Describe the feature
It would be good to add a feature similar to KtorClient: https://ktor.io/docs/client-logging.html#7641443b_69
which would allow sanitization of headers such as Authorization and X-Amz-Security-Token. This will apply when setting the LogMode to anything other than default.
In fact, it would be good if the SDK did that by default.
Is your feature request related to a problem?
Logging sensitive tokens is a security risk
Proposed Solution
No response
Describe alternative solutions or features you've considered
No response
Acknowledge
I may be able to implement this feature request
AWS SDK for Kotlin version
1.3.68
Platform (JVM/JS/Native)
jvm
Operating system and version
linux
Hi @NikolayMetchev, thanks for the feature request. We don't presently sanitize the Authorization or X-Amz-Security-Token header values because AWS does not consider them to be sensitive for the following reasons:
The Authorization header contains a calculated signature but it's derived via cryptographic hash function involving a substantial amount of entropy. It would not be possible to reverse the function to discover credentials or other secrets from a signature.
The X-Amz-Security-Token contains a short-term token from STS which forms a part of full credentials (just like access key ID) but is not sufficient for authorization on its own—it's only meaningful alongside an access key ID and secret access key.
That said, I understand why there might be concerns around logging them when opted into request/response logging. We'll investigate a feature to support this.
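The following is an added Kotlin example, not code from the AWS SDK for Kotlin or from Ktor, showing the kind of header sanitization the request above asks for: the `X-Amz-Security-Token` value is replaced wholesale, while for a SigV4 `Authorization` header only the `Signature=` component is masked so the algorithm, credential scope and `SignedHeaders` stay visible for debugging. The header set, the placeholder string and the sample headers in `main` are assumptions constructed for illustration.

```kotlin
// Added example; header names and placeholder are illustrative assumptions.
private val REDACTED_HEADERS = setOf("authorization", "x-amz-security-token")

// Matches the hex signature at the end of a SigV4 Authorization header.
private val SIGNATURE_RE = Regex("""(Signature=)[0-9a-fA-F]+""")

// Returns the value to log for a single header. Non-sensitive headers pass
// through unchanged; a SigV4 Authorization header keeps its scope but loses
// the signature; anything else in the redaction set becomes the placeholder.
fun sanitizeHeaderValue(name: String, value: String, placeholder: String = "***"): String {
    if (name.lowercase() !in REDACTED_HEADERS) return value
    val isSigV4 = name.equals("Authorization", ignoreCase = true) &&
        value.startsWith("AWS4-HMAC-SHA256")
    return if (isSigV4) {
        SIGNATURE_RE.replace(value) { m -> m.groupValues[1] + placeholder }
    } else {
        placeholder
    }
}

// Applies the sanitizer to a multi-valued header map before it reaches a log.
fun sanitizeHeaders(headers: Map<String, List<String>>): Map<String, List<String>> =
    headers.mapValues { (name, values) -> values.map { sanitizeHeaderValue(name, it) } }

fun main() {
    // Constructed sample request headers; the key ID, token and signature are fake.
    val headers = mapOf(
        "Host" to listOf("s3.us-east-1.amazonaws.com"),
        "X-Amz-Security-Token" to listOf("FwoGZXIvYXdzEConstructedTokenValue"),
        "Authorization" to listOf(
            "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240601/us-east-1/s3/aws4_request, " +
                "SignedHeaders=host;x-amz-date, Signature=0123456789abcdef0123456789abcdef"
        ),
    )
    sanitizeHeaders(headers).forEach { (name, values) ->
        println("$name: ${values.joinToString(", ")}")
    }
}
```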