AWS SDK instrumentation logs entire DynamoDB statement, including potentially sensitive values #1053
Comments
We should probably add a Would you be willing to contribute a PR to do that?
@blumamir I can take a crack at it. I thought this was an officially supported library by AWS (they definitely promote it) but it seems like this is mostly supported by Dynatrace and other companies.
@NathanielRN @willarmiros trivikr are from AWS and were involved in the past with this instrumentation
I've seen our X-Ray AWS SDK sanitize trace at times like in this PR aws/aws-xray-sdk-go#228 where we sanitized the HTTP URL query and we seem to have done efforts to sanitize the query in the X-Ray Go SDK in the past? Other than that, we don't have precedence for it, so we wouldn't have too much bias when proposed ideas come around 🙂
Trying to come up with a good sanitization strategy per API call. I suggest an allow-list approach where we maintain a list of attributes that are safe to capture. Only capture the command input for the following actions:
Always include the following attributes if present:
This means the following attributes will be excluded (and future attributes):
@monken Thank you for taking the time to construct this list and for bringing up this issue. My suggestion is to implement this behavior as default and to allow easy hooking via instrumentation configuration so users can customize which properties they want to capture per service / command. If you have time, it could also be interesting to take a look at how aws-sdk instrumentations in other languages capture the db.statement for dynamo.
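An added example (not code from opentelemetry-instrumentation-aws-sdk) of the allow-list strategy proposed above, with the per-command list passed in so it can be overridden from configuration as suggested. The command names (SDK v3 style) and the field lists are assumptions for illustration, not the lists from the comment.

```javascript
// Per-command allow-list of input fields considered safe to record in
// db.statement. Commands absent from this map get no input captured at all.
// ASSUMED lists for illustration; a real deployment would tune them.
const DEFAULT_ALLOWED_FIELDS = {
  QueryCommand: ['KeyConditionExpression', 'FilterExpression', 'ProjectionExpression', 'IndexName', 'Limit'],
  ScanCommand: ['FilterExpression', 'ProjectionExpression', 'IndexName', 'Limit'],
  GetItemCommand: ['ProjectionExpression'],
  UpdateItemCommand: ['UpdateExpression', 'ConditionExpression'],
  DeleteItemCommand: ['ConditionExpression'],
};

// Fields kept for every allow-listed command when present. Expression strings
// reference placeholders (:e), so they do not carry item data by themselves.
const ALWAYS_ALLOWED_FIELDS = ['TableName', 'ConsistentRead'];

// Returns a copy of `input` containing only allow-listed fields, or undefined
// when the command is not allow-listed. `allowedFields` is the configuration
// hook: callers can pass their own map to capture more or fewer fields.
function sanitizeDynamoDbInput(commandName, input, allowedFields = DEFAULT_ALLOWED_FIELDS) {
  const perCommand = allowedFields[commandName];
  if (!perCommand) return undefined;
  const keep = new Set([...ALWAYS_ALLOWED_FIELDS, ...perCommand]);
  const out = {};
  for (const [key, value] of Object.entries(input)) {
    if (keep.has(key)) out[key] = value;
  }
  return out;
}

// The value that would be set as db.statement. Serializing the whole input
// (the behaviour this issue reports) would include ExpressionAttributeValues,
// Key and Item; this only serializes the allow-listed subset.
function dbStatementAttribute(commandName, input, allowedFields = DEFAULT_ALLOWED_FIELDS) {
  const sanitized = sanitizeDynamoDbInput(commandName, input, allowedFields);
  return sanitized === undefined ? undefined : JSON.stringify(sanitized);
}

// Constructed sample input: a QueryCommand looking up a user by e-mail.
const sampleQueryInput = {
  TableName: 'Users',
  KeyConditionExpression: 'email = :e',
  ExpressionAttributeValues: { ':e': { S: 'alice@example.com' } },
  Limit: 1,
};

console.log('unsanitized:', JSON.stringify(sampleQueryInput));
console.log('sanitized:  ', dbStatementAttribute('QueryCommand', sampleQueryInput));
```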
The aws-xray-sdk doesn't capture anything except the
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
This issue was closed because it has been stale for 14 days with no activity.
Has there been any update on this with regard to the AWS instrumentation exposing DynamoDB queries as an attribute?
What version of OpenTelemetry are you using?
OpenTelemetry Lambda extension, version: v0.1.0
What version of Node are you using?
NodeJS 16
What did you do?
Use the Lambda Layer for instrumentation
What did you expect to see?
I expected not to see the whole DynamoDB statement to be part of the trace. This should not be the default. The statement will most likely include very sensitive information that you don't want to leak to your observability toolchain.
Example:
What did you see instead?
I saw the entire DynamoDB statement, unscrubbed.
Additional context
Culprit is https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/plugins/node/opentelemetry-instrumentation-aws-sdk/src/services/dynamodb.ts#L39 where the entire DynamoDB statement is serialized and added to the trace.