- DMS Replication Instances Encrypted with KMS CMKs
Ensure that the data managed by your AWS Database Migration Service (DMS) replication instances is encrypted with KMS Customer Master Keys (CMKs) instead of AWS-managed keys (the default keys used by the DMS service when no customer-managed key is defined), in order to have more granular control over the AWS DMS data-at-rest encryption and decryption process.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon DMS encrypts the storage used by your replication instances and the endpoint connection information associated with these instances. When you use your own AWS KMS Customer Master Keys (CMKs) to protect your DMS data from unauthorized users, you have full control over who can use the encryption keys to access your data. AWS KMS service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Amazon DMS replication instances.
Audit
To determine the encryption status and configuration for your AWS DMS replication instances, perform the following actions:
Using AWS Console
01 Sign in to AWS Management Console.
02 Navigate to Database Migration Service dashboard at https://console.aws.amazon.com/dms/.
03 In the left navigation panel, choose Replication instances.
04 Select the AWS DMS replication instance that you want to examine and open the panel with the selected resource configuration details.
05 Select the Overview tab from the dashboard bottom panel and note the Amazon Resource Name (ARN) of the encryption key used by the instance, listed as value for the KMS master key configuration attribute.
06 Now navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
07 In the left navigation panel, click Encryption Keys.
08 Select the appropriate AWS region from the Filter menu (must match the region where your replication instance is running).
09 Choose the KMS key with the alias set to aws/dms, then click on its name link to access the key details.
10 On the selected KMS key configuration page, under Summary, check the key ARN listed as value for the ARN attribute. If the aws/dms key Amazon Resource Name and the ARN identified at step no. 5 match, the selected Amazon Database Migration Service replication instance is encrypted using the default master key (AWS-managed key) instead of a customer-managed CMK.
11 Repeat steps no. 4 – 10 to determine the encryption status and configuration for other AWS DMS replication instances available in the current region.
12 Change the AWS region from the console navigation bar and repeat the audit process for other regions.
Using AWS CLI
01 Run describe-replication-instances command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all DMS replication instances available in the selected AWS region:
aws dms describe-replication-instances --region us-east-1 --query "ReplicationInstances[*].ReplicationInstanceArn"
02 The command output should return the requested Amazon Resource Names:
[
    "arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC",
    "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCDABCDABCDABCDABCDAB"
]
03 Run describe-replication-instances command (OSX/Linux/UNIX) using the ARN of the DMS replication instance that you want to examine as identifier and custom query filters to return the ARN of the AWS KMS key used to encrypt the data managed by the selected instance:
aws dms describe-replication-instances --region us-east-1 --filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC --query "ReplicationInstances[*].KmsKeyId"
04 The command output should return the requested key Amazon Resource Name (ARN):
[
    "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd"
]
05 Run describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier and custom query filters to expose the name of the manager (either "AWS" or "CUSTOMER") for the encryption key used:
aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd --query 'KeyMetadata.KeyManager'
06 The command output should return the selected key manager name:
"AWS"
If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected Amazon Database Migration Service replication instance is encrypted with the default key (i.e. AWS-managed key) instead of a KMS Customer Master Key (CMK).
07 Repeat steps no. 3 – 6 to determine the encryption status and configuration for other AWS DMS replication instances available in the current region.
08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.
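The CLI audit above, steps 1 to 6, as an added example that is not part of this page or of any AWS tooling: the decision logic (KeyManager == "AWS" means the default aws/dms key) is a pure function fed with the shape of the two command outputs, so it runs offline on the constructed sample below, and audit_region wires it to boto3 for a live run. boto3 availability, credentials and the describe_replication_instances paginator are assumptions for the live part only.

```python
import sys

# Constructed sample shaped like the two command outputs above: one instance
# on the aws/dms default key, one on a customer-managed CMK.
SAMPLE_INSTANCES = [
    {"ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd"},
    {"ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCDABCDABCDABCDABCDAB",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
]
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd":
        {"KeyManager": "AWS", "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd"},
    "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555":
        {"KeyManager": "CUSTOMER", "Arn": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
}


def find_default_key_instances(instances, describe_key):
    """Return (instance ARN, key ARN) for every replication instance whose
    key has KeyManager == "AWS", i.e. the default aws/dms key rather than a
    customer-managed CMK. describe_key maps a key id/ARN to the KeyMetadata
    dict of describe-key and is injected so it can be stubbed offline."""
    findings, cache = [], {}
    for inst in instances:
        key_id = inst["KmsKeyId"]
        if key_id not in cache:  # one describe-key call per distinct key
            cache[key_id] = describe_key(key_id)
        if cache[key_id]["KeyManager"] == "AWS":
            findings.append((inst["ReplicationInstanceArn"], cache[key_id]["Arn"]))
    return findings


def audit_region(region):
    """Live check for one region (assumes boto3 and credentials; not run here)."""
    import boto3  # imported lazily so the logic above works without it
    dms = boto3.client("dms", region_name=region)
    kms = boto3.client("kms", region_name=region)
    instances = []
    for page in dms.get_paginator("describe_replication_instances").paginate():
        instances.extend(page["ReplicationInstances"])
    return find_default_key_instances(
        instances, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"])


if __name__ == "__main__":
    for region in sys.argv[1:] or ["us-east-1"]:
        for inst_arn, key_arn in audit_region(region):
            print(f"{inst_arn} uses AWS-managed key {key_arn}")
```

Pass every region you operate in on the command line to cover step 8 in one run.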
Remediation / Resolution
To encrypt an existing Amazon DMS replication instance with your own AWS KMS Customer Master Key (CMK) you have to re-create the instance with the right encryption configuration. To launch a new DMS replication instance and assign a KMS CMK to the newly created resource, perform the following actions:
Using AWS Console
01 Sign in to AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel click Encryption Keys.
04 Select the appropriate AWS region from the Filter menu (must match the region where your replication instance is currently running).
05 Click Create Key button from the dashboard top menu.
06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.
07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.
08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the AWS DMS data with the AWS KMS API.
09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the data managed by your Amazon DMS replication instance. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.
10 Click Next Step to continue.
11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: <cmk-alias>".
12 Once the KMS CMK has been created, navigate to DMS dashboard at https://console.aws.amazon.com/dms/.
13 In the left navigation panel, choose Replication instances.
14 Select the AWS DMS replication instance that you want to recreate (see Audit section part I to identify the right DMS resource).
15 Select the Overview tab from the dashboard bottom panel and copy the configuration details necessary for replication instance relaunch, details such as Instance class, Engine version, VPC Security Group(s), Allocated storage (GB) and so on.
16 Click Create replication instance button from the dashboard top menu to start the launch process.
17 On the Create replication instance page, perform the following:
- In the Name box, provide a unique name for your new DMS replication instance.
- Click the Advanced tab to show the instance advanced settings and from KMS master key select the ARN of the AWS KMS Customer Master Key created earlier in the remediation/resolution process.
- Configure the rest of the settings available on the page using the configuration details copied at step no. 15.
- Click Create replication instance to launch your new AWS DMS replication instance.
18 Select the source DMS replication instance (i.e. the instance encrypted with AWS managed key), then click the Delete button from the dashboard top menu.
19 Within Delete replication instance dialog box, review the instance details then click Delete to terminate the selected DMS resource.
20 Repeat step no. 14 – 19 to enable data-at-rest encryption using KMS Customer Master Keys for other Amazon DMS replication instances available in the current region.
21 Change the AWS region from the navigation bar and repeat the entire process for other regions.
Using AWS CLI
01 Before creating your KMS CMK key, you must define a policy that enables your selected IAM users and/or roles to administer the new KMS Customer Master Key and to encrypt/decrypt the data managed by the DMS replication instances using the AWS KMS API. Create a new policy document called dms-kms-cmk-policy.json and paste the following content (replace the example ARNs for the IAM users and/or roles with your own details):
{
    "Version": "2012-10-17",
    "Id": "dms-custom-key-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Grant access to CMK manager",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:role/AmazonDMSManager" },
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow the use of the CMK",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:user/DMSAdmin" },
            "Action": [
                "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:user/DMSAdmin" },
            "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
            "Resource": "*",
            "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
        }
    ]
}
02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. dms-kms-cmk-policy.json) as required command parameter to create the new KMS CMK:
aws kms create-key --region us-east-1 --description 'KMS CMK for encrypting DMS replication instance data' --policy file://dms-kms-cmk-policy.json
03 The command output should return the new KMS CMK metadata. Copy the CMK ARN (the Arn parameter value), as this identifier will be required later when you have to specify the key used for the AWS DMS replication instance encryption:
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
        "Description": "KMS CMK for encrypting DMS replication instance data",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517236211.130,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
        "AWSAccountId": "123456789012"
    }
}
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not return an output):
aws kms create-alias --region us-east-1 --alias-name alias/AWSDMSCustomCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd
05 Run describe-replication-instances command (OSX/Linux/UNIX) using the ARN of the DMS replication instance that you want to relaunch as identifier, to return the configuration information available for the selected instance:
aws dms describe-replication-instances --region us-east-1 --filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC
06 The command output should return the requested configuration details. This information will be useful during the new DMS replication instance launch:
{
    "ReplicationInstances": [
        {
            "MultiAZ": false,
            "AvailabilityZone": "us-east-1a",
            "ReplicationInstancePrivateIpAddress": "172.31.13.106",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC",
            "ReplicationInstanceClass": "dms.t2.medium",
            "AutoMinorVersionUpgrade": true,
            "ReplicationInstanceStatus": "available",
            ...
            "InstanceCreateTime": 1548256277.342,
            "AllocatedStorage": 100,
            "EngineVersion": "3.1.2",
            "ReplicationInstanceIdentifier": "cc-db-replication-instance",
            "PubliclyAccessible": true,
            "PreferredMaintenanceWindow": "tue:08:46-tue:09:16",
            "PendingModifiedValues": {}
        }
    ]
}
07 Run create-replication-instance command (OSX/Linux/UNIX) to launch your new Amazon DMS replication instance using the ARN of the KMS CMK copied at step no. 3 as value for the --kms-key-id parameter, to associate the encryption key with the new instance. For any other configuration settings required to launch the replication instance, use the information returned at the previous step:
aws dms create-replication-instance --region us-east-1 --replication-instance-identifier cc-encrypted-replication-instance --allocated-storage 100 --replication-instance-class dms.t2.medium --vpc-security-group-ids sg-1234abcd1234abcda --replication-subnet-group-identifier default-vpc-abcdabcd --availability-zone us-east-1a --engine-version 3.1.2 --publicly-accessible --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd
08 The command output should return the new AWS DMS replication instance metadata:
{
    "ReplicationInstance": {
        "MultiAZ": true,
        "AvailabilityZone": "us-east-1a",
        "ReplicationInstancePrivateIpAddress": "172.31.15.205",
        "ReplicationInstanceClass": "dms.t2.medium",
        "AutoMinorVersionUpgrade": true,
        "ReplicationInstanceStatus": "available",
        ...
        "InstanceCreateTime": 1548256866.200,
        "AllocatedStorage": 100,
        "EngineVersion": "3.1.2",
        "ReplicationInstanceIdentifier": "cc-encrypted-replication-instance",
        "PubliclyAccessible": true,
        "PreferredMaintenanceWindow": "tue:08:46-tue:09:16"
    }
}
09 Run delete-replication-instance command (OSX/Linux/UNIX) to terminate the source Amazon DMS replication instance, in order to stop adding charges for the resource:
aws dms delete-replication-instance --region us-east-1 --replication-instance-arn arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC
10 The command output should return the command request metadata:
{
    "ReplicationInstances": [
        {
            "AvailabilityZone": "us-east-1a",
            "ReplicationInstancePrivateIpAddress": "172.31.13.106",
            "ReplicationInstanceClass": "dms.t2.medium",
            "AutoMinorVersionUpgrade": true,
            "ReplicationInstanceStatus": "available",
            ...
            "AllocatedStorage": 100,
            "EngineVersion": "3.1.2",
            "ReplicationInstanceIdentifier": "cc-db-replication-instance",
            "PubliclyAccessible": true,
            "PreferredMaintenanceWindow": "tue:08:46-tue:09:16",
            "PendingModifiedValues": {}
        }
    ]
}
11 Repeat steps no. 5 – 10 to enable data-at-rest encryption using KMS Customer Master Keys for other Amazon DMS replication instances available within the selected region.
12 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.
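Steps 5 to 8 of the CLI remediation, as an added example that is not part of this page or of any AWS tooling: build_relaunch_params maps one describe-replication-instances entry onto the create-replication-instance arguments, changing only the identifier and the KMS key so nothing else drifts during the re-create, and relaunch_under_cmk runs it live. The sample instance is constructed from the output shown at step 6; the VpcSecurityGroups and ReplicationSubnetGroup field shapes, boto3, credentials and the replication_instance_available waiter are assumptions.

```python
# Constructed sample modelled on the describe-replication-instances output
# at step 6; VpcSecurityGroups and ReplicationSubnetGroup are assumed shapes.
OLD_INSTANCE = {
    "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:AAAABBBBCCCCDDDDAAAABBBBCC",
    "ReplicationInstanceIdentifier": "cc-db-replication-instance",
    "ReplicationInstanceClass": "dms.t2.medium", "AllocatedStorage": 100,
    "EngineVersion": "3.1.2", "MultiAZ": False, "AvailabilityZone": "us-east-1a",
    "PubliclyAccessible": True, "AutoMinorVersionUpgrade": True,
    "PreferredMaintenanceWindow": "tue:08:46-tue:09:16",
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-1234abcd1234abcda", "Status": "active"}],
    "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "default-vpc-abcdabcd"},
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd",
}


def build_relaunch_params(old, new_identifier, cmk_arn):
    """Map one describe-replication-instances entry onto the keyword
    arguments of create-replication-instance: every setting is carried
    forward unchanged except the identifier and the KMS key."""
    params = {
        "ReplicationInstanceIdentifier": new_identifier,
        "ReplicationInstanceClass": old["ReplicationInstanceClass"],
        "AllocatedStorage": old["AllocatedStorage"],
        "EngineVersion": old["EngineVersion"],
        "MultiAZ": old["MultiAZ"],
        "AvailabilityZone": old["AvailabilityZone"],
        "PubliclyAccessible": old["PubliclyAccessible"],
        "AutoMinorVersionUpgrade": old["AutoMinorVersionUpgrade"],
        "PreferredMaintenanceWindow": old["PreferredMaintenanceWindow"],
        "VpcSecurityGroupIds": [g["VpcSecurityGroupId"] for g in old.get("VpcSecurityGroups", [])],
        "KmsKeyId": cmk_arn,  # the only security-relevant change
    }
    subnet = old.get("ReplicationSubnetGroup", {}).get("ReplicationSubnetGroupIdentifier")
    if subnet:
        params["ReplicationSubnetGroupIdentifier"] = subnet
    return params


def relaunch_under_cmk(region, old_arn, new_identifier, cmk_arn):
    """Live version (assumes boto3 and credentials; not executed here). The
    old instance is deleted separately, as in step 9, once no task uses it."""
    import boto3  # imported lazily so build_relaunch_params runs without it
    dms = boto3.client("dms", region_name=region)
    arn_filter = [{"Name": "replication-instance-arn", "Values": [old_arn]}]
    old = dms.describe_replication_instances(Filters=arn_filter)["ReplicationInstances"][0]
    new = dms.create_replication_instance(**build_relaunch_params(old, new_identifier, cmk_arn))
    new_arn = new["ReplicationInstance"]["ReplicationInstanceArn"]
    dms.get_waiter("replication_instance_available").wait(
        Filters=[{"Name": "replication-instance-arn", "Values": [new_arn]}])
    return new_arn
```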
References
- AWS Documentation
- AWS Database Migration Service FAQs
- How AWS Database Migration Service Works
- Working with an AWS DMS Replication Instance
- https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.EncryptionKey.html
- AWS Command Line Interface (CLI) Documentation
- dms
- describe-replication-instances
- create-replication-instance
- delete-replication-instance
- kms
- describe-key
- create-key
- create-alias