DMS Replication Task Target Logging Enabled
Overview
This check verifies that AWS Database Migration Service (DMS) replication tasks have target logging enabled with appropriate severity levels. Specifically, the TARGET_APPLY and TARGET_LOAD logging components should be configured with at least LOGGER_SEVERITY_DEFAULT.
Target logging captures what happens when data is loaded and applied to your target database during migration. Without this logging, you lose visibility into a critical phase of data migration.
Risk
When target logging is disabled or insufficiently configured:
- Data integrity issues go undetected: Partial loads, silent data drift, or failed apply operations may not surface until much later
- Incident response slows down: Without logs, troubleshooting target-side failures requires guesswork
- Audit trails are incomplete: Compliance frameworks often require visibility into data movement and transformation activities
Remediation Steps
Prerequisites
You need permission to modify DMS replication tasks. The task must be stopped before you can change its settings.
Required IAM permissions
Your IAM user or role needs these permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dms:DescribeReplicationTasks",
"dms:ModifyReplicationTask",
"dms:StopReplicationTask",
"dms:StartReplicationTask"
],
"Resource": "*"
}
]
}
AWS Console Method
- Open the AWS DMS Console in us-east-1
- Click Database migration tasks in the left sidebar
- Select the replication task that needs logging enabled
- If the task is running, click Actions > Stop and wait for it to stop
- Click Actions > Modify
- Scroll to the Task settings section
- Under Enable CloudWatch logs, ensure the checkbox is selected
- In the Target logging severity settings, set both:
- TARGET_APPLY to
Defaultor higher - TARGET_LOAD to
Defaultor higher
- TARGET_APPLY to
- Click Save changes
- Restart the task by clicking Actions > Resume/Start
AWS CLI (optional)
First, stop the replication task if it is running:
aws dms stop-replication-task \
--replication-task-arn arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
--region us-east-1
Wait for the task to stop, then modify the task settings to enable target logging:
aws dms modify-replication-task \
--replication-task-arn arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
--replication-task-settings '{
"Logging": {
"EnableLogging": true,
"LogComponents": [
{"Id": "TARGET_APPLY", "Severity": "LOGGER_SEVERITY_DEFAULT"},
{"Id": "TARGET_LOAD", "Severity": "LOGGER_SEVERITY_DEFAULT"}
]
}
}' \
--region us-east-1
Restart the task:
aws dms start-replication-task \
--replication-task-arn arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
--start-replication-task-type resume-processing \
--region us-east-1
Replace arn:aws:dms:us-east-1:123456789012:task:EXAMPLE with your actual task ARN.
Logging severity options (from least to most verbose):
LOGGER_SEVERITY_ERROR- Only errorsLOGGER_SEVERITY_WARNING- Errors and warningsLOGGER_SEVERITY_INFO- Errors, warnings, and informational messagesLOGGER_SEVERITY_DEFAULT- Standard logging (recommended minimum)LOGGER_SEVERITY_DEBUG- Detailed debug informationLOGGER_SEVERITY_DETAILED_DEBUG- Most verbose logging
CloudFormation (optional)
Use this CloudFormation template to create or update a DMS replication task with target logging enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Replication Task with Target Logging Enabled
Parameters:
ReplicationInstanceArn:
Type: String
Description: ARN of the DMS replication instance
SourceEndpointArn:
Type: String
Description: ARN of the source endpoint
TargetEndpointArn:
Type: String
Description: ARN of the target endpoint
Resources:
DMSReplicationTask:
Type: AWS::DMS::ReplicationTask
Properties:
ReplicationTaskIdentifier: my-replication-task
MigrationType: full-load-and-cdc
ReplicationInstanceArn: !Ref ReplicationInstanceArn
SourceEndpointArn: !Ref SourceEndpointArn
TargetEndpointArn: !Ref TargetEndpointArn
TableMappings: |
{
"rules": [
{
"rule-type": "selection",
"rule-id": "1",
"rule-name": "1",
"object-locator": {
"schema-name": "%",
"table-name": "%"
},
"rule-action": "include"
}
]
}
ReplicationTaskSettings: |
{
"Logging": {
"EnableLogging": true,
"LogComponents": [
{
"Id": "TARGET_APPLY",
"Severity": "LOGGER_SEVERITY_DEFAULT"
},
{
"Id": "TARGET_LOAD",
"Severity": "LOGGER_SEVERITY_DEFAULT"
}
]
}
}
Outputs:
ReplicationTaskArn:
Description: ARN of the DMS replication task
Value: !Ref DMSReplicationTask
Deploy with:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name dms-task-with-logging \
--parameter-overrides \
ReplicationInstanceArn=arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE \
SourceEndpointArn=arn:aws:dms:us-east-1:123456789012:endpoint:SOURCE \
TargetEndpointArn=arn:aws:dms:us-east-1:123456789012:endpoint:TARGET \
--region us-east-1
Terraform (optional)
Use this Terraform configuration to create a DMS replication task with target logging:
resource "aws_dms_replication_task" "example" {
replication_task_id = "my-replication-task"
migration_type = "full-load-and-cdc"
replication_instance_arn = "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE"
source_endpoint_arn = "arn:aws:dms:us-east-1:123456789012:endpoint:SOURCE"
target_endpoint_arn = "arn:aws:dms:us-east-1:123456789012:endpoint:TARGET"
table_mappings = jsonencode({
rules = [{
rule-type = "selection"
rule-id = "1"
rule-name = "1"
object-locator = {
schema-name = "%"
table-name = "%"
}
rule-action = "include"
}]
})
replication_task_settings = jsonencode({
Logging = {
EnableLogging = true
LogComponents = [
{
Id = "TARGET_APPLY"
Severity = "LOGGER_SEVERITY_DEFAULT"
},
{
Id = "TARGET_LOAD"
Severity = "LOGGER_SEVERITY_DEFAULT"
}
]
}
})
}
Replace the ARN values with your actual replication instance and endpoint ARNs.
Verification
After making changes, confirm that target logging is enabled:
- In the DMS Console, select your replication task
- Click the Task settings tab
- Verify that CloudWatch logs are enabled and
TARGET_APPLYandTARGET_LOADshow at leastDefaultseverity
CLI verification commands
Check the current task settings:
aws dms describe-replication-tasks \
--filters Name=replication-task-arn,Values=arn:aws:dms:us-east-1:123456789012:task:EXAMPLE \
--query 'ReplicationTasks[0].ReplicationTaskSettings' \
--output text \
--region us-east-1 | jq '.Logging'
Expected output should show:
{
"EnableLogging": true,
"LogComponents": [
{
"Id": "TARGET_APPLY",
"Severity": "LOGGER_SEVERITY_DEFAULT"
},
{
"Id": "TARGET_LOAD",
"Severity": "LOGGER_SEVERITY_DEFAULT"
}
]
}
You can also verify logs are appearing in CloudWatch:
aws logs describe-log-streams \
--log-group-name dms-tasks-<task-id> \
--region us-east-1
Additional Resources
Notes
- Task must be stopped: You cannot modify logging settings while a task is running. Plan for a maintenance window if the task is actively replicating data.
- Consider all logging components: While this check focuses on
TARGET_APPLYandTARGET_LOAD, you may also want to enable logging for source-side components (SOURCE_CAPTURE,SOURCE_UNLOAD) for complete visibility. - Log retention: CloudWatch log groups for DMS tasks inherit default retention settings. Consider setting an appropriate retention period based on your compliance requirements.
- Cost implications: Higher severity levels (DEBUG, DETAILED_DEBUG) generate more log data and may increase CloudWatch costs.
LOGGER_SEVERITY_DEFAULTprovides a good balance.