfirehose.DeliveryStream(this, 'Delivery Stream
 const dataProtectionPolicy = new logs.DataProtectionPolicy({
   name: 'data protection policy',
   description: 'policy description',
-  identifiers: [logs.DataIdentifier.DRIVERSLICENSE_US, new logs.DataIdentifier('EmailAddress')],
+  identifiers: [
+    logs.DataIdentifier.DRIVERSLICENSE_US, // managed data identifier
+    new logs.DataIdentifier('EmailAddress'), // forward compatibility for new managed data identifiers
+    new logs.DataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')], // custom data identifier
   logGroupAuditDestination: logGroupDestination,
   s3BucketAuditDestination: bucket,
   deliveryStreamNameAuditDestination: deliveryStream.deliveryStreamName,

packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts

@@ -43,21 +43,30 @@ export class DataProtectionPolicy {
       };
     }
 
-    const identifierArns: string[] = [];
+    const identifiers: string[] = [];
+    const customDataIdentifiers: CustomDataIdentifier[] = [];
     for (let identifier of this.dataProtectionPolicyProps.identifiers) {
-      identifierArns.push(Stack.of(_scope).formatArn({
-        resource: 'data-identifier',
-        region: '',
-        account: 'aws',
-        service: 'dataprotection',
-        resourceName: identifier.toString(),
-      }));
+      if (identifier.regex) {
+        identifiers.push(identifier.name);
+        customDataIdentifiers.push({
+          name: identifier.name,
+          regex: identifier.regex,
+        });
+      } else {
+        identifiers.push(Stack.of(_scope).formatArn({
+          resource: 'data-identifier',
+          region: '',
+          account: 'aws',
+          service: 'dataprotection',
+          resourceName: identifier.name,
+        }));
+      }
     };
 
     const statement = [
       {
         sid: 'audit-statement-cdk',
-        dataIdentifier: identifierArns,
+        dataIdentifier: identifiers,
         operation: {
           audit: {
             findingsDestination: findingsDestination,
@@ -66,18 +75,26 @@ export class DataProtectionPolicy {
       },
       {
         sid: 'redact-statement-cdk',
-        dataIdentifier: identifierArns,
+        dataIdentifier: identifiers,
         operation: {
           deidentify: {
             maskConfig: {},
           },
         },
       },
     ];
-    return { name, description, version, statement };
+
+    const configuration = {
+      customDataIdentifier: customDataIdentifiers,
+    };
+    return { name, description, version, configuration, statement };
   }
 }
 
+interface CustomDataIdentifier {
+  name: string;
+  regex: string;
+}
 interface FindingsDestination {
   cloudWatchLogs?: CloudWatchLogsDestination;
   firehose?: FirehoseDestination;
@@ -119,6 +136,11 @@ export interface DataProtectionPolicyConfig {
    */
   readonly version: string;
 
+  /**
+   * Configuration of the data protection policy. Currently supports custom data identifiers
+   */
+  readonly configuration: any;
+
   /**
    * Statements within the data protection policy. Must contain one Audit and one Redact statement
    */
@@ -144,7 +166,9 @@ export interface DataProtectionPolicyProps {
   readonly description?: string;
 
   /**
-   * List of data protection identifiers. Must be in the following list: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/protect-sensitive-log-data-types.html
+   * List of data protection identifiers, containing managed or custom data identfiers.
+   * Managed data identiers must be in the following list: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-managed-data-identifiers.html
+   * Custom data identfiers must have a valid regex defined: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html
    *
    */
   readonly identifiers: DataIdentifier[];
@@ -173,6 +197,7 @@ export interface DataProtectionPolicyProps {
 
 /**
  * A data protection identifier. If an identifier is supported but not in this class, it can be passed in the constructor instead.
+ * To create a custom data identifier, pass in a custom name and regex.
  */
 export class DataIdentifier {
   public static readonly ADDRESS = new DataIdentifier('Address');
@@ -274,9 +299,9 @@ export class DataIdentifier {
   public static readonly VEHICLEIDENTIFICATIONNUMBER = new DataIdentifier('VehicleIdentificationNumber');
   public static readonly ZIPCODE_US = new DataIdentifier('ZipCode-US');
 
-  constructor(private readonly identifier: string) { }
+  constructor(public readonly name: string, public readonly regex?: string) { }
 
   public toString(): string {
-    return this.identifier;
+    return this.name;
   }
 }