Profile Applicability

  • Level 2

Description

AWS Database Migration Service (DMS) replication tasks can generate logs that provide valuable insights into task performance, errors, and debugging information. Enabling logging ensures that you can monitor and troubleshoot replication tasks effectively, improving reliability and compliance with operational best practices.

Rationale

  • Enhanced Monitoring: Provides detailed information about task execution and potential issues.

  • Improved Troubleshooting: Simplifies debugging by capturing task logs.

  • Compliance: Aligns with best practices for operational monitoring and auditing.

Impact

Pros:

  • Enables proactive monitoring and issue resolution.

  • Improves visibility into replication task performance.

  • Supports compliance with operational and security standards.

Cons:

  • May incur additional costs for storing logs in Amazon CloudWatch.

  • Requires proper configuration to avoid excessive log generation.

Default Value

By default, logging is not enabled for DMS replication tasks. It must be explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • dms:DescribeReplicationTasks

  • dms:ModifyReplicationTask

  • logs:PutLogEvents

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Replication Tasks.

  3. Select the replication task to check its configuration.

  4. Under the Task Settings section, verify if Enable CloudWatch Logs is selected.

Using AWS CLI:

  1. Describe the replication task:

    aws dms describe-replication-tasks --filters Name=replication-task-id,Values=<task-id>

  2. Check the EnableCloudWatchLogsExports field in the output. Ensure it is set to true.

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Replication Tasks.

  2. Select the replication task to update.

  3. Click Modify and enable CloudWatch Logs under the Task Settings section.

  4. Save the changes.

Using AWS CLI:

  1. Enable logging for the replication task:

    aws dms modify-replication-task \
    --replication-task-arn <task-arn> \
    --replication-task-settings '{"Logging":{"EnableLogging":true}}'

  2. Verify the updated configuration:

    aws dms describe-replication-tasks --filters Name=replication-task-id,Values=<task-id>
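The CLI check and remediation above can be scripted. The following is an added example, not part of this benchmark, that parses the ReplicationTaskSettings JSON string returned by describe-replication-tasks, flags tasks whose Logging.EnableLogging is not true, and builds the settings payload for modify-replication-task. The sample tasks are constructed; audit_account (which needs boto3 and the dms:DescribeReplicationTasks permission listed above) is the only part that talks to AWS.

```python
import json

# Constructed sample mirroring describe-replication-tasks output: ReplicationTaskSettings
# is a JSON-encoded string, not a nested object. Not real account data.
SAMPLE_TASKS = [
    {"ReplicationTaskIdentifier": "orders-cdc",
     "ReplicationTaskSettings": json.dumps({"Logging": {"EnableLogging": True}})},
    {"ReplicationTaskIdentifier": "inventory-full-load",
     "ReplicationTaskSettings": json.dumps({"TargetMetadata": {"BatchApplyEnabled": False},
                                            "Logging": {"EnableLogging": False}})},
    {"ReplicationTaskIdentifier": "legacy-task", "ReplicationTaskSettings": "{not json"},
]


def logging_enabled(task: dict) -> bool:
    """True only if Logging.EnableLogging is exactly true in the task's settings JSON."""
    try:
        settings = json.loads(task.get("ReplicationTaskSettings") or "{}")
    except json.JSONDecodeError:
        return False  # unreadable settings: treat as non-compliant and flag for review
    logging_cfg = settings.get("Logging")
    return isinstance(logging_cfg, dict) and logging_cfg.get("EnableLogging") is True


def find_noncompliant(tasks: list) -> list:
    """Identifiers of tasks that do not have CloudWatch logging enabled."""
    return [t["ReplicationTaskIdentifier"] for t in tasks if not logging_enabled(t)]


def enable_logging_settings(task: dict) -> str:
    """Settings JSON for --replication-task-settings: turns logging on while
    leaving every other existing setting untouched."""
    try:
        settings = json.loads(task.get("ReplicationTaskSettings") or "{}")
    except json.JSONDecodeError:
        settings = {}
    if not isinstance(settings.get("Logging"), dict):
        settings["Logging"] = {}
    settings["Logging"]["EnableLogging"] = True
    return json.dumps(settings)


def audit_account(region_name: str = None) -> list:
    """Live check against DMS in one region; requires boto3 and describe permissions."""
    import boto3  # imported here so the offline functions above work without it
    dms = boto3.client("dms", region_name=region_name)
    tasks = []
    for page in dms.get_paginator("describe_replication_tasks").paginate():
        tasks.extend(page["ReplicationTasks"])
    return find_noncompliant(tasks)


if __name__ == "__main__":
    print("non-compliant:", find_noncompliant(SAMPLE_TASKS))
```

DMS only accepts modify-replication-task while the task is stopped, so schedule the remediation payload accordingly.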

Backout Plan

Using AWS Console:

  1. If enabling logging causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the replication task, and go to the Modify settings.

  3. Remove or disable the logging configuration by clearing the CloudWatch Logs or S3 configuration.

  4. Save the changes and verify that logging is no longer enabled.

Using AWS CLI:

  1. To disable logging for a replication task, run the following command:

    aws dms modify-replication-task \
    --replication-task-arn <TASK_ARN> \
    --replication-task-settings '{"Logging":{"EnableLogging":false}}'

  2. Verify that logging has been disabled by retrieving the task details:

    aws dms describe-replication-tasks --filters Name=replication-task-arn,Values=<TASK_ARN>

References

CIS Controls

Version | Control ID | Control Description                                                                                        | IG1 | IG2 | IG3
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.         |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |