DataSync Tasks Should Have Logging Enabled
Overview
This control checks whether your AWS DataSync tasks have CloudWatch Logs configured. DataSync is a managed transfer service that moves files and objects between on-premises storage and AWS storage services, and between AWS storage services. Without task logging, you have no record of what a transfer did: which files were copied, skipped, deleted or failed verification.
The check fails if a DataSync task does not have a CloudWatchLogGroupArn property defined.
Risk
When logging is disabled on DataSync tasks:
- Troubleshooting becomes difficult - You cannot see why transfers failed or partially completed
- Data integrity issues go unnoticed - Unexpected deletions or transfer anomalies are invisible
- Security incidents may be missed - CloudTrail records that a task execution was started, but without task logs nothing records which files moved, so misuse of a task to copy data elsewhere leaves no per-file audit trail
- Compliance requirements are not met - Many frameworks require logging of data movement operations
Severity: High
Remediation Steps
Prerequisites
You need permission to modify DataSync tasks and create CloudWatch Log Groups. If using the console, ensure you have access to both the DataSync and CloudWatch services.
Required IAM permissions
Your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "datasync:UpdateTask",
        "datasync:DescribeTask",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Open the AWS DataSync console
- In the left navigation, click Tasks
- Select the task that needs logging enabled
- Click Edit
- Scroll to the Logging section
- For Log level, choose one of:
- Basic - Logs basic information such as transfer errors (corresponds to the BASIC log level)
- Transfer - Logs every file or object that the task transfers and verifies (corresponds to the TRANSFER log level; recommended)
- For CloudWatch Log group, either:
- Select an existing log group, or
- Click Create a new log group and enter a name like /aws/datasync/my-task-name
- Click Save
AWS CLI
Step 1: Create a CloudWatch Log Group (if needed)
aws logs create-log-group \
--log-group-name /aws/datasync/my-task-name \
--region us-east-1
Step 2: Get the Log Group ARN
aws logs describe-log-groups \
--log-group-name-prefix /aws/datasync/my-task-name \
--query 'logGroups[0].arn' \
--output text \
--region us-east-1
Step 3: Update the DataSync task
Replace <task-arn> with your task ARN and <log-group-arn> with the ARN from Step 2:
aws datasync update-task \
--task-arn <task-arn> \
--cloud-watch-log-group-arn <log-group-arn> \
--region us-east-1
Example that also sets the log level (a task whose LogLevel is OFF publishes nothing, even with a log group configured):
aws datasync update-task \
--task-arn arn:aws:datasync:us-east-1:123456789012:task/task-01234567890abcdef \
--cloud-watch-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:/aws/datasync/my-task-name \
--options '{"LogLevel":"TRANSFER"}' \
--region us-east-1
CloudFormation
This template creates a DataSync task with logging enabled, including the required CloudWatch Log Group:
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS DataSync Task with CloudWatch Logging Enabled
Parameters:
  SourceLocationArn:
    Type: String
    Description: ARN of the source location for the DataSync task
  DestinationLocationArn:
    Type: String
    Description: ARN of the destination location for the DataSync task
  TaskName:
    Type: String
    Description: Name of the DataSync task
    Default: my-datasync-task
Resources:
  DataSyncLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/datasync/${TaskName}
      RetentionInDays: 30
  DataSyncTask:
    Type: AWS::DataSync::Task
    Properties:
      Name: !Ref TaskName
      SourceLocationArn: !Ref SourceLocationArn
      DestinationLocationArn: !Ref DestinationLocationArn
      CloudWatchLogGroupArn: !GetAtt DataSyncLogGroup.Arn
      Options:
        LogLevel: TRANSFER
Outputs:
  TaskArn:
    Description: ARN of the DataSync task
    Value: !Ref DataSyncTask
  LogGroupArn:
    Description: ARN of the CloudWatch Log Group
    Value: !GetAtt DataSyncLogGroup.Arn
Deploy the stack:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name datasync-task-with-logging \
--parameter-overrides \
SourceLocationArn=arn:aws:datasync:us-east-1:123456789012:location/loc-01234567890abcdef \
DestinationLocationArn=arn:aws:datasync:us-east-1:123456789012:location/loc-fedcba09876543210 \
TaskName=my-datasync-task \
--region us-east-1
Terraform
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "source_location_arn" {
  description = "ARN of the source location for the DataSync task"
  type        = string
}

variable "destination_location_arn" {
  description = "ARN of the destination location for the DataSync task"
  type        = string
}

variable "task_name" {
  description = "Name of the DataSync task"
  type        = string
  default     = "my-datasync-task"
}

variable "log_retention_days" {
  description = "Number of days to retain logs in CloudWatch"
  type        = number
  default     = 30
}

# CloudWatch Log Group for DataSync task logging
resource "aws_cloudwatch_log_group" "datasync" {
  name              = "/aws/datasync/${var.task_name}"
  retention_in_days = var.log_retention_days
}

# DataSync task with logging enabled
resource "aws_datasync_task" "main" {
  name                     = var.task_name
  source_location_arn      = var.source_location_arn
  destination_location_arn = var.destination_location_arn
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.datasync.arn

  options {
    log_level = "TRANSFER"
  }
}

output "task_arn" {
  description = "ARN of the DataSync task"
  value       = aws_datasync_task.main.arn
}

output "log_group_arn" {
  description = "ARN of the CloudWatch Log Group"
  value       = aws_cloudwatch_log_group.datasync.arn
}
Apply the configuration:
terraform init
terraform apply \
-var="source_location_arn=arn:aws:datasync:us-east-1:123456789012:location/loc-01234567890abcdef" \
-var="destination_location_arn=arn:aws:datasync:us-east-1:123456789012:location/loc-fedcba09876543210"
Verification
After enabling logging, verify the configuration:
- Go to the DataSync console
- Select your task and click on it to view details
- In the Logging section, confirm a CloudWatch Log group is shown
- Run the task (or wait for a scheduled run) and check the log group for entries
Verify with AWS CLI
# Check whether the task has a log group and a log level that actually publishes
aws datasync describe-task \
--task-arn <task-arn> \
--query '{LogGroup: CloudWatchLogGroupArn, LogLevel: Options.LogLevel}' \
--region us-east-1
If logging is configured, LogGroup is the log group ARN and LogLevel is BASIC or TRANSFER. A null LogGroup means the task has no log group, which is the condition this check tests. A LogLevel of OFF means a log group is set but no log entries are published.
Re-run the Prowler check:
prowler aws --checks datasync_task_logging_enabled --region us-east-1
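The Prowler check above tests one thing: that CloudWatchLogGroupArn is set. Two further conditions decide whether log lines actually appear after the CLI, CloudFormation or Terraform steps above. The task's Options.LogLevel must not be OFF, and the log group must carry a CloudWatch Logs resource policy that lets the datasync.amazonaws.com service principal call logs:CreateLogStream and logs:PutLogEvents (when the console creates the log group for you it adds that policy; the CLI and infrastructure-as-code paths on this page do not). The Python below is an added example, not Prowler's or AWS's code. It evaluates all three conditions over dicts shaped like the output of aws datasync describe-task and the resourcePolicies list from aws logs describe-resource-policies, using constructed samples that reuse the 123456789012 account and task IDs from this page, and it builds the resource policy document to feed to aws logs put-resource-policy. The aws:SourceArn and aws:SourceAccount condition keys follow AWS's published DataSync example; the function and sample names are the example's own.

```python
"""Added example: audit DataSync task logging beyond "is a log group ARN set".

Runs offline on dicts shaped like `aws datasync describe-task` output and the
"resourcePolicies" list from `aws logs describe-resource-policies`.
"""
import json

DATASYNC_PRINCIPAL = "datasync.amazonaws.com"
# DataSync needs both actions on the log group: one to open a stream, one to write.
REQUIRED_LOG_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_allows_datasync(resource_policy: dict) -> bool:
    """True if one Logs resource policy has an Allow statement whose Principal.Service
    names DataSync and whose Action covers both required actions.
    The API returns policyDocument as a JSON string, so it is parsed here."""
    doc = resource_policy.get("policyDocument", "{}")
    if isinstance(doc, str):
        doc = json.loads(doc)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if DATASYNC_PRINCIPAL not in services:
            continue  # a Principal of "*" is deliberately not accepted as a fix
        actions = set(_as_list(stmt.get("Action")))
        if "logs:*" in actions or REQUIRED_LOG_ACTIONS <= actions:
            return True
    return False


def task_logging_findings(task: dict, resource_policies: list) -> list:
    """Findings for one DescribeTask response; an empty list means logging works end to end."""
    if not task.get("CloudWatchLogGroupArn"):
        return ["no CloudWatchLogGroupArn configured"]  # the only condition Prowler tests
    findings = []
    level = (task.get("Options") or {}).get("LogLevel")
    if level in (None, "OFF"):
        # Assumption: an absent LogLevel is treated like OFF, the value that publishes nothing.
        findings.append("log group set but Options.LogLevel is OFF or unset, so nothing is published")
    if not any(policy_allows_datasync(p) for p in resource_policies):
        findings.append(f"no log group resource policy grants {DATASYNC_PRINCIPAL} "
                        "logs:CreateLogStream and logs:PutLogEvents")
    return findings


def build_datasync_log_resource_policy(account_id: str, region: str, log_group_arn: str) -> dict:
    """Policy document for `aws logs put-resource-policy`. The SourceArn/SourceAccount
    conditions follow AWS's DataSync example and keep other accounts' tasks out."""
    if not log_group_arn.endswith(":*"):
        log_group_arn += ":*"  # log-group resources in Logs policies carry a :* suffix
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DataSyncLogsToCloudWatchLogs",
            "Effect": "Allow",
            "Principal": {"Service": DATASYNC_PRINCIPAL},
            "Action": sorted(REQUIRED_LOG_ACTIONS),
            "Resource": log_group_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": [f"arn:aws:datasync:{region}:{account_id}:task/*"]},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


# Constructed samples (not real API output); IDs match the examples on this page.
REGION, ACCOUNT = "us-east-1", "123456789012"
TASK_ARN = f"arn:aws:datasync:{REGION}:{ACCOUNT}:task/task-01234567890abcdef"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/datasync/my-task-name:*"
SAMPLE_TASKS = {
    "no-log-group": {"TaskArn": TASK_ARN, "Options": {"LogLevel": "OFF"}},
    "log-group-but-off": {"TaskArn": TASK_ARN, "CloudWatchLogGroupArn": LOG_GROUP_ARN,
                          "Options": {"LogLevel": "OFF"}},
    "compliant": {"TaskArn": TASK_ARN, "CloudWatchLogGroupArn": LOG_GROUP_ARN,
                  "Options": {"LogLevel": "TRANSFER"}},
}
# Shape of one element of describe-resource-policies' "resourcePolicies" list.
SAMPLE_RESOURCE_POLICIES = [{
    "policyName": "DataSyncLogs",
    "policyDocument": json.dumps(build_datasync_log_resource_policy(ACCOUNT, REGION, LOG_GROUP_ARN)),
}]


def audit_samples() -> dict:
    """Run the checks over every constructed task against the sample resource policy."""
    return {name: task_logging_findings(t, SAMPLE_RESOURCE_POLICIES) for name, t in SAMPLE_TASKS.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
    print(json.dumps(build_datasync_log_resource_policy(ACCOUNT, REGION, LOG_GROUP_ARN), indent=2))
```

In practice, feed task_logging_findings the JSON from aws datasync describe-task and the resourcePolicies list from aws logs describe-resource-policies for the same Region, since Logs resource policies are Regional. To apply the generated document, write it to a file and run aws logs put-resource-policy --policy-name DataSyncLogs --policy-document file://policy.json; that call needs logs:PutResourcePolicy, which the IAM policy in Prerequisites does not include. CloudWatch Logs allows only a small number of resource policies per Region, so one policy whose Resource covers all your DataSync log groups (for example log-group:/aws/datasync/*:*) is usually better than one policy per task.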
Additional Resources
- AWS DataSync User Guide - Monitoring
- AWS DataSync CloudWatch Logging
- CloudWatch Logs Pricing
- Prowler Check Documentation
Notes
- Log levels: Choose BASIC to log only basic information such as transfer errors, or TRANSFER to log every file or object the task transfers and verifies. TRANSFER is recommended for troubleshooting and audit but generates more log data. OFF publishes nothing even when a log group is configured.
- Log group permissions: DataSync writes as the datasync.amazonaws.com service principal, so the log group needs a resource policy granting it logs:CreateLogStream and logs:PutLogEvents. When the console creates the log group for you it adds this policy; with the CLI (aws logs put-resource-policy, which needs logs:PutResourcePolicy), CloudFormation (AWS::Logs::ResourcePolicy) or Terraform (aws_cloudwatch_log_resource_policy) you must add it yourself, otherwise the task runs without any log entries appearing.
- Log retention: Set an appropriate retention period for your log group to manage storage costs. The examples use 30 days.
- Existing tasks: When you update a task to add logging, only future executions will be logged. Past executions cannot be retroactively logged.
- Compliance frameworks: This control is relevant to C5, ISO27001, KISA-ISMS-P, NIS2, and SOC2.