I'm seeking advice on implementing audit logs for our .NET API, which runs on ECS. We want to log both request and response payloads for each HTTP call. However, since we're dealing with sensitive data, I need to find the best approach. Would using logging middleware to capture requests and responses and then sending them to CloudWatch be a good choice, or is there a better method? Any insights on best practices for handling sensitive information would be greatly appreciated!
4 Answers
If your application is running in ECS, one simple approach is to configure your logs to send everything to STDOUT. This way, the logs will automatically go to CloudWatch like other container events without extra setup.
Logging full payloads poses several risks, including security, privacy, and storage costs. It can also create legal liabilities for data retention in case of discovery. If you must log these, I highly recommend redacting any sensitive information to mitigate risks.
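Putting the two answers above together (stdout logging on ECS, plus redaction before anything is written), here is an added ASP.NET Core middleware example. It is not code from the question or from any answer: it buffers the request and response bodies, replaces the values of an assumed list of sensitive JSON keys with a placeholder, caps how much of each body is captured, and emits one structured log entry per call through `ILogger`. With `builder.Logging.AddJsonConsole()` configured that entry goes to stdout, which the ECS `awslogs` driver forwards to CloudWatch. The class name, the key list and the 64 KiB cap are all assumptions to adapt to your own schema.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Text.Json.Nodes;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Hypothetical audit middleware; register with app.UseMiddleware<PayloadAuditMiddleware>().
public sealed class PayloadAuditMiddleware
{
    // Assumed sensitive keys; extend to match the fields your API actually carries.
    private static readonly HashSet<string> SensitiveKeys = new(StringComparer.OrdinalIgnoreCase)
    {
        "password", "token", "authorization", "ssn", "cardNumber", "cvv", "secret"
    };

    // Assumed cap: bodies beyond this are truncated so one large upload cannot flood the log.
    private const int MaxBodyChars = 64 * 1024;

    private readonly RequestDelegate _next;
    private readonly ILogger<PayloadAuditMiddleware> _logger;

    public PayloadAuditMiddleware(RequestDelegate next, ILogger<PayloadAuditMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        // Let the body be read here and again by the endpoint.
        ctx.Request.EnableBuffering();
        string requestBody = await ReadBodyAsync(ctx.Request.Body);
        ctx.Request.Body.Position = 0;

        // Swap in a MemoryStream so the response can be inspected before it reaches the client.
        Stream originalBody = ctx.Response.Body;
        using var buffer = new MemoryStream();
        ctx.Response.Body = buffer;

        try
        {
            await _next(ctx);
        }
        finally
        {
            buffer.Position = 0;
            string responseBody = await ReadBodyAsync(buffer);
            buffer.Position = 0;
            await buffer.CopyToAsync(originalBody);
            ctx.Response.Body = originalBody;

            // Structured fields; the JSON console formatter writes them to stdout as one entry.
            _logger.LogInformation(
                "audit {Method} {Path} -> {Status} trace={TraceId} request={Request} response={Response}",
                ctx.Request.Method, ctx.Request.Path.Value, ctx.Response.StatusCode,
                ctx.TraceIdentifier, Redact(requestBody), Redact(responseBody));
        }
    }

    // Reads at most MaxBodyChars from the stream without closing it.
    private static async Task<string> ReadBodyAsync(Stream stream)
    {
        using var reader = new StreamReader(stream, Encoding.UTF8,
            detectEncodingFromByteOrderMarks: false, bufferSize: 4096, leaveOpen: true);
        var chars = new char[MaxBodyChars];
        int read = await reader.ReadBlockAsync(chars, 0, chars.Length);
        return new string(chars, 0, read);
    }

    // Replaces the value of every sensitive key, at any depth, in a JSON body.
    // A body that is not JSON is never logged verbatim, only its size.
    public static string Redact(string body)
    {
        if (string.IsNullOrWhiteSpace(body)) return "";
        JsonNode? root;
        try { root = JsonNode.Parse(body); }
        catch (JsonException) { return $"[non-JSON body, {body.Length} chars omitted]"; }
        RedactNode(root);
        return root?.ToJsonString() ?? "";
    }

    private static void RedactNode(JsonNode? node)
    {
        switch (node)
        {
            case JsonObject obj:
                // Snapshot the keys first: assigning obj[key] while enumerating would throw.
                foreach (string key in obj.Select(kv => kv.Key).ToList())
                {
                    if (SensitiveKeys.Contains(key)) obj[key] = "[REDACTED]";
                    else RedactNode(obj[key]);
                }
                break;
            case JsonArray arr:
                foreach (JsonNode? child in arr) RedactNode(child);
                break;
        }
    }
}
```

Two caveats worth keeping in mind when adopting something like this: buffering the whole response defeats streaming endpoints (skip the middleware for those, or log only headers and status for them), and key-based redaction only catches fields you have named, so free-text fields that users may paste secrets into still need a separate pattern-based pass or should not be logged at all.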
Think about the volume of data you’ll be generating. Are there any budget constraints? Also, how complex is your current architecture? And how do you plan to use this logged data? These questions can really affect your logging strategy.
It's generally a bad idea to log sensitive payloads directly to CloudWatch due to security risks and potential costs. Instead, consider piping the logs to Kinesis Firehose and then sending them to an encrypted S3 bucket. This way, you keep the data safe and avoid the high costs of CloudWatch. Plus, using middleware can seriously slow down your API's response time.
