Profile Applicability:

  • Level 1

Description:

AWS DataSync is a service that automates the transfer of large amounts of data between on-premises storage and AWS services like Amazon S3, Amazon EFS, and Amazon FSx. Enabling logging for DataSync tasks allows you to capture detailed information about each data transfer, including errors, transfer success rates, and task details. This SOP ensures that logging is enabled for all AWS DataSync tasks to maintain visibility and support troubleshooting, auditing, and compliance efforts.

Rationale:

  • Security: Enabling logging for DataSync tasks provides visibility into data transfers, which is important for identifying and investigating unauthorized or unexpected access or changes to data.

  • Auditability: Logs provide an audit trail that can be used to verify compliance with data protection regulations and security requirements.

  • Troubleshooting: Logs are essential for identifying and diagnosing issues with data transfers, such as failures or performance bottlenecks.

  • Best Practices: AWS recommends enabling logging for DataSync tasks to ensure proper monitoring, troubleshooting, and compliance with security requirements.

Impact:

Pros:

  • Improved Visibility: Enables visibility into all data transfer operations, helping detect issues early.

  • Auditability: Logs are useful for auditing and meeting compliance standards (e.g., GDPR, HIPAA).

  • Enhanced Troubleshooting: Allows for easier identification and resolution of transfer failures or issues.

Cons:

  • Increased Storage Costs: Logs generate data that needs to be stored, potentially increasing Amazon CloudWatch Logs or S3 storage costs, depending on the retention period.

  • Operational Overhead: Managing and reviewing logs may require additional administrative effort, especially for large-scale data transfer tasks.

Default Value:

By default, AWS DataSync tasks do not have logging enabled. Logging must be explicitly configured during the task creation process to capture detailed logs.

Pre-requisite:

  • AWS IAM Permissions:

    • datasync:CreateTask

    • datasync:DescribeTask

    • cloudwatch:PutLogEvents

    • cloudwatch:CreateLogGroup

    • cloudwatch:CreateLogStream

  • AWS CLI installed and configured.

  • Amazon CloudWatch Logs or S3 bucket configured to store logs.

  • DataSync Task already created or in the process of being created.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS DataSync under Services.

  3. In the DataSync Console, select Tasks from the left panel.

  4. Choose the DataSync Task you want to check.

  5. In the Task Settings section, verify that logging is enabled. If not, proceed with the Implementation Steps to enable logging.

Using AWS CLI:

  1. To check if logging is enabled for a DataSync task, run the following command:

    aws datasync describe-task --task-arn <task-arn> --query 'Options.LogLevel'

  2. If the LogLevel is set to NONE, logging is not enabled. To enable logging, follow the steps below.
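The check above covers one task at a time. The following script, added here as an example and not part of the original SOP, applies the same check to every task in a region: a pure function evaluates one `describe-task` response (LogLevel must be BASIC or TRANSFER, and a CloudWatch log group ARN must be attached), and a small collector feeds it real output from the `aws datasync list-tasks` and `describe-task` commands. The sample responses embedded in the script are constructed; the account ID, task ARNs and log group ARN in them are placeholders.

```python
"""Audit AWS DataSync tasks for logging (added example; not from the SOP itself).

evaluate_task() applies the Test Plan's check to one DescribeTask response;
collect_live() shows how to feed it real output from the AWS CLI. The sample
responses at the bottom are constructed, not captured from an account.
"""
import json
import subprocess

# LogLevel values accepted by the DataSync API are OFF, BASIC and TRANSFER;
# only the last two produce log events.
ACCEPTABLE_LOG_LEVELS = {"BASIC", "TRANSFER"}


def evaluate_task(task: dict) -> dict:
    """Return a finding for one parsed describe-task response.

    A task passes only if its LogLevel is BASIC or TRANSFER *and* a CloudWatch
    log group ARN is attached; either setting alone yields no usable log.
    """
    level = task.get("Options", {}).get("LogLevel", "OFF")
    log_group = task.get("CloudWatchLogGroupArn") or ""
    reasons = []
    if level not in ACCEPTABLE_LOG_LEVELS:
        reasons.append(f"LogLevel is {level}")
    if not log_group:
        reasons.append("no CloudWatchLogGroupArn configured")
    return {
        "task_arn": task.get("TaskArn", "<unknown>"),
        "name": task.get("Name", ""),
        "log_level": level,
        "compliant": not reasons,
        "reasons": reasons,
    }


def audit(tasks: list) -> list:
    """Evaluate every task and return only the non-compliant findings."""
    return [f for f in (evaluate_task(t) for t in tasks) if not f["compliant"]]


def collect_live(region: str) -> list:
    """Fetch describe-task output for every task in a region via the AWS CLI.

    Uses the same commands as the SOP (list-tasks, describe-task). Requires
    configured credentials, so it is only called from __main__ with --live.
    """
    def cli(*args):
        out = subprocess.run(
            ["aws", "datasync", *args, "--region", region, "--output", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
        return json.loads(out)

    arns = [t["TaskArn"] for t in cli("list-tasks").get("Tasks", [])]
    return [cli("describe-task", "--task-arn", arn) for arn in arns]


# Constructed sample responses in the shape of `aws datasync describe-task`;
# account ID and ARNs are placeholders, not real resources.
SAMPLE_TASKS = [
    {"TaskArn": "arn:aws:datasync:us-east-1:111122223333:task/task-0000000000000001",
     "Name": "nightly-s3-sync",
     "Options": {"LogLevel": "TRANSFER"},
     "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/datasync"},
    {"TaskArn": "arn:aws:datasync:us-east-1:111122223333:task/task-0000000000000002",
     "Name": "efs-migration",
     "Options": {"LogLevel": "OFF"}},
    {"TaskArn": "arn:aws:datasync:us-east-1:111122223333:task/task-0000000000000003",
     "Name": "fsx-archive",
     "Options": {"LogLevel": "BASIC"}},  # level set, but no log group attached
]

if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 2 and sys.argv[1] == "--live"
    tasks = collect_live(sys.argv[2]) if live else SAMPLE_TASKS
    for finding in audit(tasks):
        print(f"NON-COMPLIANT {finding['name']} ({finding['task_arn']}): "
              f"{'; '.join(finding['reasons'])}")
```

Run it without arguments to see the check applied to the constructed samples (two of the three tasks are reported), or with `--live <region>` to audit the tasks in an account. Treating a missing log group ARN as a failure even when LogLevel is set is deliberate: DataSync writes nothing without a destination log group, so checking LogLevel alone gives a false sense of coverage.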

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to AWS DataSync.

  2. In the DataSync Console, select Tasks from the left panel and choose the task to edit.

  3. Click on Create Task or Edit Task.

  4. Under Logging settings, ensure that the Log Level is set to one of the following:

    • Basic: Logs basic information about task progress.

    • Detailed: Logs detailed information, including errors and performance data.

  5. Configure a CloudWatch Log Group or an S3 bucket to store the logs.

  6. Save the changes to enable logging for the task.

Using AWS CLI:

  1. To create a DataSync task with logging enabled, run:

    # LogLevel accepts OFF, BASIC or TRANSFER; TRANSFER is the detailed level described above.
    aws datasync create-task --source-location-arn <source-location-arn> --destination-location-arn <destination-location-arn> --name <task-name> --options LogLevel=TRANSFER --cloud-watch-log-group-arn <log-group-arn>

  2. To enable logging for an existing task, use:

    aws datasync update-task --task-arn <task-arn> --cloud-watch-log-group-arn <log-group-arn> --options LogLevel=TRANSFER

  3. Verify that logging is enabled by running:

    aws datasync describe-task --task-arn <task-arn> --query 'Options.LogLevel'

Backout Plan:

Using AWS Console:

  1. If enabling logging causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DataSync and select the task with the problematic logging configuration.

  3. Click Edit and remove the CloudWatch Log Group from the Logging section.

  4. Save the changes to disable logging for the task.

Using AWS CLI:

  1. To disable logging for a task, run the following command:

    aws datasync update-task --task-arn <TASK_ARN> --options LogLevel=OFF --region <REGION>

  2. Verify that logging has been disabled by describing the task:

    aws datasync describe-task --task-arn <TASK_ARN>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                    | IG1 | IG2 | IG3
  --------|------------|------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                   |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.               |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                        |     |     |