prowler
Implement a new check for secrets in CloudWatch Logs
Is your feature request related to a problem? Please describe.
Suggestion to implement a new check that performs the same secrets detection done for ECS task definitions, Lambda code, etc., but run against logs stored in CloudWatch, to detect sensitive information being stored in logs in plaintext.

Describe the solution you'd like
It is likely not feasible to pull all the log streams for each CloudWatch log group. I suggest that ~5-10 streams are pulled and run through the secrets detector. Something like the below could be altered and incorporated into the logs_client, with the logGroupName being a variable (for log_group in self.log_groups).
```python
import boto3

client = boto3.client("logs")
log_group_name = "/aws/lambda/lambdaFnName"  # Can be dynamic (one entry of self.log_groups)

# Pull only the most recently active streams of this group
stream_response = client.describe_log_streams(
    logGroupName=log_group_name,
    orderBy="LastEventTime",  # For the latest events
    descending=True,          # newest streams first; without this the oldest come first
    limit=5,
)
for log_stream in stream_response["logStreams"]:
    logStreamName = log_stream["logStreamName"]
    response = client.get_log_events(
        logGroupName=log_group_name,
        logStreamName=logStreamName,
    )
    # response["events"] holds the messages to run through the secrets detector
```
Describe alternatives you've considered
None

Additional context
None

If the team agrees that this is something worth implementing then I'd be happy doing it; I would just like someone else to handle the metadata for the check.
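The sampling-and-scan loop proposed above, carried through end to end, as an added example; this is not prowler's code and not the detector prowler ships. It assumes a client exposing the two CloudWatch Logs calls named in the issue (`describe_log_streams`, `get_log_events`), uses a small regex set as a constructed stand-in for the real secrets detector, and ships with a fake client holding constructed sample events so it runs offline. Findings record where a secret was seen (group, stream, timestamp, type) but deliberately not the matched message, so the check's own output does not become another plaintext copy of the secret.

```python
"""Sample the most recently active CloudWatch log streams per log group and
scan their events for plaintext secrets (added example, not prowler's code)."""
import re

# Assumed sampling size, taken from the issue's "~5-10 streams" suggestion.
STREAMS_PER_GROUP = 5

# Constructed stand-in for a real secrets detector: illustrative patterns only.
SECRET_PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "Generic password assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}


def find_secrets(message):
    """Return the sorted names of every pattern that matches one log message."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(message))


def scan_log_group(logs_client, log_group_name, streams_per_group=STREAMS_PER_GROUP):
    """Scan the newest `streams_per_group` streams of one log group.

    `logs_client` is any object with boto3-style describe_log_streams and
    get_log_events methods (a real boto3 'logs' client or the fake below).
    """
    findings = []
    stream_response = logs_client.describe_log_streams(
        logGroupName=log_group_name,
        orderBy="LastEventTime",  # newest activity first, as the issue proposes
        descending=True,
        limit=streams_per_group,
    )
    for log_stream in stream_response.get("logStreams", []):
        stream_name = log_stream["logStreamName"]
        events = logs_client.get_log_events(
            logGroupName=log_group_name,
            logStreamName=stream_name,
            startFromHead=False,  # most recent events of the stream
        )
        for event in events.get("events", []):
            matched = find_secrets(event.get("message", ""))
            if matched:
                # Record the location and secret type only; never echo the secret.
                findings.append({
                    "log_group": log_group_name,
                    "log_stream": stream_name,
                    "timestamp": event.get("timestamp"),
                    "secret_types": matched,
                })
    return findings


def scan_log_groups(logs_client, log_group_names, streams_per_group=STREAMS_PER_GROUP):
    """Apply scan_log_group to every group name, like iterating self.log_groups."""
    findings = []
    for name in log_group_names:
        findings.extend(scan_log_group(logs_client, name, streams_per_group))
    return findings


class FakeLogsClient:
    """Constructed offline stand-in for boto3's 'logs' client with sample data."""

    def __init__(self):
        group = "/aws/lambda/demo"  # constructed group name
        self._streams = {group: ["2024/01/01/[$LATEST]aaaa", "2024/01/01/[$LATEST]bbbb"]}
        self._events = {
            (group, "2024/01/01/[$LATEST]aaaa"): [
                {"timestamp": 1704067200000, "message": "START RequestId: 1 Version: $LATEST"},
                {"timestamp": 1704067201000, "message": "connecting with password=hunter2"},
            ],
            (group, "2024/01/01/[$LATEST]bbbb"): [
                # AWS's documented example access key id, not a live credential
                {"timestamp": 1704067300000, "message": "using key AKIAIOSFODNN7EXAMPLE"},
                {"timestamp": 1704067301000, "message": "END RequestId: 2"},
            ],
        }

    def describe_log_streams(self, logGroupName, orderBy="LogStreamName", descending=False, limit=50):
        names = self._streams.get(logGroupName, [])[:limit]
        return {"logStreams": [{"logStreamName": n} for n in names]}

    def get_log_events(self, logGroupName, logStreamName, startFromHead=False, limit=10000):
        return {"events": self._events.get((logGroupName, logStreamName), [])[:limit]}


if __name__ == "__main__":
    import boto3  # only needed when run against a real account

    client = boto3.client("logs")
    groups = [g["logGroupName"] for g in client.describe_log_groups(limit=50).get("logGroups", [])]
    for finding in scan_log_groups(client, groups):
        print(finding)
```

Running the module directly scans the first 50 log groups of the configured account; the fake client exists so the logic can be exercised without any AWS access, which is also the natural seam for a unit test of the check.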
For sure @Fennerr , great idea! I could help you with the metadata 💪🏼