AWS dms documentation change
Summary
Added three new premigration assessment checks for data masking transformation rules: Digits Randomize, Digits Mask, and Hashing Mask
Security assessment
The changes introduce documentation for data masking transformation rules which are security features designed to protect sensitive data. However, there's no evidence this addresses an existing security vulnerability - rather it documents available security controls.
Diff
diff --git a/dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md b/dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md index 41b4f52be..ab9a26ebf 100644 --- a/dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md +++ b/dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md @@ -5 +5 @@ -Validate if secondary indexes are enabled on the target database during full-load Validate that limited LOB mode only is used when BatchApplyEnabled is set to trueValidate if target database has any triggers enabled on tables in the scope of the taskCheck if tables in task scope contain computed columnsCheck if tables in task scope have column store indexesCheck if memory optimized tables are a part of the task scopeCheck if temporal tables are a part of the task scopeCheck if delayed durability is enabled at the database levelCheck if accelerated data recovery is enabled at the database levelCheck if table mapping has more than 10K tables with primary keysCheck if the source database has tables or schema names with special characters.Check if the source database has column names with masked dataCheck if the source database has encrypted backupsCheck if the source database has backups stored at a URL or on Windows Azure. Check if the source database has backups on multiple disksCheck if the source database has at least one full backupCheck if the source database has sparse columns and columnar structure compression.Check if the source database instance has server level auditing for SQL Server 2008 or SQL Server 2008 R2Check if the source database has geometry columns for full LOB modeCheck if the source database has columns with the Identity property.Check if the DMS user has FULL LOAD permissionsCheck if the DMS user has FULL LOAD and CDC or CDC only permissionsCheck whether the ignoreMsReplicationEnablement ECA is set when using MS-CDC with on-premises or EC2 databasesCheck if the DMS user has the VIEW DEFINITION permission.Check if the DMS user has the VIEW DATABASE STATE permission on the MASTER database for users without the Sysadmin role.Check if the DMS user has the VIEW SERVER STATE permission.Validate if text repl size parameter is not unlimitedValidate if Primary Key or Unique Index exist on target for Batch ApplyValidate if both Primary Key and Unique index exist on target when batch apply enabledValidate if table has primary key or unique index when DMS validation is enabledValidate if AWS DMS user has necessary privileges to the targetRecommendation on using MaxFullLoadSubTasks setting +Validate if secondary indexes are enabled on the target database during full-load Validate that limited LOB mode only is used when BatchApplyEnabled is set to trueValidate if target database has any triggers enabled on tables in the scope of the taskCheck if tables in task scope contain computed columnsCheck if tables in task scope have column store indexesCheck if memory optimized tables are a part of the task scopeCheck if temporal tables are a part of the task scopeCheck if delayed durability is enabled at the database levelCheck if accelerated data recovery is enabled at the database levelCheck if table mapping has more than 10K tables with primary keysCheck if the source database has tables or schema names with special characters.Check if the source database has column names with masked dataCheck if the source database has encrypted backupsCheck if the source database has backups stored at a URL or on Windows Azure. Check if the source database has backups on multiple disksCheck if the source database has at least one full backupCheck if the source database has sparse columns and columnar structure compression.Check if the source database instance has server level auditing for SQL Server 2008 or SQL Server 2008 R2Check if the source database has geometry columns for full LOB modeCheck if the source database has columns with the Identity property.Check if the DMS user has FULL LOAD permissionsCheck if the DMS user has FULL LOAD and CDC or CDC only permissionsCheck whether the ignoreMsReplicationEnablement ECA is set when using MS-CDC with on-premises or EC2 databasesCheck if the DMS user has the VIEW DEFINITION permission.Check if the DMS user has the VIEW DATABASE STATE permission on the MASTER database for users without the Sysadmin role.Check if the DMS user has the VIEW SERVER STATE permission.Validate if text repl size parameter is not unlimitedValidate if Primary Key or Unique Index exist on target for Batch ApplyValidate if both Primary Key and Unique index exist on target when batch apply enabledValidate if table has primary key or unique index when DMS validation is enabledValidate if AWS DMS user has necessary privileges to the targetRecommendation on using MaxFullLoadSubTasks settingCheck Transformation Rule for Digits RandomizeCheck Transformation Rule for Digits maskCheck Transformation Rule for Hashing mask @@ -76,0 +77,6 @@ This section describes individual premigration assessments for migration tasks t + * Check Transformation Rule for Digits Randomize + + * Check Transformation Rule for Digits mask + + * Check Transformation Rule for Hashing mask + @@ -350,0 +357,18 @@ For more information, see [Full-load task settings](./CHAP_Tasks.CustomizingTask +## Check Transformation Rule for Digits Randomize + +**API key** : `sqlserver-datamasking-digits-randomize` + +This assessment validates whether columns used in table mappings are compatible with the Digits Randomize transformation rule. Additionally, the assessment checks if any columns selected for transformation are part of primary keys, unique constraints, or foreign keys, as applying digits randomize transformations does not guarantee any uniqueness. + +## Check Transformation Rule for Digits mask + +**API key** : `sqlserver-datamasking-digits-mask` + +This assessment validates whether any columns used in the table mapping are not supported by the Digits Mask transformation rule. Additionally, the assessment checks if any columns selected for transformation are part of primary keys, unique constraints, or foreign keys, as applying Digits Mask transformations to such columns could cause DMS task failures since uniqueness cannot be guaranteed. + +## Check Transformation Rule for Hashing mask + +**API key** : `sqlserver-datamasking-hash-mask` + +This assessment validates whether any of the columns used in the table mapping are not supported by the Hashing Mask transformation rule. It also checks if the length of the source column exceeds 64 characters. Ideally, the target column length should be greater than 64 characters to support hash masking. Additionally, the assessment checks if any columns selected for transformation are part of primary keys, unique constraints, or foreign keys, as applying digits randomize transformations does not guarantee any uniqueness. +