Control: DMS replication tasks for the source database should have logging enabled
Description
This control checks whether logging is enabled for DMS replication tasks with a minimum severity level of LOGGER_SEVERITY_DEFAULT for the SOURCE_CAPTURE and SOURCE_UNLOAD log components. The control fails if task logging is disabled, if either component is missing from the task's log components, or if its severity level is less than LOGGER_SEVERITY_DEFAULT.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.dms_replication_task_source_database_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.dms_replication_task_source_database_logging_enabled --share
SQL
This control uses a named query:
with replication_task_logging as (
  select
    arn,
    bool_or(o ->> 'Id' = 'SOURCE_CAPTURE' and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) as capture_logging_enabled,
    bool_or(o ->> 'Id' = 'SOURCE_UNLOAD' and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) as unload_logging_enabled
  from
    aws_dms_replication_task,
    jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o
  group by
    arn
)
select
  t.arn as resource,
  (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool as logging_enabled,
  case
    when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool and l.capture_logging_enabled and l.unload_logging_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool and l.capture_logging_enabled and l.unload_logging_enabled then title || ' source database logging enabled.'
    else title || ' source database logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_dms_replication_task as t
  left join replication_task_logging as l on l.arn = t.arn;
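As an added example that is not part of this control or the mod, the same check applied in Python to the ReplicationTaskSettings JSON string that `aws dms describe-replication-tasks` returns, generalised to the full DMS severity ordering instead of the query's explicit allow-list, plus a helper that produces remediated settings. The task identifiers and settings below are constructed samples.

```python
import json

# DMS logger severities from least to most verbose, as named in task settings.
SEVERITY_ORDER = [
    "LOGGER_SEVERITY_ERROR", "LOGGER_SEVERITY_WARNING", "LOGGER_SEVERITY_INFO",
    "LOGGER_SEVERITY_DEFAULT", "LOGGER_SEVERITY_DEBUG", "LOGGER_SEVERITY_DETAILED_DEBUG",
]
MIN_SEVERITY = "LOGGER_SEVERITY_DEFAULT"
REQUIRED_COMPONENTS = ("SOURCE_CAPTURE", "SOURCE_UNLOAD")


def meets_minimum(severity):
    """True when severity is at least MIN_SEVERITY; unknown or missing values fail."""
    if severity not in SEVERITY_ORDER:
        return False
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(MIN_SEVERITY)


def evaluate_task(task):
    """Return ('ok' | 'alarm', reason) for one describe-replication-tasks entry."""
    logging_cfg = json.loads(task.get("ReplicationTaskSettings") or "{}").get("Logging", {})
    levels = {c.get("Id"): c.get("Severity") for c in logging_cfg.get("LogComponents", [])}
    lacking = [c for c in REQUIRED_COMPONENTS if not meets_minimum(levels.get(c))]
    name = task.get("ReplicationTaskIdentifier", "<unknown task>")
    if logging_cfg.get("EnableLogging") is True and not lacking:
        return "ok", f"{name} source database logging enabled."
    detail = "logging disabled" if not logging_cfg.get("EnableLogging") else "below minimum: " + ", ".join(lacking)
    return "alarm", f"{name} source database {detail}."


def remediated_task(task):
    """Copy of the task with logging on and both source components at least MIN_SEVERITY."""
    settings = json.loads(task.get("ReplicationTaskSettings") or "{}")
    logging_cfg = settings.setdefault("Logging", {})
    logging_cfg["EnableLogging"] = True
    components = logging_cfg.setdefault("LogComponents", [])
    present = {c.get("Id"): c for c in components}
    for comp in REQUIRED_COMPONENTS:
        if comp not in present:
            components.append({"Id": comp, "Severity": MIN_SEVERITY})
        elif not meets_minimum(present[comp].get("Severity")):
            present[comp]["Severity"] = MIN_SEVERITY  # raise, never lower, an existing level
    return {**task, "ReplicationTaskSettings": json.dumps(settings)}


def _settings(enable, **levels):  # builds a constructed settings string for the samples
    comps = [{"Id": k, "Severity": v} for k, v in levels.items()]
    return json.dumps({"Logging": {"EnableLogging": enable, "LogComponents": comps}})


SAMPLE_TASKS = [  # constructed, not real resources
    {"ReplicationTaskIdentifier": "orders-cdc", "ReplicationTaskSettings": _settings(
        True, SOURCE_CAPTURE="LOGGER_SEVERITY_DEFAULT", SOURCE_UNLOAD="LOGGER_SEVERITY_DEBUG")},
    {"ReplicationTaskIdentifier": "orders-full", "ReplicationTaskSettings": _settings(
        True, SOURCE_CAPTURE="LOGGER_SEVERITY_DEFAULT", SOURCE_UNLOAD="LOGGER_SEVERITY_INFO")},
    {"ReplicationTaskIdentifier": "legacy", "ReplicationTaskSettings": _settings(False)},
]
```

Running `evaluate_task` over `SAMPLE_TASKS` flags the second task (SOURCE_UNLOAD only at INFO) and the third (logging disabled), which the query's allow-list would also catch; `remediated_task` brings both to a passing state.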