If this did in fact include PHI and someone wanted to redact, but did something wrong, we'll still end up logging the PHI. Does it make sense to just not log the body here?

Ah, I did miss this. Sorry. If the tradeoff is legally acceptable, I'm all for it. Easier debugging is always better.

Legally I think we're fine. The biggest risk I can think of would be constantly failing redaction logic that logs lots of data and we don't notice. An alternative would be to completely fail and to log the unredacted body. That would force a fix while giving enough data to debug when needed

@swain @indigocarmen What do you think?

What do you have in mind for when you say "completely fail". Since this happens in an SQS handler, it retries based on the queue settings.

I mean throw an exception without handling the message rather than keep going. Throwing the exception would mean that it would be hard to ignore the failure to redact. There would be a small amount of PHI logged for that one message. By logging a warning, it would be pretty easy to ignore and then have the logs full of PHI over many messages.

Hmm...I think if a developer has explicitly provided logic for redacting data from the message body, it seems like we should not definitely not log that data. Logging a small amount of PHI seems like it is theoretically not okay, right?

@mdlavin It seems like your goal in including that log is supporting debugging. Could we log the SQS message id for that particular record instead of the full body?

Logging a small amount of PHI seems like it is theoretically not okay

I think it's fine as an edgecase. Sumo can hold PHI and we want to minimize it.

Could we log the SQS message id for that particular record instead of the full body?

How does a developer debug with that?

Could we log the SQS message id for that particular record instead of the full body?

How does a developer debug with that?

Good question. Thinking deeper, I couldn't come up with a solid path.

I think it's fine as an edgecase. Sumo can hold PHI and we want to minimize it.

I think I disagree about having the behavior in this package, but I'm willing to commit. You're the first user of the feature, and it seems like you feel like it is important and will be useful.

It does seem like it should be possible to create a redacted log message that does contain PHI, but is still useful for debugging (e.g. contains ids, etc). But, approving to trust your judgement.

I just pushed a new fix. Here is how the code should work:

1. If no redaction is enabled then the event body is logged as is
2. If redaction is enabled and it does not error, then the redacted event body is logged
3. If redaction is enabled and it fails, then the event is logged with the whole body repalced with 'REDACTED' and an RSA encrypted blob holding the body to be used for debugging. Devs could keep a private key to use for accessing the details when critical
4. If redaction fail, and encryption fails, then the body is logged as 'REDACTED', the encryption failure is logged. No way to debug from this. Need to deliver a code fix to repair the failed encryption

It's the best mix of security + developer experience I could come up with. Sensitive data is unlikely to be leaked by accident and developers can get access to the failed event body by jumping through some manual steps of RSA decryption.