AWS DataSync tasks are evaluated for a configured CloudWatch Logs destination (CloudWatchLogGroupArn).
Tasks that specify a log group are recognized as logging-enabled; those without one are identified as not publishing execution events.
Risk
Absent DataSync task logs create blind spots, preventing timely detection of failed or partial transfers, unexpected deletions, or anomalies. This undermines data integrity verification, obscures potential exfiltration indicators, and slows forensics and recovery, reducing availability during incidents.
prowler aws --checks datasync_task_logging_enabled
Recommendation
Configure each task to publish logs to a dedicated CloudWatch Logs group. Select an appropriate log level (e.g., BASIC or TRANSFER), enforce least privilege for log access, set retention and immutability, and integrate alerts. Centralize and monitor logs to support defense in depth and incident response.
Remediation
aws datasync update-task --task-arn <task-arn> --cloud-watch-log-group-arn <log-group-arn>
- In the AWS Console, go to DataSync > Tasks
- Select the task and click Edit
- In the Logging section, set CloudWatch Log group to an existing log group
- Click Save
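The following is an added example, not Prowler's own implementation: it applies the check's logic (a task passes when CloudWatchLogGroupArn is set) to DescribeTask-shaped records and emits the remediation command above for each failing task. The task records are constructed inline; in practice they would come from `aws datasync describe-task` or boto3's `describe_task`. As an extra hint beyond the check itself, it also flags tasks whose `Options.LogLevel` is `OFF`, since such a task has a log group but still publishes no execution events.

```python
"""Added example (not Prowler's code): evaluate DataSync tasks for a CloudWatch
Logs destination and build the remediation command for tasks that fail."""
import re
from typing import Dict, List, Optional

# Well-formed CloudWatch Logs group ARN; API responses usually end in ":*".
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:aws[\w-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(?::\*)?$"
)

# Constructed sample records shaped like DescribeTask output (not real tasks).
SAMPLE_TASKS: List[Dict] = [
    {"TaskArn": "arn:aws:datasync:us-east-1:123456789012:task/task-0123456789abcdef0",
     "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/datasync:*",
     "Options": {"LogLevel": "TRANSFER"}},
    {"TaskArn": "arn:aws:datasync:us-east-1:123456789012:task/task-0fedcba9876543210",
     "Options": {"LogLevel": "BASIC"}},                        # no log group: FAIL
    {"TaskArn": "arn:aws:datasync:eu-west-1:123456789012:task/task-00000000000000001",
     "CloudWatchLogGroupArn": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/datasync:*",
     "Options": {"LogLevel": "OFF"}},                          # group set, level OFF
]


def evaluate_task(task: Dict) -> Dict[str, Optional[str]]:
    """Return one finding: FAIL when no usable log group ARN is configured,
    PASS otherwise (matching the check), with a note when LogLevel is OFF."""
    task_arn = task["TaskArn"]
    log_arn = task.get("CloudWatchLogGroupArn") or ""
    level = task.get("Options", {}).get("LogLevel", "unspecified")
    fix = f"aws datasync update-task --task-arn {task_arn} "
    if not LOG_GROUP_ARN_RE.match(log_arn):
        reason = ("no CloudWatch log group configured" if not log_arn
                  else f"malformed log group ARN: {log_arn}")
        return {"task": task_arn, "status": "FAIL", "reason": reason,
                "remediation": fix + "--cloud-watch-log-group-arn <log-group-arn>"}
    if level == "OFF":  # beyond the check: a group alone publishes nothing at OFF
        return {"task": task_arn, "status": "PASS",
                "reason": "log group set but LogLevel is OFF; no events are published",
                "remediation": fix + "--options LogLevel=TRANSFER"}
    return {"task": task_arn, "status": "PASS",
            "reason": f"publishes to {log_arn} at level {level}", "remediation": None}


def summarize(tasks: List[Dict]) -> Dict[str, int]:
    """Count PASS/FAIL findings across a set of task records."""
    counts = {"PASS": 0, "FAIL": 0}
    for finding in map(evaluate_task, tasks):
        counts[finding["status"]] += 1
    return counts


if __name__ == "__main__":
    for f in map(evaluate_task, SAMPLE_TASKS):
        print(f"{f['status']:4} {f['task']}: {f['reason']}")
        if f["remediation"]:
            print("     fix:", f["remediation"])
```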
Resource Type
Other