diff --git a/docs/sources/datasources/aws-cloudwatch/_index.md b/docs/sources/datasources/aws-cloudwatch/_index.md
index 3bb9a4160ef..39a0053a405 100644
--- a/docs/sources/datasources/aws-cloudwatch/_index.md
+++ b/docs/sources/datasources/aws-cloudwatch/_index.md
@@ -375,3 +375,7 @@ For more information, refer to the AWS documentation for [Service Quotas](https:
 The CloudWatch plugin enables you to monitor and troubleshoot applications across multiple regional accounts. Using cross-account observability, you can seamlessly search, visualize and analyze metrics and logs without worrying about account boundaries.
 
 To use this feature, configure in the [AWS console under Cloudwatch Settings](https://aws.amazon.com/blogs/aws/new-amazon-cloudwatch-cross-account-observability/), a monitoring and source account, and then add the necessary IAM permissions as described above.
+
+## CloudWatch Logs data protection
+
+CloudWatch Logs can safeguard data by using log group data protection policies. If you have data protection enabled for a log group, then any sensitive data that matches the data identifiers you've selected will be masked. In order to view masked data you will need to have the `logs:Unmask` IAM permission enabled. See the AWS documentation on how to [help protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) to learn more about this.
diff --git a/public/app/plugins/datasource/cloudwatch/components/LogsCheatSheet.tsx b/public/app/plugins/datasource/cloudwatch/components/LogsCheatSheet.tsx
index 0df75f024f1..f0d816e6941 100644
--- a/public/app/plugins/datasource/cloudwatch/components/LogsCheatSheet.tsx
+++ b/public/app/plugins/datasource/cloudwatch/components/LogsCheatSheet.tsx
@@ -216,6 +216,10 @@ const exampleCategory = css`
   margin-top: 5px;
 `;
 
+const link = css`
+  text-decoration: underline;
+`;
+
 export default class LogsCheatSheet extends PureComponent<
   QueryEditorHelpProps<CloudWatchQuery>,
   { userExamples: string[] }
@@ -280,6 +284,18 @@ export default class LogsCheatSheet extends PureComponent<
             ))}
           </div>
         ))}
+        <div>
+          If you are seeing masked data, you may have CloudWatch logs data protection enabled.{' '}
+          <a
+            className={cx(link)}
+            href="https://grafana.com/docs/grafana/latest/datasources/aws-cloudwatch/#cloudwatch-logs-data-protection"
+            target="_blank"
+            rel="noreferrer"
+          >
+            See documentation for details
+          </a>
+          .
+        </div>
       </div>
     );
   }