AWS Data Sync Task logging is not enabled
- Contextual name: Task logging is not enabled
- ID: /ce/ca/aws/data-sync/task-logging
- Located in: AWS Data Sync
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Similar Policies
- AWS Security Hub
  - [[DataSync.1] DataSync tasks should have logging enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/datasync-controls.html#datasync-1)
Logic
- prod.logic.yaml
Description
Ensure that AWS DataSync Tasks are configured to send transfer logs to Amazon CloudWatch Logs.
Rationale
Enabling logging for DataSync Tasks provides visibility into data transfer operations: which files were transferred, verified or skipped, and which errors occurred. Without a log group attached, a task execution leaves only summary statistics behind, which is not enough to audit what data left a source location or to investigate a failed or unexpected transfer.
Impact
Enabling logging may incur charges for Amazon CloudWatch Logs based on the amount of data ingested and stored.
Audit
This policy marks an AWS Data Sync Task as INCOMPLIANT if the CloudWatch Log Group ARN field is empty or the associated CloudWatch Log Group does not exist in the CMDB. The second condition matters: a task whose log group has since been deleted still carries an ARN but no longer produces retrievable logs.
Remediation
From Command Line
Prerequisites
If you need to create a new CloudWatch Log Group, use the following command:

```shell
aws logs create-log-group --log-group-name {{log-group-name}}
```

Ensure that DataSync has permission to upload logs to the CloudWatch log group. DataSync writes to the log group as the `datasync.amazonaws.com` service principal, so the log group needs a resource policy that allows that principal to call `logs:CreateLogStream` and `logs:PutLogEvents`; without it the task accepts the ARN but no log events arrive.
Associate the Log Group with the DataSync Task

```shell
aws datasync update-task \
  --task-arn {{task-arn}} \
  --cloud-watch-log-group-arn {{log-group-arn}}
```

Note: For Enhanced mode tasks, you must use /aws/datasync as your log group name. For example: arn:aws:logs:us-east-1:111222333444:log-group:/aws/datasync:*
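The following is an added example, not part of this policy page or Cloudaware's prod.logic.yaml. It implements the audit rule stated above (empty CloudWatch Log Group ARN, or an ARN whose log group is absent from the inventory) and additionally applies the Enhanced mode note, so an Enhanced mode task pointed at any log group other than /aws/datasync is also flagged. The task records are constructed to resemble the relevant fields of `aws datasync describe-task` output; the `TaskMode` field with values `BASIC`/`ENHANCED` is assumed to match the DescribeTask API. The inventory set stands in for the CMDB, and no AWS calls are made.

```python
import re

# Matches a CloudWatch Logs log group ARN. DescribeTask usually returns the
# form with a trailing ":*", so that suffix is accepted as optional.
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:aws:logs:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":log-group:(?P<name>[^:]+)(?::\*)?$"
)

# Constructed inventory standing in for the CMDB: log groups that exist.
KNOWN_LOG_GROUPS = {
    "arn:aws:logs:us-east-1:111222333444:log-group:/aws/datasync",
    "arn:aws:logs:us-east-1:111222333444:log-group:/custom/datasync-transfers",
}

# Constructed records shaped like part of `aws datasync describe-task` output.
# TaskMode values are an assumption about the DescribeTask API.
SAMPLE_TASKS = [
    {"TaskArn": "arn:aws:datasync:us-east-1:111222333444:task/task-0001",
     "TaskMode": "BASIC", "CloudWatchLogGroupArn": ""},
    {"TaskArn": "arn:aws:datasync:us-east-1:111222333444:task/task-0002",
     "TaskMode": "BASIC",
     "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:111222333444:log-group:/deleted/group:*"},
    {"TaskArn": "arn:aws:datasync:us-east-1:111222333444:task/task-0003",
     "TaskMode": "BASIC",
     "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:111222333444:log-group:/custom/datasync-transfers:*"},
    {"TaskArn": "arn:aws:datasync:us-east-1:111222333444:task/task-0004",
     "TaskMode": "ENHANCED",
     "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:111222333444:log-group:/custom/datasync-transfers:*"},
    {"TaskArn": "arn:aws:datasync:us-east-1:111222333444:task/task-0005",
     "TaskMode": "ENHANCED",
     "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:111222333444:log-group:/aws/datasync:*"},
]


def parse_log_group_arn(arn):
    """Return the ARN's region, account and log group name, or None if it is not a log group ARN."""
    match = LOG_GROUP_ARN_RE.match(arn.strip())
    return match.groupdict() if match else None


def canonical_arn(parts):
    """Rebuild the ARN without the ":*" suffix so inventory lookups are stable."""
    return "arn:aws:logs:%s:%s:log-group:%s" % (parts["region"], parts["account"], parts["name"])


def evaluate_task(task, known_log_groups):
    """Apply the audit rule to one task; returns (status, reason)."""
    arn = task.get("CloudWatchLogGroupArn") or ""
    if not arn.strip():
        return "NONCOMPLIANT", "CloudWatchLogGroupArn is empty"
    parts = parse_log_group_arn(arn)
    if parts is None:
        return "NONCOMPLIANT", "CloudWatchLogGroupArn is not a log group ARN"
    # Normalise both sides so "...:/name" and "...:/name:*" compare equal.
    known = {canonical_arn(p) for p in map(parse_log_group_arn, known_log_groups) if p}
    if canonical_arn(parts) not in known:
        return "NONCOMPLIANT", "log group %s not found in inventory" % parts["name"]
    # Enhanced mode tasks must log to /aws/datasync (see the remediation note).
    if task.get("TaskMode") == "ENHANCED" and parts["name"] != "/aws/datasync":
        return "NONCOMPLIANT", "Enhanced mode task must use the /aws/datasync log group"
    return "COMPLIANT", ""


def audit(tasks, known_log_groups):
    """Evaluate every task; returns {TaskArn: (status, reason)}."""
    return {t["TaskArn"]: evaluate_task(t, known_log_groups) for t in tasks}


if __name__ == "__main__":
    for task_arn, (status, reason) in audit(SAMPLE_TASKS, KNOWN_LOG_GROUPS).items():
        print("%-12s %s %s" % (status, task_arn.rsplit("/", 1)[1], reason))
```

Run as-is it reports task-0001 (no ARN), task-0002 (log group gone) and task-0004 (Enhanced mode on a custom group) as NONCOMPLIANT and the other two as COMPLIANT. To run it against a real account, replace `SAMPLE_TASKS` with the `describe-task` output for each task and `KNOWN_LOG_GROUPS` with the ARNs returned by `aws logs describe-log-groups`.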
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [DataSync.1] DataSync tasks should have logging enabled | 1 | | | |
| Cloudaware Framework → Logging and Monitoring Configuration | 59 | | | |