:doc:`CloudWatchLogs <../../logs>` / Client / put_data_protection_policy

**************************
put_data_protection_policy
**************************



.. py:method:: CloudWatchLogs.Client.put_data_protection_policy(**kwargs)

  

  Creates a data protection policy for the specified log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data.

   

  .. warning::

     

    Sensitive data is detected and masked when it is ingested into the log group. When you set a data protection policy, log events ingested into the log group before that time are not masked.

     

   

  By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the ``logs:Unmask`` permission can use a `GetLogEvents <https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html>`__ or `FilterLogEvents <https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html>`__ operation with the ``unmask`` parameter set to ``true`` to view the unmasked log events. Users with the ``logs:Unmask`` permission can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the ``unmask`` query command.

   

  For more information, including a list of types of data that can be audited and masked, see `Protect sensitive log data with masking <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html>`__.

   

  The ``PutDataProtectionPolicy`` operation applies to only the specified log group. You can also use `PutAccountPolicy <https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutAccountPolicy.html>`__ to create an account-level data protection policy that applies to all log groups in the account, including both existing log groups and log groups that are created later. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/PutDataProtectionPolicy>`_  


  **Request Syntax**
  ::

    response = client.put_data_protection_policy(
        logGroupIdentifier='string',
        policyDocument='string'
    )
    
  :type logGroupIdentifier: string
  :param logGroupIdentifier: **[REQUIRED]** 

    Specify either the log group name or log group ARN.

    

  
  :type policyDocument: string
  :param policyDocument: **[REQUIRED]** 

    Specify the data protection policy, in JSON.

     

    This policy must include two JSON blocks:

     

    
    * The first block must include both a ``DataIdentifier`` array and an ``Operation`` property with an ``Audit`` action. The ``DataIdentifier`` array lists the types of sensitive data that you want to mask. For more information about the available options, see `Types of data that you can mask <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html>`__. The ``Operation`` property with an ``Audit`` action is required to find the sensitive data terms. This ``Audit`` action must contain a ``FindingsDestination`` object. You can optionally use that ``FindingsDestination`` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Firehose streams, and S3 buckets, they must already exist.
     
    * The second block must include both a ``DataIdentifier`` array and an ``Operation`` property with a ``Deidentify`` action. The ``DataIdentifier`` array must exactly match the ``DataIdentifier`` array in the first block of the policy. The ``Operation`` property with the ``Deidentify`` action is what actually masks the data, and it must contain the ``"MaskConfig": {}`` object. The ``"MaskConfig": {}`` object must be empty.
    

     

    For an example data protection policy, see the **Examples** section on this page.

     

    .. warning::

       

      The contents of the two ``DataIdentifier`` arrays must match exactly.

       

     

    In addition to the two JSON blocks, the ``policyDocument`` can also include ``Name``, ``Description``, and ``Version`` fields. The ``Name`` is used as a dimension when CloudWatch Logs reports audit findings metrics to CloudWatch.

     

    The JSON specified in ``policyDocument`` can be up to 30,720 characters.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'logGroupIdentifier': 'string',
          'policyDocument': 'string',
          'lastUpdatedTime': 123
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **logGroupIdentifier** *(string) --* 

        The log group name or ARN that you specified in your request.

        
      

      - **policyDocument** *(string) --* 

        The data protection policy used for this log group.

        
      

      - **lastUpdatedTime** *(integer) --* 

        The date and time that this policy was most recently updated.

        
  
  **Exceptions**
  
  *   :py:class:`CloudWatchLogs.Client.exceptions.InvalidParameterException`

  
  *   :py:class:`CloudWatchLogs.Client.exceptions.LimitExceededException`

  
  *   :py:class:`CloudWatchLogs.Client.exceptions.OperationAbortedException`

  
  *   :py:class:`CloudWatchLogs.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`CloudWatchLogs.Client.exceptions.ServiceUnavailableException`
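  The following is an added example (not boto3's own code) that builds a ``policyDocument`` with the two required blocks described under the ``policyDocument`` parameter, checks it locally against the stated rules (matching ``DataIdentifier`` arrays, a ``FindingsDestination`` object, an empty ``MaskConfig``, the 30,720-character limit) and then passes it to ``put_data_protection_policy``. The helper names ``build_policy``, ``validate_policy`` and ``apply_policy`` are hypothetical; the ``Statement``/``Sid``/``Version`` keys, the ``CloudWatchLogs.LogGroup`` findings-destination key and the ``arn:aws:dataprotection::aws:data-identifier/<Type>`` identifier form are assumed from the AWS data protection policy format, and ``audit-findings`` is a constructed placeholder log group name.

```python
import json

# Assumed identifier form (AWS-managed data identifier ARN); constructed sample value.
EMAIL_ID = "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
MAX_POLICY_CHARS = 30720  # documented size limit for policyDocument


def build_policy(name, identifiers, findings_log_group=None):
    """Return a policyDocument string: Audit block first, Deidentify block second.

    Statement/Sid/Version/FindingsDestination key names are assumed from the AWS
    policy format; the API page itself only lists what each block must contain.
    """
    identifiers = list(identifiers)
    findings = {}
    if findings_log_group:  # any destination listed here must already exist
        findings["CloudWatchLogs"] = {"LogGroup": findings_log_group}
    policy = {
        "Name": name,  # reported as a dimension on audit-findings metrics
        "Version": "2021-06-01",
        "Statement": [
            {"Sid": "audit", "DataIdentifier": identifiers,
             "Operation": {"Audit": {"FindingsDestination": findings}}},
            {"Sid": "mask", "DataIdentifier": list(identifiers),  # must match exactly
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }
    return json.dumps(policy, separators=(",", ":"))


def validate_policy(document):
    """Check the structural rules the API requires; return a list of problems."""
    problems = []
    if len(document) > MAX_POLICY_CHARS:
        problems.append("policyDocument exceeds 30,720 characters")
    statements = json.loads(document).get("Statement", [])
    audit = [s for s in statements if "Audit" in s.get("Operation", {})]
    deid = [s for s in statements if "Deidentify" in s.get("Operation", {})]
    if len(audit) != 1 or len(deid) != 1:
        return problems + ["policy needs exactly one Audit block and one Deidentify block"]
    if "FindingsDestination" not in audit[0]["Operation"]["Audit"]:
        problems.append("Audit action must contain a FindingsDestination object")
    if deid[0]["Operation"]["Deidentify"].get("MaskConfig") != {}:
        problems.append("Deidentify action must contain an empty MaskConfig object")
    if audit[0].get("DataIdentifier") != deid[0].get("DataIdentifier"):
        problems.append("the two DataIdentifier arrays must match exactly")
    return problems


def apply_policy(client, log_group, document):
    """Validate locally, then call put_data_protection_policy on a boto3 Logs client."""
    problems = validate_policy(document)
    if problems:
        raise ValueError("; ".join(problems))
    return client.put_data_protection_policy(logGroupIdentifier=log_group, policyDocument=document)
```

  Because masking only applies to events ingested after the policy is set, run this before the log group receives the sensitive traffic, and grant ``logs:Unmask`` only to the principals who need the cleartext.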

  