Domain Scrubbing

Domain scrubbing allows you to prevent entire domains from being traced by Lumigo. Domain scrubbing prevents data from being sent by the Lumigo Tracer for domain-specific HTTP calls. The list of domains is defined using regular expressions. This feature ensures that data from specified domains is neither collected nor displayed in Lumigo's monitoring tools, and that interactions with sensitive services, such as credential stores or internal APIs, remain confidential and are not logged or analyzed by Lumigo's tracing mechanisms.

By leveraging regular expressions, Lumigo provides a flexible approach to define which domains should be excluded from tracing.

Default Behavior

Out of the box, Lumigo automatically scrubs domains associated with common AWS services known to handle sensitive data. This includes services like:

• AWS Secrets Manager
• AWS Systems Manager (SSM)
• AWS Key Management Service (KMS)
• AWS Security Token Service (STS).

By default, any HTTP calls made to these services are excluded from tracing. This measure ensures that sensitive operations, such as fetching secrets or managing encryption keys, are not inadvertently logged or exposed in trace data.

Customization

Lumigo allows developers to customize the list of domains to be scrubbed. To override the default regular expressions, add the LUMIGO_DOMAINS_SCRUBBER environment variable to your Lambda function, using a JSON-formatted array of regular expressions that match the domains meant to be excluded.

👍

Note

The value of LUMIGO_DOMAINS_SCRUBBER must be a valid JSON list.

Configuration Example

Replace "regex1" and "regex2" with regular expressions that match the domains you wish to exclude. For instance, to exclude all subdomains of example.com, you might use:

LUMIGO_DOMAINS_SCRUBBER = ["^.*\\.example\\.com$"]

This configuration ensures that any HTTP requests to domains matching the provided patterns are not traced by Lumigo.