The ability to mask sensitive parameters in logs is included as WAF configuration. It appears that if the service policy blocks traffic prior to WAF execution (i.e. via Malicious User Detection), the sensitive parameter masking is not run, resulting in leaking of sensitive data to logs.

The masking of sensitive parameters in logs should occur independently of the WAF.