How to properly set file-mode for /var/log/cloud-init.log

In using the vendor-STIGs for RHEL7, the rsyslog_files_permissions Rule ID wants all files that rsyslog knows about to be set mode 0600 or more secure. I manually remediated the system - setting $umask 0277 in the /etc/rsyslog.conf, stripping rwx from group and other on all files under /var/log and rebooting. When the system reboots, all files remain at mode 0600 except for /var/log/cloud-init.log.

When I run the oscap report, it looks like, because rsyslog knows about this file (via /etc/rsyslog.d/21-cloudinit.conf), it's marking the rule-compliance as failed.

In digging around, it looks like the starting mode for /var/log/cloud-init.log is (re)set by python (rather than rsyslog). It looks like this behavior would notionally be configurable via the /etc/cloud/cloud.cfg.d/05_logging.cfg file. Unfortunately, in looking at info about that file (and generic python-logging config), I'm not seeing a promising method for forcing the mode for /var/log/cloud-init.log to be mode 0600 (admittedly, I'm rather muzzy-headed from cold medications, right now).

Am I missing something obvious, or am I in a "can't get there from here" situation? I really don't want to have to resort to an rc.local type of chmod kludge to move past this. :(

Anyway, opened a BugZilla to see if this is a known issue and/or if there's a documented way around this scenario, but figured I'd post here in case someone could get me there more quickly.
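The post above points at the mechanism: a Python logging FileHandler creates its file with mode 0666 masked by the umask of the process that opens it, so the $umask set in /etc/rsyslog.conf has no effect on a log that cloud-init's own Python process opens. The following is an added example, not cloud-init's code, showing the stock handler landing at 0644 under the usual 022 umask next to a handler subclass (hypothetical name SecureFileHandler) that opens the file 0600 and fchmods it, so it also tightens a file that already exists at 0644. Whether such a class can be wired into 05_logging.cfg through the handler's class= stanza, and whether that module would be importable by cloud-init's interpreter on RHEL7, is an assumption this example does not verify.

```python
"""
Added example (not cloud-init's or rsyslog's code): why a logging.FileHandler
inherits the opening process's umask, and a subclass that pins the log file
to mode 0600 regardless of umask, repairing an existing file's mode as well.
"""
import logging
import os
import stat
import tempfile


class SecureFileHandler(logging.FileHandler):
    """FileHandler that creates its file 0600 and chmods an existing one.

    Hypothetical class name. Overriding _open() is the hook FileHandler
    uses to open its stream, so everything else (formatting, flushing,
    logging.config wiring) is inherited unchanged.
    """

    def _open(self):
        flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND
        # The 0o600 here is still masked by umask at creation time...
        fd = os.open(self.baseFilename, flags, 0o600)
        try:
            # ...so fchmod makes 0600 unconditional, and it also tightens
            # a file that was created earlier at a looser mode.
            os.fchmod(fd, 0o600)
        except OSError:
            os.close(fd)
            raise
        return os.fdopen(fd, "a", encoding=self.encoding)


def file_mode(path):
    """Permission bits of path as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_with(handler_cls, path, umask):
    """Emit one constructed log line via handler_cls under umask; return file mode."""
    old = os.umask(umask)
    try:
        logger = logging.getLogger(f"demo.{handler_cls.__name__}.{umask:o}")
        logger.propagate = False
        handler = handler_cls(path)          # file is opened/created here
        logger.addHandler(handler)
        logger.warning("constructed sample log line")
        handler.close()
        logger.removeHandler(handler)
    finally:
        os.umask(old)
    return file_mode(path)


def demo():
    """Return (stock mode, secure mode, secure mode after a 0644 reset)."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain.log")
        secure = os.path.join(d, "secure.log")
        # Stock FileHandler: 0o666 & ~0o022 -> 0o644, which is what a
        # permissions rule requiring 0600-or-tighter flags.
        m_plain = write_with(logging.FileHandler, plain, 0o022)
        # Subclass: 0600 under the same umask...
        m_secure = write_with(SecureFileHandler, secure, 0o022)
        # ...and it pulls a pre-existing 0644 file back to 0600 on reopen.
        os.chmod(secure, 0o644)
        m_fixed = write_with(SecureFileHandler, secure, 0o022)
        return m_plain, m_secure, m_fixed


if __name__ == "__main__":
    for label, mode in zip(("FileHandler", "SecureFileHandler", "after 0644 reset"), demo()):
        print(f"{label:20s} {mode:04o}")
```

The fchmod after open is the part that matters for the reboot case described above: a handler that only passes 0o600 to os.open would still leave an already-existing 0644 file untouched, so the rule would keep failing until the file was removed or chmod'ed by hand.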
