January 2026
Data quality insights, cluster-wide policies, and tokenization
See data quality health at a glance. Enforce resource policies across entire clusters. Gateway tokenization enables analytics on protected data.
Understand data quality health at a glance
The new Data Quality Insights dashboard provides a unified view of your data quality posture. A composite health score combines coverage (topics with policies) and enforcement (policies blocking violations) to help you identify whether you need more policies or stricter enforcement.

Enforce resource policies across entire clusters
Resource policies can now be applied at the cluster level, not just per application. Attach governance rules, naming conventions, replication standards, or schema restrictions to a cluster and they automatically apply to all resources within it.
This enables centralized policy enforcement before applications are even provisioned—no per-app configuration required.

Tokenize sensitive data with HashiCorp Vault
Gateway now supports tokenization through HashiCorp Vault's Transform Secrets Engine. Unlike standard encryption, tokenization produces deterministic output—the same input always generates the same token.
This enables analytics on protected data: GROUP BY customer IDs, match patterns across transactions, or join records across systems without exposing sensitive values.

Drill down to topic-level costs in Chargeback
Chargeback now breaks down storage and partition costs at the topic level. Filter by cluster or application instance to identify exactly which topics drive spend, with daily or monthly aggregation.
Works with Console's metadata indexer—no Gateway required.

Quality of life improvements
- Insights filtering: Filter all Insights data by label or topic type; click any label to apply it as a filter
- Insights sorting: Tables in risk analysis, VIP topics, and governance sections now support column sorting and search
- Topic classification: Topic type labels shown alongside custom labels for easier identification
- Filtered exports: CSV exports include a -filtered suffix when filters are applied
- Metrics auth: Optional basic auth for metric scraping endpoints via CDK_MONITORING_BASICAUTH_EMAIL and CDK_MONITORING_BASICAUTH_PASSWORD
- Audit log redaction: Passwords, tokens, keys, and secrets now redacted in audit logs
- Webhook secrets: Environment variables supported in webhook alert configurations using {{env.CDK_WEBHOOK_SECRET_*}} syntax
For a full list of changes, read the complete release notes.