AWS dms medium security documentation change
Summary
Added validation for EXCLUSIVE_AUTOMATIC_TRUNCATION policy permissions
Security assessment
Explicitly verifies database user has required SELECT permissions on system objects (dbo.syscategories/dbo.sysjobs) to enforce principle of least privilege and prevent privilege escalation risks
Diff
diff --git a/dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md b/dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md index 4116ba84c..61439f9dd 100644 --- a//dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md +++ b//dms/latest/userguide/CHAP_Tasks.AssessmentReport.SqlServer.md @@ -5 +5 @@ -Validate if secondary indexes are enabled on the target database during full-loadValidate that limited LOB mode only is used when BatchApplyEnabled is set to trueValidate if target database has any triggers enabled on tables in the scope of the taskCheck if tables in task scope contain computed columnsCheck if tables in task scope have column store indexesCheck if memory optimized tables are a part of the task scopeCheck if temporal tables are a part of the task scopeCheck if delayed durability is enabled at the database levelCheck if accelerated data recovery is enabled at the database levelCheck if table mapping has more than 10K tables with primary keysCheck if the source database has tables or schema names with special characters.Check if the source database has column names with masked dataCheck if the source database has encrypted backupsCheck if the source database has backups stored at a URL or on Windows Azure.Check if the source database has backups on multiple disksCheck if the source database has at least one full backupCheck if the source database has sparse columns and columnar structure compression.Check if the source database instance has server level auditing for SQL Server 2008 or SQL Server 2008 R2Check if the source database has geometry columns for full LOB modeCheck if the source database has columns with the Identity property.Check if the DMS user has FULL LOAD permissionsCheck if the DMS user has FULL LOAD and CDC or CDC only permissionsCheck whether MS-Replication is enabled for CDC on on-premises or EC2 databases.Check if the DMS user has the VIEW DEFINITION permission.Check if the DMS user has the VIEW DATABASE STATE permission on the MASTER database for users without the Sysadmin role.Check if the DMS user has the VIEW SERVER STATE permission.Validate if text repl size parameter is not unlimitedValidate if Primary Key or Unique Index exist on target for Batch ApplyValidate if both Primary Key and Unique index exist on target when batch apply enabledValidate if table has primary key or unique index when DMS validation is enabledValidate if AWS DMS user has necessary privileges to the targetRecommendation on using MaxFullLoadSubTasks settingCheck Transformation Rule for Digits RandomizeCheck Transformation Rule for Digits maskCheck Transformation Rule for Hashing maskVerify that Data Validation task settings and Data Masking Digit randomization are not enabled simultaneouslyVerify that Data Validation task settings and Data Masking Hashing mask are not enabled simultaneouslyVerify that Data Validation task settings and Data Masking Digit mask are not enabled simultaneouslyValidate that at least one selected object exists in the source databaseValidate that secondary constraints and indexes (non-primary) are present in the source database +Validate if secondary indexes are enabled on the target database during full-loadValidate that limited LOB mode only is used when BatchApplyEnabled is set to trueValidate if target database has any triggers enabled on tables in the scope of the taskCheck if tables in task scope contain computed columnsCheck if tables in task scope have column store indexesCheck if memory optimized tables are a part of the task scopeCheck if temporal tables are a part of the task scopeCheck if delayed durability is enabled at the database levelCheck if accelerated data recovery is enabled at the database levelCheck if table mapping has more than 10K tables with primary keysCheck if the source database has tables or schema names with special characters.Check if the source database has column names with masked dataCheck if the source database has encrypted backupsCheck if the source database has backups stored at a URL or on Windows Azure.Check if the source database has backups on multiple disksCheck if the source database has at least one full backupCheck if the source database has sparse columns and columnar structure compression.Check if the source database instance has server level auditing for SQL Server 2008 or SQL Server 2008 R2Check if the source database has geometry columns for full LOB modeCheck if the source database has columns with the Identity property.Check if the DMS user has FULL LOAD permissionsCheck if the DMS user has FULL LOAD and CDC or CDC only permissionsCheck whether MS-Replication is enabled for CDC on on-premises or EC2 databases.Check if the DMS user has the VIEW DEFINITION permission.Check if the DMS user has the VIEW DATABASE STATE permission on the MASTER database for users without the Sysadmin role.Check if the DMS user has the VIEW SERVER STATE permission.Validate if text repl size parameter is not unlimitedValidate if Primary Key or Unique Index exist on target for Batch ApplyValidate if both Primary Key and Unique index exist on target when batch apply enabledValidate if table has primary key or unique index when DMS validation is enabledValidate if AWS DMS user has necessary privileges to the targetRecommendation on using MaxFullLoadSubTasks settingCheck Transformation Rule for Digits RandomizeCheck Transformation Rule for Digits maskCheck Transformation Rule for Hashing maskVerify that Data Validation task settings and Data Masking Digit randomization are not enabled simultaneouslyVerify that Data Validation task settings and Data Masking Hashing mask are not enabled simultaneouslyVerify that Data Validation task settings and Data Masking Digit mask are not enabled simultaneouslyValidate that at least one selected object exists in the source databaseValidate that secondary constraints and indexes (non-primary) are present in the source databaseValidate that target endpoint is not a read replicaValidate backup chainCheck database user permissions for applying EXCLUSIVE_AUTOMATIC_TRUNCATION safeguard policyValidate that secondary node connection and required safeguard attributes for AWS DMS source endpointValidate that endpoint has all required extra connection attributes (ECAs) when AWS DMS is connected to secondary node @@ -92,0 +93,10 @@ This section describes individual premigration assessments for migration tasks t + * Validate that target endpoint is not a read replica + + * Validate backup chain + + * Check database user permissions for applying EXCLUSIVE_AUTOMATIC_TRUNCATION safeguard policy + + * Validate that secondary node connection and required safeguard attributes for AWS DMS source endpoint + + * Validate that endpoint has all required extra connection attributes (ECAs) when AWS DMS is connected to secondary node + @@ -414,0 +425,36 @@ This premigration assessment verifies that secondary constraints and indexes (fo +## Validate that target endpoint is not a read replica + +**API key** : `all-check-target-read-replica` + +This premigration assessment verifies that the target endpoint is not configured as a read replica. AWS DMS requires write access to the target database and cannot replicate to read-only replicas. + +## Validate backup chain + +**API key** : `sqlserver-check-for-backup-broken-chain` + +This premigration assessment verifies that the source database backup chain is not broken. A broken backup chain can prevent AWS DMS from accessing transaction logs required for CDC replication. + +## Check database user permissions for applying `EXCLUSIVE_AUTOMATIC_TRUNCATION` safeguard policy + +**API key** : `sqlserver-safeguard-permissions` + +This premigration assessment verifies whether the database user has the required permissions to use the `EXCLUSIVE_AUTOMATIC_TRUNCATION` safeguard policy. The user must grant SELECT permissions on the `dbo.syscategories` and `dbo.sysjobs` system objects to the dmsuser. + +For more information, see [Endpoint settings when using SQL Server as a source for AWS DMS](./CHAP_Source.SQLServer.html#CHAP_Source.SQLServer.ConnectionAttrib). + +## Validate that secondary node connection and required safeguard attributes for AWS DMS source endpoint + +**API key** : `sqlserver-check-sec-node-sg-policy` + +This premigration assessment verifies that the source endpoint has the required extra connection attributes (ECAs) configured when connecting to a secondary node with safeguards enabled. + +For more information, see [Endpoint settings when using SQL Server as a source for AWS DMS](./CHAP_Source.SQLServer.html#CHAP_Source.SQLServer.ConnectionAttrib). + +## Validate that endpoint has all required extra connection attributes (ECAs) when AWS DMS is connected to secondary node + +**API key** : `sqlserver-check-sec-node-without-eca` + +This premigration assessment verifies that all required extra connection attributes (ECAs) are configured when the source endpoint connects to a secondary node + +For more information, see [Working with self-managed SQL Server AlwaysOn availability groups](./CHAP_Source.SQLServer.html#CHAP_Source.SQLServer.AlwaysOn). +