diff --git a/packages/aws-cdk/lib/commands/doctor.ts b/packages/aws-cdk/lib/commands/doctor.ts
index 8b19bb3be0cbc..94fa2d638ebef 100644
--- a/packages/aws-cdk/lib/commands/doctor.ts
+++ b/packages/aws-cdk/lib/commands/doctor.ts
@@ -45,7 +45,7 @@ function displayAwsEnvironmentVariables() {
   }
   print('ℹ️ AWS environment variables:');
   for (const key of keys) {
-    print(`  - ${colors.blue(key)} = ${colors.green(process.env[key]!)}`);
+    print(`  - ${colors.blue(key)} = ${colors.green(anonymizeAwsVariable(key, process.env[key]!))}`);
   }
   return true;
 }
@@ -68,3 +68,9 @@ function displayCdkEnvironmentVariables() {
   }
   return healthy;
 }
+
+function anonymizeAwsVariable(name: string, value: string) {
+  if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '<redacted>'; }  // Show ASIA/AKIA key type, but hide identifier
+  if (name === 'AWS_SECRET_ACCESS_KEY' || name === 'AWS_SESSION_TOKEN') { return '<redacted>'; }
+  return value;
+}