The aws:workspacesweb/dataProtectionSettings:DataProtectionSettings resource, part of the Pulumi AWS provider, defines data protection settings that control how WorkSpaces Web redacts sensitive information in streaming browser sessions. This guide focuses on three capabilities: built-in pattern detection, custom regex patterns, and URL-based enforcement rules.
Data protection settings must be associated with a WorkSpaces Web portal to take effect. The examples are intentionally small. Combine them with portal associations and your own KMS keys for production deployments.
Create minimal data protection settings
Teams start by creating a named data protection settings resource that can later be associated with a web portal.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.workspacesweb.DataProtectionSettings("example", {displayName: "example"});
import pulumi
import pulumi_aws as aws
example = aws.workspacesweb.DataProtectionSettings("example", display_name="example")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workspacesweb.NewDataProtectionSettings(ctx, "example", &workspacesweb.DataProtectionSettingsArgs{
DisplayName: pulumi.String("example"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WorkSpacesWeb.DataProtectionSettings("example", new()
{
DisplayName = "example",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.DataProtectionSettings;
import com.pulumi.aws.workspacesweb.DataProtectionSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataProtectionSettings("example", DataProtectionSettingsArgs.builder()
.displayName("example")
.build());
}
}
resources:
example:
type: aws:workspacesweb:DataProtectionSettings
properties:
displayName: example
The displayName property identifies the settings resource. Without inline redaction configuration, the settings exist but don’t actively redact content. You must associate these settings with a portal using a separate resource for them to control streaming sessions.
Redact sensitive patterns with built-in detection
Organizations handling regulated data configure WorkSpaces Web to detect and redact patterns like Social Security numbers automatically.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.workspacesweb.DataProtectionSettings("example", {
displayName: "example",
description: "Example data protection settings",
inlineRedactionConfiguration: {
globalConfidenceLevel: 2,
globalEnforcedUrls: ["https://example.com"],
inlineRedactionPatterns: [{
builtInPatternId: "ssn",
confidenceLevel: 3,
redactionPlaceHolders: [{
redactionPlaceHolderType: "CustomText",
redactionPlaceHolderText: "REDACTED",
}],
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.workspacesweb.DataProtectionSettings("example",
display_name="example",
description="Example data protection settings",
inline_redaction_configuration={
"global_confidence_level": 2,
"global_enforced_urls": ["https://example.com"],
"inline_redaction_patterns": [{
"built_in_pattern_id": "ssn",
"confidence_level": 3,
"redaction_place_holders": [{
"redaction_place_holder_type": "CustomText",
"redaction_place_holder_text": "REDACTED",
}],
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workspacesweb.NewDataProtectionSettings(ctx, "example", &workspacesweb.DataProtectionSettingsArgs{
DisplayName: pulumi.String("example"),
Description: pulumi.String("Example data protection settings"),
InlineRedactionConfiguration: &workspacesweb.DataProtectionSettingsInlineRedactionConfigurationArgs{
GlobalConfidenceLevel: pulumi.Int(2),
GlobalEnforcedUrls: pulumi.StringArray{
pulumi.String("https://example.com"),
},
InlineRedactionPatterns: workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArray{
&workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs{
BuiltInPatternId: pulumi.String("ssn"),
ConfidenceLevel: pulumi.Int(3),
RedactionPlaceHolders: workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArray{
&workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs{
RedactionPlaceHolderType: pulumi.String("CustomText"),
RedactionPlaceHolderText: pulumi.String("REDACTED"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WorkSpacesWeb.DataProtectionSettings("example", new()
{
DisplayName = "example",
Description = "Example data protection settings",
InlineRedactionConfiguration = new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationArgs
{
GlobalConfidenceLevel = 2,
GlobalEnforcedUrls = new[]
{
"https://example.com",
},
InlineRedactionPatterns = new[]
{
new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs
{
BuiltInPatternId = "ssn",
ConfidenceLevel = 3,
RedactionPlaceHolders = new[]
{
new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs
{
RedactionPlaceHolderType = "CustomText",
RedactionPlaceHolderText = "REDACTED",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.DataProtectionSettings;
import com.pulumi.aws.workspacesweb.DataProtectionSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.DataProtectionSettingsInlineRedactionConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataProtectionSettings("example", DataProtectionSettingsArgs.builder()
.displayName("example")
.description("Example data protection settings")
.inlineRedactionConfiguration(DataProtectionSettingsInlineRedactionConfigurationArgs.builder()
.globalConfidenceLevel(2)
.globalEnforcedUrls("https://example.com")
.inlineRedactionPatterns(DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs.builder()
.builtInPatternId("ssn")
.confidenceLevel(3)
.redactionPlaceHolders(DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs.builder()
.redactionPlaceHolderType("CustomText")
.redactionPlaceHolderText("REDACTED")
.build())
.build())
.build())
.build());
}
}
resources:
example:
type: aws:workspacesweb:DataProtectionSettings
properties:
displayName: example
description: Example data protection settings
inlineRedactionConfiguration:
globalConfidenceLevel: 2
globalEnforcedUrls:
- https://example.com
inlineRedactionPatterns:
- builtInPatternId: ssn
confidenceLevel: 3
redactionPlaceHolders:
- redactionPlaceHolderType: CustomText
redactionPlaceHolderText: REDACTED
The inlineRedactionConfiguration property enables pattern-based redaction. The builtInPatternId references AWS-managed detection rules (like “ssn” for Social Security numbers). The confidenceLevel controls detection sensitivity: higher values reduce false positives but may miss variations. The redactionPlaceHolders property defines what users see when data is redacted; here, “REDACTED” replaces detected SSNs. The globalEnforcedUrls property limits redaction to specific domains, reducing performance impact on unrelated sites.
Combine encryption, custom patterns, and URL controls
Production deployments add customer-managed encryption, custom regex patterns for organization-specific formats, and fine-grained URL controls.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.kms.Key("example", {
description: "KMS key for WorkSpaces Web Data Protection Settings",
deletionWindowInDays: 7,
});
const exampleDataProtectionSettings = new aws.workspacesweb.DataProtectionSettings("example", {
displayName: "example-complete",
description: "Complete example data protection settings",
customerManagedKey: example.arn,
additionalEncryptionContext: {
Environment: "Production",
},
inlineRedactionConfiguration: {
globalConfidenceLevel: 2,
globalEnforcedUrls: [
"https://example.com",
"https://test.example.com",
],
globalExemptUrls: ["https://exempt.example.com"],
inlineRedactionPatterns: [
{
builtInPatternId: "ssn",
confidenceLevel: 3,
enforcedUrls: ["https://pattern1.example.com"],
exemptUrls: ["https://exempt-pattern1.example.com"],
redactionPlaceHolders: [{
redactionPlaceHolderType: "CustomText",
redactionPlaceHolderText: "REDACTED-SSN",
}],
},
{
customPattern: {
patternName: "CustomPattern",
patternRegex: "/\\d{3}-\\d{2}-\\d{4}/g",
keywordRegex: "/SSN|Social Security/gi",
patternDescription: "Custom SSN pattern",
},
redactionPlaceHolders: [{
redactionPlaceHolderType: "CustomText",
redactionPlaceHolderText: "REDACTED-CUSTOM",
}],
},
],
},
tags: {
Name: "example-data-protection-settings",
},
});
import pulumi
import pulumi_aws as aws
example = aws.kms.Key("example",
description="KMS key for WorkSpaces Web Data Protection Settings",
deletion_window_in_days=7)
example_data_protection_settings = aws.workspacesweb.DataProtectionSettings("example",
display_name="example-complete",
description="Complete example data protection settings",
customer_managed_key=example.arn,
additional_encryption_context={
"Environment": "Production",
},
inline_redaction_configuration={
"global_confidence_level": 2,
"global_enforced_urls": [
"https://example.com",
"https://test.example.com",
],
"global_exempt_urls": ["https://exempt.example.com"],
"inline_redaction_patterns": [
{
"built_in_pattern_id": "ssn",
"confidence_level": 3,
"enforced_urls": ["https://pattern1.example.com"],
"exempt_urls": ["https://exempt-pattern1.example.com"],
"redaction_place_holders": [{
"redaction_place_holder_type": "CustomText",
"redaction_place_holder_text": "REDACTED-SSN",
}],
},
{
"custom_pattern": {
"pattern_name": "CustomPattern",
"pattern_regex": "/\\d{3}-\\d{2}-\\d{4}/g",
"keyword_regex": "/SSN|Social Security/gi",
"pattern_description": "Custom SSN pattern",
},
"redaction_place_holders": [{
"redaction_place_holder_type": "CustomText",
"redaction_place_holder_text": "REDACTED-CUSTOM",
}],
},
],
},
tags={
"Name": "example-data-protection-settings",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("KMS key for WorkSpaces Web Data Protection Settings"),
DeletionWindowInDays: pulumi.Int(7),
})
if err != nil {
return err
}
_, err = workspacesweb.NewDataProtectionSettings(ctx, "example", &workspacesweb.DataProtectionSettingsArgs{
DisplayName: pulumi.String("example-complete"),
Description: pulumi.String("Complete example data protection settings"),
CustomerManagedKey: example.Arn,
AdditionalEncryptionContext: pulumi.StringMap{
"Environment": pulumi.String("Production"),
},
InlineRedactionConfiguration: &workspacesweb.DataProtectionSettingsInlineRedactionConfigurationArgs{
GlobalConfidenceLevel: pulumi.Int(2),
GlobalEnforcedUrls: pulumi.StringArray{
pulumi.String("https://example.com"),
pulumi.String("https://test.example.com"),
},
GlobalExemptUrls: pulumi.StringArray{
pulumi.String("https://exempt.example.com"),
},
InlineRedactionPatterns: workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArray{
&workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs{
BuiltInPatternId: pulumi.String("ssn"),
ConfidenceLevel: pulumi.Int(3),
EnforcedUrls: pulumi.StringArray{
pulumi.String("https://pattern1.example.com"),
},
ExemptUrls: pulumi.StringArray{
pulumi.String("https://exempt-pattern1.example.com"),
},
RedactionPlaceHolders: workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArray{
&workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs{
RedactionPlaceHolderType: pulumi.String("CustomText"),
RedactionPlaceHolderText: pulumi.String("REDACTED-SSN"),
},
},
},
&workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs{
CustomPattern: &workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternCustomPatternArgs{
PatternName: pulumi.String("CustomPattern"),
PatternRegex: pulumi.String("/\\d{3}-\\d{2}-\\d{4}/g"),
KeywordRegex: pulumi.String("/SSN|Social Security/gi"),
PatternDescription: pulumi.String("Custom SSN pattern"),
},
RedactionPlaceHolders: workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArray{
&workspacesweb.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs{
RedactionPlaceHolderType: pulumi.String("CustomText"),
RedactionPlaceHolderText: pulumi.String("REDACTED-CUSTOM"),
},
},
},
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("example-data-protection-settings"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Kms.Key("example", new()
{
Description = "KMS key for WorkSpaces Web Data Protection Settings",
DeletionWindowInDays = 7,
});
var exampleDataProtectionSettings = new Aws.WorkSpacesWeb.DataProtectionSettings("example", new()
{
DisplayName = "example-complete",
Description = "Complete example data protection settings",
CustomerManagedKey = example.Arn,
AdditionalEncryptionContext =
{
{ "Environment", "Production" },
},
InlineRedactionConfiguration = new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationArgs
{
GlobalConfidenceLevel = 2,
GlobalEnforcedUrls = new[]
{
"https://example.com",
"https://test.example.com",
},
GlobalExemptUrls = new[]
{
"https://exempt.example.com",
},
InlineRedactionPatterns = new[]
{
new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs
{
BuiltInPatternId = "ssn",
ConfidenceLevel = 3,
EnforcedUrls = new[]
{
"https://pattern1.example.com",
},
ExemptUrls = new[]
{
"https://exempt-pattern1.example.com",
},
RedactionPlaceHolders = new[]
{
new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs
{
RedactionPlaceHolderType = "CustomText",
RedactionPlaceHolderText = "REDACTED-SSN",
},
},
},
new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs
{
CustomPattern = new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternCustomPatternArgs
{
PatternName = "CustomPattern",
PatternRegex = "/\\d{3}-\\d{2}-\\d{4}/g",
KeywordRegex = "/SSN|Social Security/gi",
PatternDescription = "Custom SSN pattern",
},
RedactionPlaceHolders = new[]
{
new Aws.WorkSpacesWeb.Inputs.DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs
{
RedactionPlaceHolderType = "CustomText",
RedactionPlaceHolderText = "REDACTED-CUSTOM",
},
},
},
},
},
Tags =
{
{ "Name", "example-data-protection-settings" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.workspacesweb.DataProtectionSettings;
import com.pulumi.aws.workspacesweb.DataProtectionSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.DataProtectionSettingsInlineRedactionConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Key("example", KeyArgs.builder()
.description("KMS key for WorkSpaces Web Data Protection Settings")
.deletionWindowInDays(7)
.build());
var exampleDataProtectionSettings = new DataProtectionSettings("exampleDataProtectionSettings", DataProtectionSettingsArgs.builder()
.displayName("example-complete")
.description("Complete example data protection settings")
.customerManagedKey(example.arn())
.additionalEncryptionContext(Map.of("Environment", "Production"))
.inlineRedactionConfiguration(DataProtectionSettingsInlineRedactionConfigurationArgs.builder()
.globalConfidenceLevel(2)
.globalEnforcedUrls(
"https://example.com",
"https://test.example.com")
.globalExemptUrls("https://exempt.example.com")
.inlineRedactionPatterns(
DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs.builder()
.builtInPatternId("ssn")
.confidenceLevel(3)
.enforcedUrls("https://pattern1.example.com")
.exemptUrls("https://exempt-pattern1.example.com")
.redactionPlaceHolders(DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs.builder()
.redactionPlaceHolderType("CustomText")
.redactionPlaceHolderText("REDACTED-SSN")
.build())
.build(),
DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternArgs.builder()
.customPattern(DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternCustomPatternArgs.builder()
.patternName("CustomPattern")
.patternRegex("/\\d{3}-\\d{2}-\\d{4}/g")
.keywordRegex("/SSN|Social Security/gi")
.patternDescription("Custom SSN pattern")
.build())
.redactionPlaceHolders(DataProtectionSettingsInlineRedactionConfigurationInlineRedactionPatternRedactionPlaceHolderArgs.builder()
.redactionPlaceHolderType("CustomText")
.redactionPlaceHolderText("REDACTED-CUSTOM")
.build())
.build())
.build())
.tags(Map.of("Name", "example-data-protection-settings"))
.build());
}
}
resources:
example:
type: aws:kms:Key
properties:
description: KMS key for WorkSpaces Web Data Protection Settings
deletionWindowInDays: 7
exampleDataProtectionSettings:
type: aws:workspacesweb:DataProtectionSettings
name: example
properties:
displayName: example-complete
description: Complete example data protection settings
customerManagedKey: ${example.arn}
additionalEncryptionContext:
Environment: Production
inlineRedactionConfiguration:
globalConfidenceLevel: 2
globalEnforcedUrls:
- https://example.com
- https://test.example.com
globalExemptUrls:
- https://exempt.example.com
inlineRedactionPatterns:
- builtInPatternId: ssn
confidenceLevel: 3
enforcedUrls:
- https://pattern1.example.com
exemptUrls:
- https://exempt-pattern1.example.com
redactionPlaceHolders:
- redactionPlaceHolderType: CustomText
redactionPlaceHolderText: REDACTED-SSN
- customPattern:
patternName: CustomPattern
patternRegex: /\d{3}-\d{2}-\d{4}/g
keywordRegex: /SSN|Social Security/gi
patternDescription: Custom SSN pattern
redactionPlaceHolders:
- redactionPlaceHolderType: CustomText
redactionPlaceHolderText: REDACTED-CUSTOM
tags:
Name: example-data-protection-settings
The customerManagedKey property references a KMS key ARN for encrypting settings data at rest. Custom patterns use patternRegex to define detection rules and keywordRegex to improve accuracy by requiring context keywords. The globalEnforcedUrls and globalExemptUrls properties control where redaction applies across all patterns, while pattern-specific enforcedUrls and exemptUrls provide granular overrides. This configuration combines built-in SSN detection with a custom pattern, each using different redaction placeholders and URL rules.
Beyond these examples
These snippets focus on specific data protection features: built-in and custom pattern detection, customer-managed encryption, and URL-based enforcement and exemptions. They’re intentionally minimal rather than full WorkSpaces Web deployments.
The examples may reference pre-existing infrastructure such as KMS keys for customer-managed encryption and WorkSpaces Web portals for association. They focus on configuring data protection settings rather than provisioning the surrounding portal infrastructure.
To keep things focused, common data protection patterns are omitted, including:
- Portal association (requires separate PortalDataProtectionSettingsAssociation resource)
- Additional encryption context usage patterns
- Confidence level tuning for different data types
- Pattern testing and validation workflows
These omissions are intentional: the goal is to illustrate how each data protection feature is wired, not provide drop-in compliance modules. See the WorkSpaces Web Data Protection Settings resource reference for all available configuration options.
Let's configure AWS WorkSpaces Web Data Protection Settings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Core Concepts & Setup
What does this resource do and when does it take effect?
Data protection settings control how sensitive information is redacted in WorkSpaces Web streaming sessions. The settings take effect once associated with a web portal.
How do I associate data protection settings with a web portal?
Create the data protection settings resource first, then associate it with a web portal resource. The
associatedPortalArns output shows which portals are using these settings.Redaction Patterns & Configuration
How do I redact sensitive data like Social Security Numbers?
Configure
inlineRedactionConfiguration with inlineRedactionPatterns. Use builtInPatternId set to ssn for Social Security Numbers, and specify a redactionPlaceHolder for the replacement text.What's the difference between built-in and custom redaction patterns?
Built-in patterns use
builtInPatternId (like ssn) for predefined sensitive data types. Custom patterns use customPattern with your own patternRegex and keywordRegex for organization-specific data.What are confidence levels and what values can I use?
Confidence levels control redaction sensitivity. The examples show values of 2 and 3, with higher numbers indicating stricter matching. Set
globalConfidenceLevel for all patterns or confidenceLevel per pattern.What placeholder types are available for redacted content?
The examples show
CustomText as the redactionPlaceHolderType, which lets you specify custom replacement text via redactionPlaceHolderText (like “REDACTED” or “REDACTED-SSN”).URL Controls
Can I control which URLs apply redaction rules?
Yes, use
globalEnforcedUrls to apply redaction to specific URLs and globalExemptUrls to exclude URLs. You can also set enforcedUrls and exemptUrls per individual pattern for fine-grained control.What's the difference between global and pattern-level URL controls?
Global URL controls (
globalEnforcedUrls, globalExemptUrls) apply to all redaction patterns. Pattern-level controls (enforcedUrls, exemptUrls) override globals for specific patterns.Encryption & Security
How do I encrypt data protection settings with a customer-managed KMS key?
Set
customerManagedKey to the ARN of your KMS key. Optionally, provide additionalEncryptionContext for extra encryption metadata.