Re: How to Log queries for doing performance analysis
The trick for PCI/PII environments is to stop relying on the raw slow query log for analysis and use Performance Schema digests instead. The events_statements_summary_by_digest table normalizes every query by replacing literal values with ?, so SELECT * FROM customers WHERE ssn = '123-45-6789' becomes SELECT * FROM customers WHERE ssn = ?. You still get execution counts, avg latency, max latency, rows examined, all grouped by query pattern. No sensitive data in the output.
For the Aurora CloudWatch piece, AWS has data protection policies you can attach to log groups that detect and mask PII patterns (credit cards, SSNs, emails) automatically before anyone without logs:Unmask permission can read them (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html). That covers your slow query logs without changing anything on the MySQL side.
In practice the combination that works for PCI audits is Performance Schema digests for monitoring, CloudWatch data protection on the log groups, and strict IAM on anything storing raw query text.
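One way to apply the digest approach from the post above, as an added example that is not part of the original post: a view that exposes only the normalized columns of events_statements_summary_by_digest, so analysts never read the base table directly. It leaves out QUERY_SAMPLE_TEXT, which in MySQL 8.0 holds one un-normalized sample statement per digest; the schema perf_review and the account perf_analyst are hypothetical names.

```sql
-- Added example. perf_review and 'perf_analyst'@'%' are hypothetical names;
-- the account is assumed to exist already and to have no other privileges
-- on performance_schema.
CREATE DATABASE IF NOT EXISTS perf_review;

-- Expose only normalized, aggregated data. QUERY_SAMPLE_TEXT (MySQL 8.0) is
-- deliberately omitted: it keeps one raw statement per digest, literals included.
-- SQL SECURITY DEFINER lets analysts read the view without any grant on the
-- underlying performance_schema table.
CREATE OR REPLACE SQL SECURITY DEFINER VIEW perf_review.statement_digests AS
SELECT
    SCHEMA_NAME,
    DIGEST,
    DIGEST_TEXT,                                          -- literals replaced with ?
    COUNT_STAR                       AS exec_count,
    ROUND(AVG_TIMER_WAIT / 1e9, 3)   AS avg_latency_ms,   -- timers are picoseconds
    ROUND(MAX_TIMER_WAIT / 1e9, 3)   AS max_latency_ms,
    ROUND(SUM_TIMER_WAIT / 1e9, 3)   AS total_latency_ms,
    SUM_ROWS_EXAMINED                AS rows_examined,
    SUM_ROWS_SENT                    AS rows_sent,
    SUM_NO_INDEX_USED                AS no_index_used,
    FIRST_SEEN,
    LAST_SEEN
FROM performance_schema.events_statements_summary_by_digest;

GRANT SELECT ON perf_review.statement_digests TO 'perf_analyst'@'%';

-- Typical analyst query: the 20 query patterns consuming the most total time.
SELECT SCHEMA_NAME, DIGEST_TEXT, exec_count,
       avg_latency_ms, max_latency_ms, rows_examined
FROM perf_review.statement_digests
ORDER BY total_latency_ms DESC
LIMIT 20;
```

DIGEST_TEXT still shows table and column names, so the view reveals schema structure even though literal values are gone.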
Subject
Written By
Posted
November 12, 2025 02:14AM
Re: How to Log queries for doing performance analysis
February 25, 2026 06:41AM