diff --git a/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandler.groovy b/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandler.groovy
index 20de73b4b..ff255d8f8 100644
--- a/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandler.groovy
+++ b/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandler.groovy
@@ -231,6 +231,11 @@ public class AWSBakeHandler extends CloudProviderBakeHandler {
     return new Bake(id: bakeId, ami: amiId, image_name: imageName, artifacts: artifacts)
   }
 
+  @Override
+  List<String> getMaskedPackerParameters() {
+    return awsBakeryDefaults.maskedPackerParameters
+  }
+
   private String lookupAmiByName(String name, String region, String account, VmType vmType, boolean mostRecent) {
     def images = AuthenticatedRequest.allowAnonymous(
       {
@@ -247,7 +252,7 @@ public class AWSBakeHandler extends CloudProviderBakeHandler {
     } else {
       image = images?.find { it.attributes.virtualizationType == vmType }
     }
-    
+
     return image?.amis?.get(region)?.first()
   }
 }
diff --git a/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/config/RoscoAWSConfiguration.groovy b/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/config/RoscoAWSConfiguration.groovy
index 4900ee6a0..95713a12f 100644
--- a/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/config/RoscoAWSConfiguration.groovy
+++ b/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/config/RoscoAWSConfiguration.groovy
@@ -58,6 +58,7 @@ class RoscoAWSConfiguration {
     String templateFile
     BakeRequest.VmType defaultVirtualizationType
     List<AWSOperatingSystemVirtualizationSettings> baseImages = []
+    List<String> maskedPackerParameters = [ 'aws_access_key', 'aws_secret_key' ]
   }
 
   static class AWSOperatingSystemVirtualizationSettings {
diff --git a/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandlerSpec.groovy b/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandlerSpec.groovy
index 791fce1f4..c22feae09 100644
--- a/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandlerSpec.groovy
+++ b/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandlerSpec.groovy
@@ -1441,6 +1441,32 @@ class AWSBakeHandlerSpec extends Specification implements TestDefaults {
       1 * packerCommandFactoryMock.buildPackerCommand("", parameterMap, null, "$configDir/$awsBakeryDefaults.templateFile")
   }
 
+  void 'getMaskedPackerParameters returns the expected default'() {
+    setup:
+      @Subject
+      AWSBakeHandler awsBakeHandler = new AWSBakeHandler(awsBakeryDefaults: new RoscoAWSConfiguration.AWSBakeryDefaults())
+
+    when:
+      def maskedPackerParams = awsBakeHandler.maskedPackerParameters
+
+    then:
+      maskedPackerParams == [ 'aws_access_key', 'aws_secret_key' ]
+  }
+
+  void 'getMaskedPackerParameters returns the expected default'() {
+    setup:
+      def paramsToMask = [ 'foo' ]
+      @Subject
+      AWSBakeHandler awsBakeHandler = new AWSBakeHandler(awsBakeryDefaults: new RoscoAWSConfiguration.AWSBakeryDefaults(maskedPackerParameters: paramsToMask))
+
+
+    when:
+      def maskedPackerParams = awsBakeHandler.maskedPackerParameters
+
+    then:
+      maskedPackerParams == paramsToMask
+  }
+
   static class NoSleepRetry extends RetrySupport {
     void sleep(long time) {}
   }
diff --git a/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/util/LocalJobFriendlyPackerCommandFactorySpec.groovy b/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/util/LocalJobFriendlyPackerCommandFactorySpec.groovy
index 718b3066e..df9963d95 100644
--- a/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/util/LocalJobFriendlyPackerCommandFactorySpec.groovy
+++ b/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/util/LocalJobFriendlyPackerCommandFactorySpec.groovy
@@ -75,18 +75,19 @@ class LocalJobFriendlyPackerCommandFactorySpec extends Specification implements
     when:
       def packerCommand = packerCommandFactory.buildPackerCommand("", parameterMap, null, "")
       def jobRequest = new JobRequest(tokenizedCommand: packerCommand, maskedParameters: maskedPackerParameters, jobId: SOME_UUID)
-      def commandLine = new CommandLine(jobRequest.tokenizedCommand[0])
-      def arguments = (String []) Arrays.copyOfRange(jobRequest.tokenizedCommand.toArray(), 1, jobRequest.tokenizedCommand.size())
+      def maskedTokenizedCommand = jobRequest.maskedTokenizedCommand
+      def commandLine = new CommandLine(maskedTokenizedCommand[0])
+      def arguments = (String []) Arrays.copyOfRange(maskedTokenizedCommand.toArray(), 1, maskedTokenizedCommand.size())
       commandLine.addArguments(arguments, false)
       def g = commandLine.toString()
       def cmdLineList =  commandLine.toStrings().toList()
 
-
     then:
       cmdLineList  == expectedCommandLine
 
     where:
-      parameterMap                          | maskedPackerParameters | expectedCommandLine
-      [packages: "package1 package2"]       | []                     | ["packer", "build", "-color=false", "-var", "packages=package1 package2"]
+      parameterMap                                              | maskedPackerParameters | expectedCommandLine
+      [packages: "package1 package2"]                           | []                     | ["packer", "build", "-color=false", "-var", "packages=package1 package2"]
+      [packages: "package1 package2", secret: "mysecret"]       | ["secret"]             | ["packer", "build", "-color=false", "-var", "packages=package1 package2", "-var", "secret=******"]
   }
 }