diff --git a/docs/sources/enterprise/kms-integration/using-aws-kms-to-encrypt-database-secrets.md b/docs/sources/enterprise/kms-integration/using-aws-kms-to-encrypt-database-secrets.md
index 0b49a16a217..b91655c753c 100644
--- a/docs/sources/enterprise/kms-integration/using-aws-kms-to-encrypt-database-secrets.md
+++ b/docs/sources/enterprise/kms-integration/using-aws-kms-to-encrypt-database-secrets.md
@@ -39,7 +39,6 @@ You can use an encryption key from AWS Key Management Service to encrypt secrets
 
    - `access_key_id`: The AWS Access Key ID that you previously generated.
    - `secret_access_key`: The AWS Secret Access Key you previously generated.
-   - `token`: (Optional) An AWS Session Token, which you must provide if you created temporary credentials.
    - `region`: The AWS region where you created the KMS key. The region is contained in the key’s ARN. For example: `arn:aws:kms:*us-east-2*:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
 
    An example of an AWS KMS provider section in the `grafana.ini` file is as follows:
@@ -53,8 +52,6 @@ You can use an encryption key from AWS Key Management Service to encrypt secrets
    ;access_key_id = AKIAIOSFODNN7EXAMPLE
    # AWS secret access key
    ;secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-   # AWS session token, optional
-   ;token = AQoDYXdzEJr...<REMAINDER OF SECURITY TOKEN>
    # AWS region, for example eu-north-1
    ;region = eu-north-1
    ```
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 9712d1d3632..1b9f48c870a 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -472,7 +472,6 @@ func RedactedValue(key, value string) string {
 		"ACCOUNT_KEY",
 		"ENCRYPTION_KEY",
 		"VAULT_TOKEN",
-		"AWSKMS_.*_TOKEN",
 	} {
 		if match, err := regexp.MatchString(pattern, uppercased); match && err == nil {
 			return RedactedPassword