Mask PII before logs are routed

Sensitive values can leak through debug logs and request payload logging.

Fixing data exposure after ingestion is slow and operationally risky.

Token-like fields and email addresses appear in raw request and error events.

Security teams require centralized redaction policy rather than manual service-by-service patches.

Apply deterministic masking for known sensitive keys and data patterns.

Sanitize logs in the pre-ingestion path so Datadog and S3 receive redacted payloads.

Audit masking rules as part of release and incident review cycles.