AWS powertools medium security documentation change
Summary
Updated logging documentation to add functional API approach, clarify AspectJ configuration requirements, update dependency versions to 2.7.0, and enhance security warnings about sensitive data exposure
Security assessment
Multiple changes explicitly address security by: 1) Adding warnings that event/response logging is disabled by default to prevent sensitive data exposure 2) Emphasizing automatic state cleanup in functional API to prevent persistent MDC data across Lambda invocations 3) Noting stream duplication risks in RequestStreamHandler implementations. These directly mitigate risks of accidental sensitive data leakage.
Diff
diff --git a/powertools/java/latest/core/logging.md b/powertools/java/latest/core/logging.md index ebd49c8ae..80ba4b699 100644 --- a//powertools/java/latest/core/logging.md +++ b//powertools/java/latest/core/logging.md @@ -22,0 +23 @@ Initializing search + * [ Usage patterns ](../../usage-patterns/) @@ -163 +164 @@ You can find complete examples in the [project repository](https://github.com/aw -Depending on preference, you must choose to use either _log4j2_ or _logback_ as your log provider. In both cases you need to configure _aspectj_ to weave the code and make sure the annotation is processed. +Depending on preference, you must choose to use either _log4j2_ or _logback_ as your log provider. If you use the AspectJ annotation approach, you must configure _aspectj_ to weave the code and make sure the annotation is processed. If you prefer the [functional approach](../../usage-patterns/#functional-approach), AspectJ configuration is not required. @@ -217,0 +219,6 @@ log4j2logback + 49 + 50 + 51 + 52 + 53 + 54 @@ -227 +234,6 @@ log4j2logback - <version>2.5.0</version> + <version>2.7.0</version> + </dependency> + <dependency> + <groupId>software.amazon.lambda</groupId> + <artifactId>powertools-logging</artifactId> + <version>2.7.0</version> @@ -232,0 +245 @@ log4j2logback + <!-- Note: This AspectJ configuration is not needed when using the functional approach --> @@ -322,0 +336,6 @@ log4j2logback + 49 + 50 + 51 + 52 + 53 + 54 @@ -332 +351,6 @@ log4j2logback - <version>2.5.0</version> + <version>2.7.0</version> + </dependency> + <dependency> + <groupId>software.amazon.lambda</groupId> + <artifactId>powertools-logging</artifactId> + <version>2.7.0</version> @@ -337,0 +362 @@ log4j2logback + <!-- Note: This AspectJ configuration is not needed when using the functional approach --> @@ -398,0 +424 @@ log4j2logback + 16 @@ -405 +431 @@ log4j2logback - id 'io.freefair.aspectj.post-compile-weaving' version '8.1.0' + id 'io.freefair.aspectj.post-compile-weaving' version '8.1.0' // Not needed when using the functional approach @@ -413 +439,2 @@ log4j2logback - aspect 'software.amazon.lambda:powertools-logging-log4j:2.5.0' + aspect 'software.amazon.lambda:powertools-logging:2.7.0' // Not needed when using the functional approach + implementation 'software.amazon.lambda:powertools-logging-log4j:2.7.0' @@ -437,0 +465 @@ log4j2logback + 16 @@ -444 +472 @@ log4j2logback - id 'io.freefair.aspectj.post-compile-weaving' version '8.1.0' + id 'io.freefair.aspectj.post-compile-weaving' version '8.1.0' // Not needed when using the functional approach @@ -452 +480,2 @@ log4j2logback - aspect 'software.amazon.lambda:powertools-logging-logback:2.5.0' + aspect 'software.amazon.lambda:powertools-logging:2.7.0' // Not needed when using the functional approach + implementation 'software.amazon.lambda:powertools-logging-logback:2.7.0' @@ -655 +684 @@ With ALC enabled, we are unable to increase the minimum log level below the `AWS -To use Lambda Powertools for AWS Lambda Logging, use the `@Logging` annotation in your code and the standard _SLF4J_ logger: +You can use Powertools for AWS Lambda Logging with either the `@Logging` annotation or the functional API: @@ -657 +686 @@ To use Lambda Powertools for AWS Lambda Logging, use the `@Logging` annotation i -PaymentFunction.java +@Logging annotationFunctional API @@ -699,0 +729,47 @@ PaymentFunction.java +---|--- + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 13 + 14 + 15 + 16 + 17 + 18 + 19 + +| + + + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + import software.amazon.lambda.powertools.logging.PowertoolsLogging; + // ... other imports + + public class PaymentFunction implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> { + + private static final Logger LOGGER = LoggerFactory.getLogger(PaymentFunction.class); + + public APIGatewayProxyResponseEvent handleRequest(final APIGatewayProxyRequestEvent input, final Context context) { + return PowertoolsLogging.withLogging(context, () -> { + LOGGER.info("Collecting payment"); + // ... + LOGGER.debug("order={}, amount={}", order.getId(), order.getAmount()); + // ... + return new APIGatewayProxyResponseEvent().withStatusCode(200); + }); + } + } + + @@ -738 +814 @@ Key | Type | Example | Description -You can set a correlation ID using the `correlationIdPath` attribute of the `@Logging`annotation, by passing a [JMESPath expression](https://jmespath.org/tutorial.html), including our custom [JMESPath Functions](../../utilities/serialization/#built-in-functions). +You can set a correlation ID using the `correlationIdPath` parameter by passing a [JMESPath expression](https://jmespath.org/tutorial.html), including our custom [JMESPath Functions](../../utilities/serialization/#built-in-functions). @@ -740 +816 @@ You can set a correlation ID using the `correlationIdPath` attribute of the `@Lo -AppCorrelationIdPath.javaExample HTTP EventCloudWatch Logs +@Logging annotationFunctional APIExample HTTP EventCloudWatch Logs @@ -770,0 +847,35 @@ AppCorrelationIdPath.javaExample HTTP EventCloudWatch Logs +---|--- + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 13 + +| + + + public class AppCorrelationIdPath implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> { + + private static final Logger LOGGER = LoggerFactory.getLogger(AppCorrelationIdPath.class); + + public APIGatewayProxyResponseEvent handleRequest(final APIGatewayProxyRequestEvent input, final Context context) { + return PowertoolsLogging.withLogging(context, "headers.my_request_id_header", input, () -> { + // ... + LOGGER.info("Collecting payment"); + // ... + return new APIGatewayProxyResponseEvent().withStatusCode(200); + }); + } + } + + @@ -819 +930 @@ To ease routine tasks like extracting correlation ID from popular event sources, -AppCorrelationId.javaExample EventExample CloudWatch Logs +@Logging annotationFunctional APIExample EventExample CloudWatch Logs @@ -853,0 +965,39 @@ AppCorrelationId.javaExample EventExample CloudWatch Logs +---|--- + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 13 + 14 + 15 + +| + + + import software.amazon.lambda.powertools.logging.CorrelationIdPaths; + + public class AppCorrelationId implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> { + + private static final Logger LOGGER = LoggerFactory.getLogger(AppCorrelationId.class); + + public APIGatewayProxyResponseEvent handleRequest(final APIGatewayProxyRequestEvent input, final Context context) { + return PowertoolsLogging.withLogging(context, CorrelationIdPaths.API_GATEWAY_REST, input, () -> { + // ... + LOGGER.info("Collecting payment"); + // ... + return new APIGatewayProxyResponseEvent().withStatusCode(200); + }); + } + } + +