AWS DMS replication tasks have target logging enabled, including TARGET_APPLY and TARGET_LOAD, each set to at least LOGGER_SEVERITY_DEFAULT.
Risk
Insufficient target logging limits visibility into load/apply activity, masking failures and anomalies. This risks data integrity (silent drift, partial loads) and availability (longer incident resolution), and reduces auditability of migration events.
prowler aws --checks dms_replication_task_target_logging_enabled
Recommendation
Enable and maintain CloudWatch logging at LOGGER_SEVERITY_DEFAULT or higher for target components:
- Configure TARGET_APPLY and TARGET_LOAD
- Enforce least-privilege log access
- Monitor logs/alerts for anomalies
- Standardize task settings and validate data for defense in depth
Remediation
aws dms modify-replication-task --replication-task-arn <task-arn> --replication-task-settings '{"Logging":{"EnableLogging":true,"LogComponents":[{"Id":"TARGET_APPLY","Severity":"LOGGER_SEVERITY_DEFAULT"},{"Id":"TARGET_LOAD","Severity":"LOGGER_SEVERITY_DEFAULT"}]}}'
# CloudFormation: enable DMS task logging for target components
Resources:
  <example_resource_name>:
    Type: AWS::DMS::ReplicationTask
    Properties:
      ReplicationInstanceArn: <example_resource_arn>
      SourceEndpointArn: <example_resource_arn>
      TargetEndpointArn: <example_resource_arn>
      MigrationType: full-load
      TableMappings: |
        {"rules":[{"rule-type":"selection","rule-id":"1","rule-name":"1","object-locator":{"schema-name":"%","table-name":"%"},"rule-action":"include"}]}
      # Critical: enable logging and keep TARGET_APPLY and TARGET_LOAD at LOGGER_SEVERITY_DEFAULT (or higher).
      # Comments must stay outside the block scalar below: everything inside it is passed to DMS verbatim as JSON.
      ReplicationTaskSettings: |
        {"Logging":{"EnableLogging":true,"LogComponents":[
          {"Id":"TARGET_APPLY","Severity":"LOGGER_SEVERITY_DEFAULT"},
          {"Id":"TARGET_LOAD","Severity":"LOGGER_SEVERITY_DEFAULT"}
        ]}}
# Enable DMS task logging for target components
resource "aws_dms_replication_task" "<example_resource_name>" {
  replication_task_id      = "<example_resource_id>"
  replication_instance_arn = "<example_resource_arn>"
  source_endpoint_arn      = "<example_resource_arn>"
  target_endpoint_arn      = "<example_resource_arn>"
  migration_type           = "full-load"
  table_mappings = jsonencode({ rules = [{
    "rule-type" : "selection", "rule-id" : "1", "rule-name" : "1",
    "object-locator" : { "schema-name" : "%", "table-name" : "%" },
    "rule-action" : "include"
  }] })
  # Critical: enables logging and sets TARGET_APPLY and TARGET_LOAD to the minimum required severity
  replication_task_settings = jsonencode({
    Logging = {
      EnableLogging = true
      LogComponents = [
        { Id = "TARGET_APPLY", Severity = "LOGGER_SEVERITY_DEFAULT" },
        { Id = "TARGET_LOAD", Severity = "LOGGER_SEVERITY_DEFAULT" }
      ]
    }
  })
}
- Open the AWS DMS console and go to Database migration tasks
- Select the replication task and choose Modify
- Expand Task settings (JSON) or Logging
- Enable CloudWatch logs (EnableLogging = true)
- Set log components:
  - TARGET_APPLY severity: DEFAULT
  - TARGET_LOAD severity: DEFAULT
- Save changes (Modify task), then rerun the task if required
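The check above boils down to inspecting each task's ReplicationTaskSettings JSON: logging must be on, and TARGET_APPLY and TARGET_LOAD must each carry a severity at LOGGER_SEVERITY_DEFAULT or more verbose. The following is an added example written for this page, not Prowler's own check code; it audits that JSON offline and, optionally, walks every task in a region via boto3 (the region name and the `scan_account` helper are assumptions, and the sample settings are constructed).

```python
import json

# DMS severity levels from least to most verbose. "At least LOGGER_SEVERITY_DEFAULT"
# therefore passes for DEFAULT, DEBUG and DETAILED_DEBUG and fails for anything below.
SEVERITY_ORDER = [
    "LOGGER_SEVERITY_ERROR",
    "LOGGER_SEVERITY_WARNING",
    "LOGGER_SEVERITY_INFO",
    "LOGGER_SEVERITY_DEFAULT",
    "LOGGER_SEVERITY_DEBUG",
    "LOGGER_SEVERITY_DETAILED_DEBUG",
]
REQUIRED_COMPONENTS = ("TARGET_APPLY", "TARGET_LOAD")
MINIMUM = "LOGGER_SEVERITY_DEFAULT"


def target_logging_findings(task_settings_json: str) -> list:
    """Return the problems found with one task's target logging (empty list == compliant).

    task_settings_json is the ReplicationTaskSettings string returned by
    describe-replication-tasks for a single task.
    """
    logging_cfg = json.loads(task_settings_json).get("Logging") or {}
    if not logging_cfg.get("EnableLogging", False):
        return ["CloudWatch logging is disabled (Logging.EnableLogging is not true)"]
    configured = {c.get("Id"): c.get("Severity") for c in logging_cfg.get("LogComponents", [])}
    findings = []
    for component in REQUIRED_COMPONENTS:
        severity = configured.get(component)
        if severity is None:
            findings.append(f"{component} has no LogComponents entry")
        elif severity not in SEVERITY_ORDER:
            findings.append(f"{component} has unknown severity {severity!r}")
        elif SEVERITY_ORDER.index(severity) < SEVERITY_ORDER.index(MINIMUM):
            findings.append(f"{component} severity {severity} is below {MINIMUM}")
    return findings


def scan_account(region: str) -> dict:
    """Hypothetical helper: audit every DMS task in a region. Needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the pure check above runs without it

    dms = boto3.client("dms", region_name=region)
    results = {}
    for page in dms.get_paginator("describe_replication_tasks").paginate():
        for task in page["ReplicationTasks"]:
            results[task["ReplicationTaskArn"]] = target_logging_findings(task["ReplicationTaskSettings"])
    return results
```

Running `target_logging_findings` against a constructed settings string such as `{"Logging":{"EnableLogging":true,"LogComponents":[{"Id":"TARGET_LOAD","Severity":"LOGGER_SEVERITY_WARNING"}]}}` reports both the missing TARGET_APPLY entry and the too-low TARGET_LOAD severity, which is exactly the failure mode the remediation snippets above correct.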
Resource Type
AwsDmsReplicationTask