Which action best mitigates exposure of credentials in logs?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which action best mitigates exposure of credentials in logs?

Explanation:

Minimizing credential exposure in logs relies on data minimization and protecting what remains. Excluding sensitive data from logs means credentials, tokens, and secrets aren’t written or stored in plain text, reducing the chance they’ll be exposed if logs are accessed. Encrypting storage adds a second layer of defense, so even if someone gains access to the log files, the information remains unreadable without the decryption key. Together, these practices cut the risk both at the moment of logging and while the logs are stored.

Archiving logs in plaintext increases exposure risk because secrets could be read directly if the archives are accessed. Disabling all logging eliminates important auditing and visibility, which hinders detection and response to incidents. Storing logs in a publicly accessible location makes sensitive information trivially discoverable. By excluding sensitive data and encrypting storage, you strike a balance between useful logging and protecting credentials.
