
DataSync tasks should have logging enabled

DataSync tasks move data between storage systems, often across network boundaries or into S3. Without logging, you have no visibility into transfer failures, skipped files, or verification errors. A silent transfer failure can lead to data loss that goes unnoticed for days.

Logging also gives you the evidence trail needed to confirm that data landed where it was supposed to, when it was supposed to. If a DataSync task copies sensitive records between on-premises NFS and S3, the CloudWatch logs are your only record of what actually happened during the transfer.

Retrofit consideration

Existing tasks need an in-place update to add the CloudWatch Log Group ARN; cloudwatch_log_group_arn is updatable, so the task is not replaced. You must also confirm that the log group exists in the task's region and that DataSync has permission to write to it via a CloudWatch Logs resource policy, because the task update succeeds even when that policy is missing.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_datasync_task.

resource "aws_datasync_task" "this" {
  # Source and destination must be two different DataSync locations. These
  # reference location resources assumed to be declared elsewhere (the
  # on-premises NFS to S3 case described above).
  source_location_arn      = aws_datasync_location_nfs.source.arn
  destination_location_arn = aws_datasync_location_s3.destination.arn

  # The association this control checks for. The log group itself, and the
  # resource policy that lets DataSync write to it, are declared separately.
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.datasync.arn

  options {
    gid               = "NONE"
    posix_permissions = "NONE"
    uid               = "NONE"
    log_level         = "BASIC" # OFF (the default) would leave the log group empty
  }
}

What this control checks

In Terraform, this control validates the aws_datasync_task resource. The cloudwatch_log_group_arn argument must be set to a valid aws_cloudwatch_log_group ARN. If cloudwatch_log_group_arn is omitted or empty, the control fails.

A passing configuration requires three things:

  1. An aws_cloudwatch_log_group resource (e.g., /aws/datasync).
  2. The aws_datasync_task resource with cloudwatch_log_group_arn set to that log group's ARN.
  3. An aws_cloudwatch_log_resource_policy granting the DataSync service principal logs:PutLogEvents and logs:CreateLogStream on that log group.
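
The three pieces together, as an added example (not the page's own configuration): the log group, the resource policy granting the DataSync service principal write access, and a task that references both. The location resources aws_datasync_location_nfs.source and aws_datasync_location_s3.destination are assumed to be declared elsewhere; the log group name, retention period and policy name are illustrative choices. The aws:SourceArn and aws:SourceAccount conditions are the confused-deputy hardening AWS recommends for service-principal grants.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# 1. The log group DataSync will write to (name and retention are assumptions).
resource "aws_cloudwatch_log_group" "datasync" {
  name              = "/aws/datasync"
  retention_in_days = 365
}

# 3. Resource policy. The DataSync service principal, not an IAM role in this
#    account, writes the events, so the grant has to live on the log group.
data "aws_iam_policy_document" "datasync_logs" {
  statement {
    sid     = "DataSyncLogsToCloudWatchLogs"
    effect  = "Allow"
    actions = ["logs:PutLogEvents", "logs:CreateLogStream"]

    principals {
      type        = "Service"
      identifiers = ["datasync.amazonaws.com"]
    }

    # Log streams live under the group, so the policy resource carries the
    # ":*" suffix. The task argument below must NOT.
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.datasync.name}:*"
    ]

    # Only DataSync tasks in this account may use the grant.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:datasync:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:task/*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "datasync" {
  policy_name     = "DataSyncLogsToCloudWatchLogs"
  policy_document = data.aws_iam_policy_document.datasync_logs.json
}

# 2. The task, associated with the log group and with a log level that
#    actually emits events.
resource "aws_datasync_task" "nfs_to_s3" {
  source_location_arn      = aws_datasync_location_nfs.source.arn     # assumed declared elsewhere
  destination_location_arn = aws_datasync_location_s3.destination.arn # assumed declared elsewhere
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.datasync.arn    # bare log group ARN, no ":*"

  options {
    log_level         = "TRANSFER" # one event per file copied and verified; BASIC logs errors only
    verify_mode       = "POINT_IN_TIME_CONSISTENT"
    posix_permissions = "NONE"
    uid               = "NONE"
    gid               = "NONE"
  }

  # Make sure the grant exists before the first execution can try to write.
  depends_on = [aws_cloudwatch_log_resource_policy.datasync]
}
```

After apply, run the task once and confirm a log stream appears under /aws/datasync; an empty group after a completed execution means the resource policy or the log level is wrong, not the control.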

The log_level option within the options block (OFF, BASIC or TRANSFER) is separate from this control. The control checks only for the presence of cloudwatch_log_group_arn on the task itself; it does not inspect log_level, and it is unrelated to the task_report_config block, which configures per-execution task reports delivered to S3 rather than CloudWatch log events.

Common pitfalls

  • Missing CloudWatch Logs resource policy

    DataSync will accept the cloudwatch_log_group_arn value and create the task without error, but if the aws_cloudwatch_log_resource_policy granting logs:PutLogEvents and logs:CreateLogStream to datasync.amazonaws.com is missing, nothing gets written. The task looks configured; the log group stays empty.

  • Log group ARN format mismatch

    Use the ARN directly from aws_cloudwatch_log_group.arn, not a constructed string with a trailing :*. DataSync expects the log group ARN without that suffix. If the format is wrong, task creation may succeed but logging silently fails. Verify the value passed to cloudwatch_log_group_arn ends with the log group name, not :*.

  • Cross-region log group references

    The CloudWatch Log Group must be in the same region as the DataSync task. A cross-region ARN won't be rejected at plan time, but the task will fail to deliver logs, with no clear error surfaced during apply.

  • Log level defaults to OFF

    With cloudwatch_log_group_arn set, this control passes. But the log_level option in the options block defaults to OFF, so if it is omitted or explicitly set to OFF, no log events are written. The control checks for the association, not the effective log level, so you can pass the check and still get no data. Set BASIC (transfer errors only) or TRANSFER (every file or object copied and verified), depending on how much detail you need.
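
The three silent failures above (a trailing :*, a cross-region log group, and a log level that writes nothing) can all be rejected at plan time with Terraform custom conditions. The following is an added example, not the page's own configuration: it assumes the log group ARN and log level arrive as input variables, that aws_datasync_location_nfs.source and aws_datasync_location_s3.destination are declared elsewhere, and Terraform 1.3 or later (for endswith). This goes beyond the pitfalls text by also validating the log level rather than only the ARN.

```hcl
variable "datasync_log_group_arn" {
  type        = string
  description = "ARN of the CloudWatch log group DataSync tasks write to (bare ARN, no trailing :*)"
}

variable "datasync_log_level" {
  type        = string
  description = "DataSync log level; OFF passes the control but writes no events"
  default     = "BASIC"

  # Reject the value that passes the control check yet produces an empty log group.
  validation {
    condition     = contains(["BASIC", "TRANSFER"], var.datasync_log_level)
    error_message = "datasync_log_level must be BASIC or TRANSFER; OFF disables logging even with a log group attached."
  }
}

data "aws_region" "current" {}

locals {
  # ARN layout: arn:partition:service:region:account:resource, so index 3 is the region.
  log_group_region = split(":", var.datasync_log_group_arn)[3]
}

resource "aws_datasync_task" "guarded" {
  source_location_arn      = aws_datasync_location_nfs.source.arn     # assumed declared elsewhere
  destination_location_arn = aws_datasync_location_s3.destination.arn # assumed declared elsewhere
  cloudwatch_log_group_arn = var.datasync_log_group_arn

  options {
    log_level = var.datasync_log_level
  }

  lifecycle {
    # The ":*" form belongs in the CloudWatch Logs resource policy, never on the task.
    precondition {
      condition     = !endswith(var.datasync_log_group_arn, ":*")
      error_message = "cloudwatch_log_group_arn must be the bare log group ARN without a trailing :*."
    }

    # A log group in another region is accepted by the API but never receives events.
    precondition {
      condition     = local.log_group_region == data.aws_region.current.name
      error_message = "The CloudWatch log group must be in the same region as the DataSync task."
    }

    # Sanity check that this is a log group ARN at all, not a log stream or another service's ARN.
    precondition {
      condition     = can(regex("^arn:aws[a-z-]*:logs:[a-z0-9-]+:[0-9]{12}:log-group:[^:]+$", var.datasync_log_group_arn))
      error_message = "cloudwatch_log_group_arn does not look like a CloudWatch log group ARN."
    }
  }
}
```

With these in place, terraform plan fails with the stated message instead of producing a task that is compliant on paper and silent in practice.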

Audit evidence

AWS Config rule evaluation results showing all DataSync tasks as COMPLIANT, or equivalent output from a cloud security posture management tool. Supporting evidence includes the CloudWatch Log Group with actual log entries from recent DataSync executions, confirming that logging is operational and not merely configured. The DescribeTask API response for each task should show a non-empty CloudWatchLogGroupArn field.

CloudTrail events for CreateTask and UpdateTask calls establish when logging was enabled and by whom, which matters if the control was previously failing and remediation needs a timeline.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: datasync_task_logging_enabled

  • AWS Config Managed Rule: DATASYNC_TASK_LOGGING_ENABLED

  • Powerpipe Control: aws_compliance.control.datasync_task_logging_enabled

  • Prowler Check: datasync_task_logging_enabled

  • AWS Security Hub Control: DataSync.1

Last reviewed: 2026-03-09