question - does debug log contain sensitive data?

[Eliyahu-Machluf]

Hi,

I use the transfer client module for uploading files to s3 (aws-sdk-cpp-transfer).

When activating logs on trace mode, I see some debug prints which contains headers such as
[DEBUG] 2016-01-13 13:30:07 WinHttpSyncHttpClient [12768] authorization: AWS4-HMAC-SHA256 Credential=MY_ACCESS_KEY/20160113/us-west-2/s3/aws4_request, SignedHeaders=content-length;content-md5;content-type;host;user-agent;x-amz-content-sha256;x-amz-date, Signature=A_LONG_HEX_ENCODED_STRING
AWSAuthV4Signer [27720] Canonical Header String ...

My question is: does these logs contain sensitive data? Can anyone which see these lines steal this session? At my implementation I intend to redirect the logs to my application log. The application log can be viewed by non-authorized people. So I need to know whether these debug lines are safe or not, if not, I think i'll simply disable the option to turn trace/debug mode on aws-sdk-cpp-* module.

Thanks.

Eliyahu

[JonathanHenson]

Access key isn't sensitive and it goes across the wire anyways. Usually when you go to production, it is a best practice to set INFO level logging on your logger.

As for replaying a request.... sort of. The signature has a timestamp inside it that is only good for 5 minutes, and the request would have to be the exact same request you are making for the signatures to match. This protocol is designed to be safe for non-encrypted connections as well assuming you aren't sending sensitive payloads.

[Eliyahu-Machluf]

OK.

Thanks.