AWS DMS replication tasks have target logging enabled, including TARGET_APPLY and TARGET_LOAD, each set to at least LOGGER_SEVERITY_DEFAULT.
Risk
Insufficient target logging limits visibility into load/apply activity, masking failures and anomalies. This risks data integrity (silent drift, partial loads) and availability (longer incident resolution), and reduces auditability of migration events.
prowler aws --checks dms_replication_task_target_logging_enabled
Recommendation
Enable and maintain CloudWatch logging at LOGGER_SEVERITY_DEFAULT or higher for target components:
- Configure TARGET_APPLY and TARGET_LOAD
- Enforce least-privilege log access
- Monitor logs/alerts for anomalies
- Standardize task settings and validate data for defense in depth
Remediation
aws dms modify-replication-task --replication-task-arn <task-arn> --replication-task-settings '{"Logging":{"EnableLogging":true,"LogComponents":[{"Id":"TARGET_APPLY","Severity":"LOGGER_SEVERITY_DEFAULT"},{"Id":"TARGET_LOAD","Severity":"LOGGER_SEVERITY_DEFAULT"}]}}'
- Open the AWS DMS console and go to Database migration tasks
- Select the replication task and choose Modify
- Expand Task settings (JSON) or Logging
- Enable CloudWatch logs (EnableLogging = true)
- Set log components:
  - TARGET_APPLY severity: DEFAULT
  - TARGET_LOAD severity: DEFAULT
- Save changes (Modify task), then rerun the task if required
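The following is an added example, not Prowler's own check implementation or AWS code. It evaluates a task's ReplicationTaskSettings JSON document against the rule described above (logging enabled, TARGET_APPLY and TARGET_LOAD present at LOGGER_SEVERITY_DEFAULT or a more verbose severity) and builds the remediated settings document that the modify-replication-task command above would apply, keeping any other log components untouched. The severity ordering encodes the DMS severity names; the sample task documents are constructed for illustration. A live scan would feed in the "ReplicationTaskSettings" string returned by describe-replication-tasks for each task.

```python
"""Offline check and remediation helper for AWS DMS target logging.

Added example (not Prowler's check code). Evaluates one task's
ReplicationTaskSettings JSON: CloudWatch logging must be enabled and both
TARGET_APPLY and TARGET_LOAD must be present at a severity that is at
least LOGGER_SEVERITY_DEFAULT. Sample documents below are constructed.
"""
import json

# DMS log severities ordered from least to most verbose.
SEVERITY_RANK = {
    "LOGGER_SEVERITY_ERROR": 0,
    "LOGGER_SEVERITY_WARNING": 1,
    "LOGGER_SEVERITY_INFO": 2,
    "LOGGER_SEVERITY_DEFAULT": 3,
    "LOGGER_SEVERITY_DEBUG": 4,
    "LOGGER_SEVERITY_DETAILED_DEBUG": 5,
}
REQUIRED_COMPONENTS = ("TARGET_APPLY", "TARGET_LOAD")
MINIMUM = "LOGGER_SEVERITY_DEFAULT"


def component_severities(settings_json):
    """Return {component Id: Severity} from a settings JSON string."""
    settings = json.loads(settings_json) if settings_json else {}
    logging_cfg = settings.get("Logging") or {}
    return {c.get("Id"): c.get("Severity") for c in logging_cfg.get("LogComponents", [])}


def evaluate_target_logging(settings_json):
    """Return (compliant, findings) for one task's settings document."""
    findings = []
    try:
        settings = json.loads(settings_json) if settings_json else {}
    except json.JSONDecodeError as exc:
        return False, [f"settings are not valid JSON: {exc}"]
    logging_cfg = settings.get("Logging") or {}
    if not logging_cfg.get("EnableLogging", False):
        findings.append("EnableLogging is not true")
    components = component_severities(settings_json)
    for comp in REQUIRED_COMPONENTS:
        sev = components.get(comp)
        if sev is None:
            findings.append(f"{comp} has no log component entry")
        elif SEVERITY_RANK.get(sev, -1) < SEVERITY_RANK[MINIMUM]:
            findings.append(f"{comp} severity {sev} is below {MINIMUM}")
    return not findings, findings


def remediated_settings(settings_json):
    """Return a settings JSON string with target logging raised to DEFAULT.

    Only TARGET_APPLY/TARGET_LOAD are added or raised; other components
    (for example SOURCE_CAPTURE at DEBUG) keep their current severity.
    """
    settings = json.loads(settings_json) if settings_json else {}
    logging_cfg = settings.setdefault("Logging", {})
    logging_cfg["EnableLogging"] = True
    components = logging_cfg.setdefault("LogComponents", [])
    by_id = {c.get("Id"): c for c in components}
    for comp in REQUIRED_COMPONENTS:
        entry = by_id.get(comp)
        if entry is None:
            components.append({"Id": comp, "Severity": MINIMUM})
        elif SEVERITY_RANK.get(entry.get("Severity"), -1) < SEVERITY_RANK[MINIMUM]:
            entry["Severity"] = MINIMUM
    return json.dumps(settings, separators=(",", ":"))


# Constructed sample task settings documents (not from any real account).
SAMPLE_TASKS = {
    "task-no-logging": json.dumps({"Logging": {"EnableLogging": False}}),
    "task-partial": json.dumps({"Logging": {"EnableLogging": True, "LogComponents": [
        {"Id": "TARGET_APPLY", "Severity": "LOGGER_SEVERITY_ERROR"},
        {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_DEBUG"}]}}),
    "task-ok": json.dumps({"Logging": {"EnableLogging": True, "LogComponents": [
        {"Id": "TARGET_APPLY", "Severity": "LOGGER_SEVERITY_DEFAULT"},
        {"Id": "TARGET_LOAD", "Severity": "LOGGER_SEVERITY_DEBUG"}]}}),
}


def scan(tasks):
    """Map task name -> (compliant, findings) over a dict of settings strings."""
    return {name: evaluate_target_logging(doc) for name, doc in tasks.items()}


if __name__ == "__main__":
    for name, (ok, findings) in scan(SAMPLE_TASKS).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} {findings}")
        if not ok:
            print("  remediated settings:", remediated_settings(SAMPLE_TASKS[name]))
```

The output of remediated_settings is the string to pass as --replication-task-settings; merging into the existing document rather than replacing it avoids silently dropping source-side logging that an operator had already raised for troubleshooting.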
Resource Type
AwsDmsReplicationTask
References
- https://repost.aws/knowledge-center/dms-debug-logging
- https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.Logging.html
- https://stackoverflow.com/questions/46913913/aws-dms-with-cloudformation-enabling-logging-needs-a-log-group
- https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-7