Profile Applicability

  • Level 2

Description

AWS Database Migration Service (DMS) replication tasks can log activity and diagnostic information for the source database, enabling effective monitoring and troubleshooting. Enabling logging helps identify issues, track performance, and comply with operational best practices by providing detailed logs of task execution.

Rationale

  • Enhanced Monitoring: Provides insights into task progress, errors, and performance.

  • Improved Troubleshooting: Simplifies error identification and debugging.

  • Compliance: Supports operational monitoring requirements and auditing practices.

Impact

Pros:

  • Ensures visibility into the replication task for the source database.

  • Facilitates proactive troubleshooting and performance tracking.

  • Supports adherence to compliance and governance standards.

Cons:

  • May incur additional costs for storing logs in Amazon CloudWatch.

  • Requires appropriate configurations to manage and retain logs effectively.

Default Value

By default, logging is not enabled for DMS replication tasks. It must be explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • dms:DescribeReplicationTasks

  • dms:ModifyReplicationTask

  • logs:PutLogEvents

Tools Required:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Replication Tasks.

  3. Select the replication task associated with the source database.

  4. Under Task Settings, verify that CloudWatch Logs are enabled for the task.

Using AWS CLI:

  1. Describe the replication task:

    aws dms describe-replication-tasks --filters Name=replication-task-id,Values=<task-id>

  2. Check the Logging section of the ReplicationTaskSettings JSON in the output. Ensure EnableLogging is true and LogComponents includes the relevant log components for the source database (e.g., SOURCE_UNLOAD, SOURCE_CAPTURE).

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Replication Tasks.

  2. Select the replication task to update.

  3. Click Modify and enable CloudWatch Logs under the Task Settings section.

  4. Save the changes.

Using AWS CLI:

  1. Enable logging for the replication task. The task must be stopped before it can be modified; logging is set through the Logging block of the task settings document:

    aws dms modify-replication-task \
    --replication-task-arn <task-arn> \
    --replication-task-settings '{"Logging":{"EnableLogging":true,"LogComponents":[{"Id":"SOURCE_UNLOAD","Severity":"LOGGER_SEVERITY_DEFAULT"},{"Id":"SOURCE_CAPTURE","Severity":"LOGGER_SEVERITY_DEFAULT"}]}}'

  2. Verify the updated configuration:

    aws dms describe-replication-tasks --filters Name=replication-task-id,Values=<task-id>
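
Added example, not part of the benchmark text or of AWS's tooling: a small Python audit that applies the check above to the JSON that aws dms describe-replication-tasks returns and builds the Logging settings document that modify-replication-task --replication-task-settings accepts. The sample response and task identifiers are constructed; the settings keys (Logging, EnableLogging, LogComponents, Id, Severity) are the DMS task-settings names.

```python
import json

# Log components the benchmark requires on the source side of a task.
REQUIRED_SOURCE_COMPONENTS = ("SOURCE_UNLOAD", "SOURCE_CAPTURE")

# Constructed sample shaped like `aws dms describe-replication-tasks` output:
# ReplicationTaskSettings is a JSON document embedded as a string.
SAMPLE_DESCRIBE_OUTPUT = {
    "ReplicationTasks": [
        {
            "ReplicationTaskIdentifier": "orders-full-load",
            "ReplicationTaskSettings": json.dumps({"Logging": {"EnableLogging": False}}),
        },
        {
            "ReplicationTaskIdentifier": "orders-cdc",
            "ReplicationTaskSettings": json.dumps({"Logging": {
                "EnableLogging": True,
                "LogComponents": [{"Id": "SOURCE_UNLOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}],
            }}),
        },
    ]
}


def audit_task(task):
    """Return the findings for one task; an empty list means it passes the check."""
    logging_cfg = json.loads(task.get("ReplicationTaskSettings") or "{}").get("Logging", {})
    findings = []
    if not logging_cfg.get("EnableLogging", False):
        findings.append("EnableLogging is false")
    enabled = {c.get("Id") for c in logging_cfg.get("LogComponents", [])}
    for component in REQUIRED_SOURCE_COMPONENTS:
        if component not in enabled:
            findings.append(f"{component} missing from LogComponents")
    return findings


def remediation_settings(task, severity="LOGGER_SEVERITY_DEFAULT"):
    """Build the JSON for --replication-task-settings; existing components are kept."""
    logging_cfg = json.loads(task.get("ReplicationTaskSettings") or "{}").get("Logging", {})
    logging_cfg["EnableLogging"] = True
    components = logging_cfg.setdefault("LogComponents", [])
    present = {c.get("Id") for c in components}
    for component in REQUIRED_SOURCE_COMPONENTS:
        if component not in present:
            components.append({"Id": component, "Severity": severity})
    return json.dumps({"Logging": logging_cfg})


if __name__ == "__main__":
    for task in SAMPLE_DESCRIBE_OUTPUT["ReplicationTasks"]:
        print(task["ReplicationTaskIdentifier"], audit_task(task) or "PASS")
```

Passing the returned string as the value of --replication-task-settings changes only the Logging block; other task settings keep their current values.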

Backout Plan

Using AWS Console:

  1. If enabling logging causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the replication task, and go to the Task settings section.

  3. Disable logging by clearing the CloudWatch Logs or S3 configuration.

  4. Save the changes and confirm that logging is no longer enabled.

Using AWS CLI:

  1. To disable logging, stop the task and run:

    aws dms modify-replication-task --replication-task-arn <TASK_ARN> --replication-task-settings '{"Logging":{"EnableLogging":false}}'

  2. Verify that logging has been disabled by running:

    aws dms describe-replication-tasks --filters Name=replication-task-arn,Values=<TASK_ARN>

References

CIS Controls

Version   Control ID   Control Description                                                                                        IG1   IG2   IG3
v8        5.3          Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.
v8        13.2         Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.