DMS Replication Task Source Logging Enabled

Overview

This check verifies that AWS Database Migration Service (DMS) replication tasks have logging enabled with the SOURCE_CAPTURE and SOURCE_UNLOAD components configured to at least LOGGER_SEVERITY_DEFAULT severity level.

These two components are critical for monitoring data migration:

  • SOURCE_CAPTURE: Logs Change Data Capture (CDC) activity from the source database
  • SOURCE_UNLOAD: Logs full-load operations when extracting data from the source

Risk

Without adequate source-level logging, your team loses visibility into what is happening during data migration. This creates several problems:

  • Silent data drift: Errors during CDC or full-load operations may go undetected, causing source and target databases to fall out of sync
  • Difficult troubleshooting: When migrations fail or stall, you have no logs to diagnose the root cause
  • Audit gaps: Compliance frameworks require evidence of data movement; missing logs weaken your audit trail
  • Recovery failures: Without logs, you cannot reconstruct what happened during an incident

Remediation Steps

Prerequisites

You need permission to modify DMS replication tasks. The task must be stopped before you can change its settings.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dms:ModifyReplicationTask",
        "dms:DescribeReplicationTasks",
        "dms:StopReplicationTask",
        "dms:StartReplicationTask"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the AWS DMS Console at https://console.aws.amazon.com/dms/
  2. In the left navigation, click Database migration tasks
  3. Select the replication task you want to modify
  4. If the task is running, click Actions > Stop and wait for it to stop
  5. Click Actions > Modify
  6. Scroll down and click Modify task logging
  7. Toggle Enable CloudWatch logs to On
  8. Find SOURCE_CAPTURE in the component list and set its severity to Default (or higher)
  9. Find SOURCE_UNLOAD in the component list and set its severity to Default (or higher)
  10. Click Save
  11. Click Modify task to apply changes
  12. Restart the task by clicking Actions > Resume/Restart

AWS CLI

First, stop the replication task if it is running:

aws dms stop-replication-task \
  --replication-task-arn arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
  --region us-east-1

Wait for the task to stop (status becomes stopped):

aws dms describe-replication-tasks \
  --filters Name=replication-task-arn,Values=arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
  --query "ReplicationTasks[0].Status" \
  --region us-east-1

Modify the task to enable source logging:

aws dms modify-replication-task \
  --replication-task-arn arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
  --replication-task-settings '{
    "Logging": {
      "EnableLogging": true,
      "LogComponents": [
        {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_DEFAULT"},
        {"Id": "SOURCE_UNLOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}
      ]
    }
  }' \
  --region us-east-1

Restart the task:

aws dms start-replication-task \
  --replication-task-arn arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
  --start-replication-task-type resume-processing \
  --region us-east-1

Replace arn:aws:dms:us-east-1:123456789012:task:EXAMPLE with your actual task ARN.

CloudFormation

AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Replication Task with Source Logging Enabled

Parameters:
  ReplicationInstanceArn:
    Type: String
    Description: ARN of the DMS replication instance
  SourceEndpointArn:
    Type: String
    Description: ARN of the source endpoint
  TargetEndpointArn:
    Type: String
    Description: ARN of the target endpoint
  TableMappings:
    Type: String
    Description: JSON table mappings for the replication task
    Default: '{"rules":[{"rule-type":"selection","rule-id":"1","rule-name":"1","object-locator":{"schema-name":"%","table-name":"%"},"rule-action":"include"}]}'

Resources:
  DMSReplicationTask:
    Type: AWS::DMS::ReplicationTask
    Properties:
      ReplicationInstanceArn: !Ref ReplicationInstanceArn
      SourceEndpointArn: !Ref SourceEndpointArn
      TargetEndpointArn: !Ref TargetEndpointArn
      MigrationType: full-load-and-cdc
      TableMappings: !Ref TableMappings
      ReplicationTaskSettings: |
        {
          "Logging": {
            "EnableLogging": true,
            "LogComponents": [
              {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_DEFAULT"},
              {"Id": "SOURCE_UNLOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}
            ]
          }
        }

Terraform

resource "aws_dms_replication_task" "example" {
  replication_task_id      = "example-task"
  replication_instance_arn = var.replication_instance_arn
  source_endpoint_arn      = var.source_endpoint_arn
  target_endpoint_arn      = var.target_endpoint_arn
  migration_type           = "full-load-and-cdc"

  table_mappings = jsonencode({
    rules = [{
      rule-type = "selection"
      rule-id   = "1"
      rule-name = "1"
      object-locator = {
        schema-name = "%"
        table-name  = "%"
      }
      rule-action = "include"
    }]
  })

  replication_task_settings = jsonencode({
    Logging = {
      EnableLogging = true
      LogComponents = [
        { Id = "SOURCE_CAPTURE", Severity = "LOGGER_SEVERITY_DEFAULT" },
        { Id = "SOURCE_UNLOAD", Severity = "LOGGER_SEVERITY_DEFAULT" }
      ]
    }
  })
}

Verification

After modifying the task, confirm that logging is properly configured:

  1. In the DMS Console, select your replication task
  2. Click the Logging tab
  3. Verify that CloudWatch logging is enabled
  4. Confirm SOURCE_CAPTURE and SOURCE_UNLOAD show severity of Default or higher

CLI verification

aws dms describe-replication-tasks \
  --filters Name=replication-task-arn,Values=arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
  --query "ReplicationTasks[0].ReplicationTaskSettings" \
  --output text \
  --region us-east-1 | jq '.Logging'

Expected output should show:

{
  "EnableLogging": true,
  "LogComponents": [
    {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_DEFAULT"},
    {"Id": "SOURCE_UNLOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}
  ]
}
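
The check itself can be scripted against the ReplicationTaskSettings string that describe-replication-tasks returns, which is useful when auditing many tasks. The Python below is an added example, not part of the original page or an AWS tool; the function name and sample inputs are constructed, and the severity ordering is an assumption taken from the AWS DMS task-logging documentation rather than from this page.

```python
import json

# Severity levels from least to most verbose (assumed from the AWS DMS docs).
SEVERITY_ORDER = [
    "LOGGER_SEVERITY_ERROR",
    "LOGGER_SEVERITY_WARNING",
    "LOGGER_SEVERITY_INFO",
    "LOGGER_SEVERITY_DEFAULT",
    "LOGGER_SEVERITY_DEBUG",
    "LOGGER_SEVERITY_DETAILED_DEBUG",
]
REQUIRED = ("SOURCE_CAPTURE", "SOURCE_UNLOAD")
MINIMUM = SEVERITY_ORDER.index("LOGGER_SEVERITY_DEFAULT")


def source_logging_findings(settings_json):
    """Return the reasons a task fails the check; an empty list means pass."""
    try:
        logging_cfg = json.loads(settings_json).get("Logging") or {}
    except (json.JSONDecodeError, AttributeError, TypeError):
        return ["ReplicationTaskSettings is not a JSON object"]
    if logging_cfg.get("EnableLogging") is not True:
        return ["Logging.EnableLogging is not true"]
    # Map component Id -> Severity, ignoring malformed entries.
    levels = {c.get("Id"): c.get("Severity")
              for c in logging_cfg.get("LogComponents") or []
              if isinstance(c, dict)}
    findings = []
    for component in REQUIRED:
        severity = levels.get(component)
        if severity is None:
            findings.append(f"{component} is missing from LogComponents")
        elif severity not in SEVERITY_ORDER:
            findings.append(f"{component} has unknown severity {severity!r}")
        elif SEVERITY_ORDER.index(severity) < MINIMUM:
            findings.append(f"{component} is {severity}, below LOGGER_SEVERITY_DEFAULT")
    return findings


# Constructed sample settings (not output from a real task).
COMPLIANT = json.dumps({"Logging": {"EnableLogging": True, "LogComponents": [
    {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_DEFAULT"},
    {"Id": "SOURCE_UNLOAD", "Severity": "LOGGER_SEVERITY_DEBUG"}]}})
WEAK = json.dumps({"Logging": {"EnableLogging": True, "LogComponents": [
    {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_ERROR"}]}})

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, source_logging_findings(doc) or "PASS")
```

Feed it the raw string from the --query "ReplicationTasks[0].ReplicationTaskSettings" --output text call shown above; a task with logging enabled but a source component set to ERROR, WARNING or INFO is reported as failing.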

Notes

  • Task must be stopped: You cannot modify logging settings while a task is running. Plan for a brief maintenance window.
  • Avoid DEBUG in production: The LOGGER_SEVERITY_DEBUG and LOGGER_SEVERITY_DETAILED_DEBUG levels generate high log volumes. Use them only during troubleshooting, then revert to LOGGER_SEVERITY_DEFAULT.
  • Log retention: DMS logs are stored in CloudWatch Logs. Configure appropriate retention periods to meet your audit requirements and control storage costs.
  • Cost considerations: Higher severity levels generate more logs, which increases CloudWatch Logs costs. LOGGER_SEVERITY_DEFAULT provides a good balance of visibility and cost.