SST adds unwanted CloudWatch Subscription Filter

[bram-l]

We have noticed that CloudWatch Log Groups for Lambda functions deployed with SST (V2) have a Subscription Filter that seems
to forward logs to an external account:

$ aws logs describe-subscription-filters --log-group-name "/aws/lambda/***"

{
    "subscriptionFilters": [
        {
            "filterName": "sst#***#***#***#***",
            "logGroupName": "/aws/lambda/***",
            "filterPattern": "?\"Invoke Error\" ?\"Error: Runtime exited\" ?\"Task timed out after\" ?\"\tERROR\t\" ?\"[ERROR]\"",
            "destinationArn": "arn:aws:logs:eu-west-1:226609089145:destination:sst#***#***#***#***",
            "distribution": "ByLogStream",
            "creationTime": 1710931935292
        }
    ]
}

This has raised security concerns as the 226609089145 account is not ours. I see it referenced in other places in the SST repos, so I'd assume it's owned by the team maintaining SST. Even though a very specific filter pattern is being used, it does include application error logs which might contain sensitive information.

Could you please share what this is used for, and more importantly, how can we disable this behaviour?

[jayair]

Did you enable the SST Console? https://docs.sst.dev/console#how-it-works

[bram-l]

Thanks @jayair! I wasn't aware, but Indeed somebody had signed up for SST Console granting this permission..