Log Injection on AWS
AWS-Specific Remediation
Remediating log injection on AWS requires a defense-in-depth approach that combines input validation, output encoding, and AWS-native security features. Here's how to secure your AWS applications against log injection attacks.
Input Sanitization and Validation:

  const sanitizeInput = (input) => {
    if (typeof input !== 'string') {
      return String(input);
    }
    // Remove control and non-printable characters except newline and carriage return
    // (preserve legitimate formatting)
    const sanitized = input.replace(/[^\x20-\x7E\n\r]/g, '');
    // Limit length to prevent log flooding
    return sanitized.substring(0, 1000);
  };

  exports.handler = async (event) => {
    // queryStringParameters is null when the request carries no query string
    const userInput = sanitizeInput(event.queryStringParameters?.input ?? '');
    console.log(`Processing input: ${userInput}`);
    return { statusCode: 200, body: 'Success' };
  };

This approach removes non-printable characters while preserving legitimate whitespace, preventing log structure manipulation.
AWS-native Security Features:

  # AWS SAM template with enhanced logging security
  Resources:
    MyFunction:
      Type: AWS::Serverless::Function
      Properties:
        Runtime: nodejs18.x
        Handler: index.handler
        Policies:
          - CloudWatchLambdaInsightsExecutionRolePolicy
        Environment:
          Variables:
            LOG_LEVEL: INFO
            LOG_MAX_LENGTH: 1000
        Logging:
          LogRetentionInDays: 30
          LogFormat: JSON
          LogLevel: INFO
          LogSanitization:
            - ControlCharacters
            - SuspiciousPatterns

This configuration enables AWS-native log sanitization and retention policies that limit the impact of log injection attempts.
Structured Logging with Validation:
  // sanitizeInput is the helper defined in the Input Sanitization section above
  const safeLog = (message, data) => {
    const sanitizedMessage = sanitizeInput(message);
    const sanitizedData = typeof data === 'object' ? JSON.stringify(data) : String(data);
    const logEntry = {
      timestamp: new Date().toISOString(),
      level: 'INFO',
      message: sanitizedMessage,
      data: sanitizedData.substring(0, 1000)
    };
    // One JSON object per line: JSON.stringify escapes any embedded newlines
    console.log(JSON.stringify(logEntry));
  };

  // Usage
  exports.handler = async (event) => {
    // queryStringParameters is null when the request carries no query string
    const userInput = event.queryStringParameters?.input ?? '';
    safeLog('Processing user input', { input: userInput });
    return { statusCode: 200, body: 'Success' };
  };

Structured logging with built-in sanitization ensures that even if injection attempts occur, they cannot break the log format or create false entries.
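As an added example (not code from the original page), the logger below combines the sanitization and structured-logging ideas above but escapes carriage returns and newlines instead of passing them through, so an untrusted value can never begin a forged log line; the names neutralizeForLog, buildLogRecord and logLine are this example's own.

```javascript
// Added example (not from the original page): newline-neutralizing logger
// for a Node.js Lambda. neutralizeForLog/buildLogRecord are names chosen here.
const MAX_FIELD_LENGTH = 1000;

// Escape CR, LF and other control characters (tab is kept) so an untrusted
// value can neither end the current log line nor start a forged one.
const neutralizeForLog = (value) => {
  const text = typeof value === 'string' ? value : String(value);
  const escaped = text
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g,
      (c) => `\\x${c.charCodeAt(0).toString(16).padStart(2, '0')}`);
  // Truncate after escaping so the cap applies to what is actually written.
  return escaped.length > MAX_FIELD_LENGTH
    ? `${escaped.substring(0, MAX_FIELD_LENGTH)}...[truncated]`
    : escaped;
};

// Untrusted values go into their own fields and are never spliced into the
// message text, so a reader can always tell data from the log template.
const buildLogRecord = (level, message, fields = {}) => {
  const safeFields = {};
  for (const [key, value] of Object.entries(fields)) {
    safeFields[neutralizeForLog(key)] = neutralizeForLog(value);
  }
  return {
    timestamp: new Date().toISOString(),
    level,
    message: neutralizeForLog(message),
    fields: safeFields,
  };
};

// One JSON object per line; JSON.stringify escapes anything that slipped
// through, so CloudWatch receives exactly one event per call.
const logLine = (record) => JSON.stringify(record);

const handler = async (event) => {
  const input = event?.queryStringParameters?.input ?? '';
  console.log(logLine(buildLogRecord('INFO', 'Processing user input', { input })));
  return { statusCode: 200, body: 'Success' };
};

module.exports = { neutralizeForLog, buildLogRecord, logLine, handler };
```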
CloudWatch Logs Insights Protection:
  const validateLogQuery = (query) => {
    // Prevent injection through CloudWatch Logs Insights queries.
    // No 'g' flag: a global regex keeps lastIndex between test() calls,
    // which makes repeated validations return inconsistent results.
    const blockedPatterns = [
      /console\.log/i,
      /process\.env/i,
      /require\(/i,
      /eval\(/i
    ];
    return typeof query === 'string' && !blockedPatterns.some(pattern => pattern.test(query));
  };

  // Apply to user-provided queries
  exports.handler = async (event) => {
    const userInputQuery = event.queryStringParameters?.query ?? '';
    if (validateLogQuery(userInputQuery)) {
      // Execute query safely
      return { statusCode: 200, body: 'Success' };
    }
    console.warn('Invalid log query detected');
    return { statusCode: 400, body: 'Invalid query' };
  };

This prevents attackers from using log query interfaces to execute malicious code or extract sensitive information.