turbot/steampipe-mod-aws-compliance

Control: 7 DMS replication tasks for the target database should have logging enabled

Description

This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks TARGET_APPLY and TARGET_LOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT.

DMS uses Amazon CloudWatch to log information during the migration process. Using logging task settings, you can specify which component activities are logged and how much information is logged. You should specify logging for the following tasks:

  • TARGET_APPLY – Data and data definition language (DDL) statements are applied to the target database.

  • TARGET_LOAD – Data is loaded into the target database.

Logging plays a critical role in DMS replication tasks by enabling monitoring, troubleshooting, auditing, performance analysis, error detection, and recovery, as well as historical analysis and reporting. It helps ensure the successful replication of data between databases while maintaining data integrity and compliance with regulatory requirements. Logging levels other than DEFAULT are rarely needed for these components during troubleshooting. We recommend keeping the logging level at DEFAULT for these components unless AWS Support specifically asks you to change it. A minimum logging level of DEFAULT ensures that informational messages, warnings, and error messages are written to the logs. This control checks that the logging level for each of the preceding components is one of the following: LOGGER_SEVERITY_DEFAULT, LOGGER_SEVERITY_DEBUG, or LOGGER_SEVERITY_DETAILED_DEBUG. Any lower level (for example LOGGER_SEVERITY_ERROR, LOGGER_SEVERITY_WARNING, or LOGGER_SEVERITY_INFO) fails the control, as does a task whose EnableLogging setting is false even if the component severities are otherwise acceptable.

Remediation

To enable logging for target database DMS replication tasks, see Viewing and managing AWS DMS task logs in the AWS Database Migration Service User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_dms_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_dms_7 --share

SQL

This control uses a named query:

-- Tasks whose TARGET_APPLY log component is at DEFAULT or a more verbose level.
with replication_task_target_apply as (
  select
    arn
  from
    aws_dms_replication_task,
    jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o
  where
    o ->> 'Id' = 'TARGET_APPLY'
    and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')
-- Same check for the TARGET_LOAD log component.
), replication_task_target_load as (
  select
    arn
  from
    aws_dms_replication_task,
    jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o
  where
    o ->> 'Id' = 'TARGET_LOAD'
    and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')
)
select
  -- resource, status and reason are the columns every Steampipe control returns.
  t.arn as resource,
  (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool as logging_enabled,
  -- A task passes only when logging is switched on AND both components met the
  -- severity test above (a missing join row means the component failed).
  case
    when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool
      and a.arn is not null
      and l.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool
      and a.arn is not null
      and l.arn is not null then title || ' target database logging enabled.'
    else title || ' target database logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_dms_replication_task as t
  left join replication_task_target_apply as a on a.arn = t.arn
  left join replication_task_target_load as l on l.arn = t.arn;
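The following is an added example, not part of the steampipe-mod-aws-compliance query or of AWS documentation. It reimplements the decision the query makes (EnableLogging must be true, and both TARGET_APPLY and TARGET_LOAD must be at LOGGER_SEVERITY_DEFAULT or higher) over task-settings documents of the same shape as the ReplicationTaskSettings JSON returned by `aws dms describe-replication-tasks`, and it shows the remediation step the Remediation section points to: editing the Logging block so the task passes. The task settings dictionaries, the task names, and the helper functions (`evaluate`, `remediate`, `to_cli_document`) are constructed for this example and are not real tasks or project APIs.

```python
"""Evaluate and remediate DMS task logging settings the way control DMS.7 does.

Added example; the settings documents below are constructed to mirror the
shape of a DMS ReplicationTaskSettings JSON document and are not real tasks.
"""
import copy
import json

# Severities that satisfy the control (LOGGER_SEVERITY_DEFAULT or more verbose).
COMPLIANT_SEVERITIES = {
    "LOGGER_SEVERITY_DEFAULT",
    "LOGGER_SEVERITY_DEBUG",
    "LOGGER_SEVERITY_DETAILED_DEBUG",
}
# The two log components the control inspects.
REQUIRED_COMPONENTS = ("TARGET_APPLY", "TARGET_LOAD")

# Constructed sample task settings covering the pass case and the failure modes.
SAMPLE_TASKS = {
    "compliant": {"Logging": {"EnableLogging": True, "LogComponents": [
        {"Id": "TARGET_APPLY", "Severity": "LOGGER_SEVERITY_DEFAULT"},
        {"Id": "TARGET_LOAD", "Severity": "LOGGER_SEVERITY_DEBUG"},
        {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_INFO"}]}},
    "logging_disabled": {"Logging": {"EnableLogging": False, "LogComponents": [
        {"Id": "TARGET_APPLY", "Severity": "LOGGER_SEVERITY_DEFAULT"},
        {"Id": "TARGET_LOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}]}},
    "error_only": {"Logging": {"EnableLogging": True, "LogComponents": [
        {"Id": "TARGET_APPLY", "Severity": "LOGGER_SEVERITY_ERROR"},
        {"Id": "TARGET_LOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}]}},
    # Logging on, but no LogComponents array at all: both components are missing.
    "no_components": {"Logging": {"EnableLogging": True}},
}


def evaluate(settings: dict) -> tuple[str, str]:
    """Return ('ok' | 'alarm', reason) using the same gates as the control query."""
    logging_cfg = settings.get("Logging") or {}
    # The query casts the JSON text to bool; accept both a JSON bool and "true".
    enabled = str(logging_cfg.get("EnableLogging", False)).lower() == "true"
    severity_by_id = {
        c.get("Id"): c.get("Severity") for c in logging_cfg.get("LogComponents") or []
    }
    # A component that is absent or below DEFAULT fails, exactly like the left joins.
    failing = [
        comp for comp in REQUIRED_COMPONENTS
        if severity_by_id.get(comp) not in COMPLIANT_SEVERITIES
    ]
    if enabled and not failing:
        return "ok", "target database logging enabled."
    if not enabled:
        return "alarm", "EnableLogging is false."
    return "alarm", "severity below DEFAULT for: " + ", ".join(failing)


def remediate(settings: dict) -> dict:
    """Return a copy of the settings that passes the control.

    Only EnableLogging and the two checked components are touched; every other
    component keeps the severity the team configured.
    """
    fixed = copy.deepcopy(settings)
    logging_cfg = fixed.setdefault("Logging", {})
    logging_cfg["EnableLogging"] = True
    components = logging_cfg.setdefault("LogComponents", [])
    present = {c.get("Id") for c in components}
    for comp in components:
        if comp.get("Id") in REQUIRED_COMPONENTS and comp.get("Severity") not in COMPLIANT_SEVERITIES:
            comp["Severity"] = "LOGGER_SEVERITY_DEFAULT"
    for comp_id in REQUIRED_COMPONENTS:
        if comp_id not in present:
            components.append({"Id": comp_id, "Severity": "LOGGER_SEVERITY_DEFAULT"})
    return fixed


def to_cli_document(settings: dict) -> str:
    """Serialize settings for `aws dms modify-replication-task --replication-task-settings file://...`."""
    return json.dumps(settings, indent=2)


if __name__ == "__main__":
    for name, task in SAMPLE_TASKS.items():
        status, reason = evaluate(task)
        print(f"{name:18s} {status:6s} {reason}")
        if status == "alarm":
            print("  after remediation:", evaluate(remediate(task))[0])
```

Feed `remediate` the full settings document you fetched with `describe-replication-tasks`, not a hand-written fragment, so the rest of the task configuration is carried through unchanged, and write `to_cli_document(...)` to a file for `aws dms modify-replication-task`. DMS only lets you modify a task while it is stopped, so plan the change for a maintenance window rather than mid-migration.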

Tags