Masking Email Addresses in AWS CloudTrail Logs
The log file was bleeding email addresses. Not masked. Not safe. One exposed address is personal data sitting in a place it was never meant to be, and CloudTrail logs are no exception.
AWS CloudTrail records the API calls made in your AWS account (management events by default, data events if you enable them). Each event carries the caller's identity, the request parameters, the response elements and, too often, raw identifiers such as user email addresses. If those logs land in storage without masking, you have a compliance problem. Worse, you have a security risk that is searchable, copied into every downstream analytics tool, and retained for years.
Masking email addresses in CloudTrail logs should be part of every query runbook you maintain. Start by identifying the fields that carry them. In CloudTrail they turn up in userIdentity.userName (IAM user names and federated session names are frequently email addresses), in userIdentity.principalId and userIdentity.arn for assumed-role and federated sessions (the session name is appended there), and in requestParameters, responseElements and additionalEventData for calls that take a user or address as an argument, such as IAM CreateUser. Do not rely on a fixed list of fields; scan the whole record.
One way to handle masking is to preprocess logs before they reach analysts. Use a Lambda function triggered by CloudTrail log delivery into S3 (the delivered objects are gzipped JSON files with a top-level Records array). The function walks each record, applies a regex to detect email patterns, and replaces matches with a masked value. Two caveats. First, write the masked copy to a separate bucket and leave the raw delivery bucket untouched: rewriting the originals breaks CloudTrail log file integrity validation, whose digest files hash the delivered objects, so restrict the raw bucket to the few roles that truly need it instead. Second, replacing every address with one constant such as ***@example.com proves nothing leaked but also destroys the ability to tell two users apart. If investigators need to correlate events by user, replace the local part with a keyed hash (an HMAC of the address) so the same address always maps to the same token; keep the format consistent so queries written against masked data keep working.
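The Lambda preprocessing step above, written out as an added example (this is not code from the page, from AWS or from hoop.dev). It assumes a function subscribed to s3:ObjectCreated events on the CloudTrail delivery bucket, a separate destination bucket named by a MASKED_BUCKET environment variable, and a pseudonymisation key in MASK_KEY (both names are assumptions; in production load the key from Secrets Manager or KMS). It goes slightly beyond the text: instead of a fixed list of fields it walks the whole record, and instead of a constant it substitutes a keyed HMAC token so the same address maps to the same token across events. The sample record at the bottom is constructed, not real CloudTrail output, so the module runs offline.

```python
"""Mask e-mail addresses in CloudTrail delivery files before analysts see them.

Added example; not AWS or hoop.dev code. Assumed names: MASKED_BUCKET and
MASK_KEY environment variables. The originals are never rewritten, only a
masked copy is written elsewhere, so CloudTrail digest validation still holds.
"""
import gzip
import hashlib
import hmac
import json
import os
import re
from typing import Any
from urllib.parse import unquote_plus

# Narrower than "anything@anything": it stops at characters that are not legal
# in an address, so "arn:...:user/alice@example.com" keeps its ARN prefix and
# only the address itself is replaced.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymize(email: str, key: bytes) -> str:
    """Stable, non-reversible token for one address (case-insensitive).

    The domain is kept because it is rarely personal and helps triage; drop it
    too if your domains are themselves sensitive. The local part becomes the
    first 12 hex chars of HMAC-SHA256(key, lowercased address).
    """
    lowered = email.lower()
    _, _, domain = lowered.partition("@")
    tag = hmac.new(key, lowered.encode(), hashlib.sha256).hexdigest()[:12]
    return f"u-{tag}@{domain}"


def mask_text(text: str, key: bytes) -> str:
    """Replace every address in a string; text without addresses is unchanged."""
    return EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key), text)


def mask_value(value: Any, key: bytes) -> Any:
    """Walk a parsed CloudTrail record (nested dicts/lists) and mask every string.

    Walking the structure, rather than a fixed field list, is what catches
    addresses in requestParameters, responseElements and additionalEventData,
    not only userIdentity.userName.
    """
    if isinstance(value, str):
        return mask_text(value, key)
    if isinstance(value, dict):
        return {k: mask_value(v, key) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_value(v, key) for v in value]
    return value


def read_records(gz_bytes: bytes) -> list:
    """Decompress one CloudTrail delivery file and return its Records list."""
    return json.loads(gzip.decompress(gz_bytes)).get("Records", [])


def mask_log_file(gz_bytes: bytes, key: bytes) -> bytes:
    """Take one gzipped CloudTrail delivery file, return the masked file."""
    records = [mask_value(r, key) for r in read_records(gz_bytes)]
    body = json.dumps({"Records": records}, separators=(",", ":")).encode()
    return gzip.compress(body)


def lambda_handler(event: dict, context: Any) -> dict:
    """S3 ObjectCreated handler: read the original, write a masked copy elsewhere."""
    import boto3  # imported here so the pure masking code runs without it

    s3 = boto3.client("s3")
    key = os.environ["MASK_KEY"].encode()
    dest = os.environ["MASKED_BUCKET"]
    written = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        obj_key = unquote_plus(rec["s3"]["object"]["key"])  # S3 events URL-encode keys
        body = s3.get_object(Bucket=bucket, Key=obj_key)["Body"].read()
        s3.put_object(Bucket=dest, Key=obj_key, Body=mask_log_file(body, key),
                      ContentType="application/json", ContentEncoding="gzip")
        written.append(obj_key)
    return {"masked": written}


# Constructed sample record (not real CloudTrail output) so the module runs offline.
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "eventName": "ConsoleLogin",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLEPRINCIPAL",
        "arn": "arn:aws:iam::123456789012:user/alice.smith@example.com",
        "userName": "alice.smith@example.com",
    },
    "additionalEventData": {"MFAUsed": "Yes", "LoginTo": "https://console.aws.amazon.com/"},
    "requestParameters": {"userName": "Alice.Smith@example.com"},
}
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [SAMPLE_RECORD]}).encode())

if __name__ == "__main__":
    print(json.dumps(mask_value(SAMPLE_RECORD, b"demo-key-only"), indent=2))
```

Because the token is an HMAC rather than a plain hash, someone holding the masked logs cannot rebuild it from a list of known addresses without the key, so keep the key out of the analysts' hands and rotate it only when you are prepared to lose correlation across the rotation boundary.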
For interactive analysis, integrate masking directly into your query runbooks. If you use Athena to query CloudTrail logs, wrap the identity fields with masking logic in your SQL. Two details matter: in the standard CloudTrail table the user name lives in the useridentity struct, not in a top-level column, and Athena hands single-quoted literals to a Java regex without interpreting backslashes, so write \s, not \\s (with \\s the character class also excludes the letter s, and any address containing an s is only partly masked). Example:
SELECT regexp_replace(useridentity.username, '[^@\s]+@[^@\s]+', '***@example.com') AS masked_username,
       regexp_replace(useridentity.principalid, '[^@\s]+@[^@\s]+', '***@example.com') AS masked_principalid
FROM cloudtrail_logs
WHERE eventname = 'ConsoleLogin';
Runbooks should codify these queries, ensuring every engineer uses the same masking rules when investigating events. Include test cases in your runbook, with a handful of known addresses (including ones containing the letter s, dots and plus signs), and verify that they are fully masked before results are shared.
Automation closes the gap. By baking masking into the CloudTrail ingestion pipeline, you make it the default rather than an optional step. Combined with runbook-enforced queries, you create a hardened workflow that meets security requirements and prevents accidental leaks.
Email leakage in logs is preventable. Mask them at ingestion. Mask them at query. Bake it into the runbook.
Want to see this running end-to-end without writing a line of glue code? Deploy a masking workflow with hoop.dev and watch it live in minutes.