Encryption context keys and values logged at INFO level
## Vulnerability Details
**Component:** cmd/server/main.go:101-106
**Affected Version:** aws-encryption-provider @ 4341c70 (all versions)
**Found by:** Source audit
**TLP:** TLP:Amber
---
## Summary
The server startup code logs all encryption context key-value pairs at INFO level. Encryption context is metadata associated with KMS operations that can contain sensitive information (tenant IDs, data classification labels, resource identifiers). INFO-level logs are typically collected by centralized logging systems where many operators have read access.
---
## Vulnerable Code
```go
// cmd/server/main.go:101-106
for i, encryptionCtx := range encryptionCtxs {
	for k, v := range encryptionCtx {
		// <-- logs both key AND value at INFO level
		zap.L().Info("encryption-context", zap.Int("index", i), zap.String("key", k), zap.String("value", v))
	}
}
```
Additionally, the plugin Encrypt/Decrypt methods log encryption context at DEBUG level:
```go
// pkg/plugin/plugin.go:147 and plugin_v2.go:150
zap.L().Debug("configuring encryption context", zap.String("ctx", fmt.Sprintf("%v", p.encryptionCtx)))
```
## Suggested Fix
Log that encryption context is configured, but not the values:
```go
zap.L().Info("encryption-context configured", zap.Int("index", i), zap.Int("pairs", len(encryptionCtx)))
```
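To show the difference between the two logging styles above and to give a regression check that catches the leak in captured log output, here is an added example (not code from aws-encryption-provider). It uses the standard library's log/slog rather than zap so it runs stand-alone; the sample encryption contexts are constructed.

```go
package main

import (
	"bytes"
	"log/slog"
	"os"
	"strings"
)

// LogContextsVerbose reproduces the reported behaviour: every key and value at INFO level.
func LogContextsVerbose(logger *slog.Logger, ctxs []map[string]string) {
	for i, ctx := range ctxs {
		for k, v := range ctx {
			logger.Info("encryption-context", slog.Int("index", i), slog.String("key", k), slog.String("value", v))
		}
	}
}

// LogContextsRedacted is the suggested fix: record that a context exists and its size, but no keys or values.
func LogContextsRedacted(logger *slog.Logger, ctxs []map[string]string) {
	for i, ctx := range ctxs {
		logger.Info("encryption-context configured", slog.Int("index", i), slog.Int("pairs", len(ctx)))
	}
}

// LeakedValues returns every encryption-context value that appears verbatim in the log output.
// Intended as a regression check over captured logs; very short values may match by coincidence.
func LeakedValues(logOutput string, ctxs []map[string]string) []string {
	var leaked []string
	for _, ctx := range ctxs {
		for _, v := range ctx {
			if strings.Contains(logOutput, v) {
				leaked = append(leaked, v)
			}
		}
	}
	return leaked
}

// CaptureLog runs fn with a JSON logger writing to a buffer and returns what was written,
// mirroring what a kubelet would collect from container stdout.
func CaptureLog(fn func(*slog.Logger)) string {
	var buf bytes.Buffer
	fn(slog.New(slog.NewJSONHandler(&buf, nil)))
	return buf.String()
}

func main() {
	// Constructed sample: the kind of tenant/classification metadata an encryption context carries.
	ctxs := []map[string]string{{"tenant": "acme-prod", "classification": "restricted"}}
	os.Stdout.WriteString(CaptureLog(func(l *slog.Logger) { LogContextsRedacted(l, ctxs) }))
}
```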
## Platform
All platforms. Source audit finding.
## Impact
- Encryption context values visible in container stdout logs
- In Kubernetes, stdout is captured by kubelet and forwarded to the cluster logging system (CloudWatch, Splunk, etc.)
- Operators with log read access can see sensitive metadata
- The DEBUG-level logging in the plugins is less severe (only active with `--debug` flag)
## Report Stats
- Report ID: 3620760
- State: Closed
- Substate: informative
- Upvotes: 1