diff --git a/apps/emqx_resource/src/emqx_resource_manager.erl b/apps/emqx_resource/src/emqx_resource_manager.erl
index f42d3c1b5..c9417583e 100644
--- a/apps/emqx_resource/src/emqx_resource_manager.erl
+++ b/apps/emqx_resource/src/emqx_resource_manager.erl
@@ -387,7 +387,7 @@ handle_event(EventType, EventData, State, Data) ->
             event_type => EventType,
             event_data => EventData,
             state => State,
-            data => Data
+            data => redact_data(Data)
         }
     ),
     keep_state_and_data.
@@ -397,15 +397,15 @@ log_state_consistency(State, #data{status = State} = Data) ->
 log_state_consistency(State, Data) ->
     ?tp(warning, "inconsistent_state", #{
         state => State,
-        data => Data
+        data => redact_data(Data)
     }).
 
 log_cache_consistency(Data, Data) ->
     ok;
 log_cache_consistency(DataCached, Data) ->
     ?tp(warning, "inconsistent_cache", #{
-        cache => DataCached,
-        data => Data
+        cache => redact_data(DataCached),
+        data => redact_data(Data)
     }).
 
 %%------------------------------------------------------------------------------
@@ -661,3 +661,9 @@ safe_call(ResId, Message, Timeout) ->
         exit:{timeout, _} ->
             {error, timeout}
     end.
+
+%% the config and state of a bridge often contains some sensitive data
+%% we shouldn't expose them to logs
+redact_data(Data) ->
+    Msg = <<"this data is redacted due to security reasons">>,
+    Data#data{config = Msg, state = Msg}.