
Publicly Accessible DMS Replication Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DMS-001

Ensure that your Amazon Database Migration Service (DMS) replication instances are not publicly accessible from the Internet, in order to avoid exposing private data and to minimize security risks. A DMS replication instance should have only a private IP address, with the Publicly Accessible feature disabled, whenever both the source and the target databases are reachable from the instance's VPC: either inside that VPC, or in a network connected to it through a VPN, a VPC peering connection, or an AWS Direct Connect dedicated connection.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an AWS DMS replication instance is publicly accessible, DMS assigns it a public IP address. Any host on the Internet that the instance's VPC security group rules allow can then reach the instance, and the instance itself uses that public IP to connect to source and target databases outside the VPC, so migration traffic for those endpoints leaves the VPC over the Internet. Both effects widen the attack surface and the opportunity for malicious activity. The level of access your replication instances need depends on their use case, but for most use cases the instances should be reachable only from within your Amazon Virtual Private Cloud (VPC), with any databases outside the VPC reached through a VPN, VPC peering connection, or AWS Direct Connect rather than over the public Internet.


Audit

To determine if your DMS replication instances are publicly accessible, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Database Migration Service (DMS) dashboard at https://console.aws.amazon.com/dms/v2.

03 In the left navigation panel, choose Replication instances.

04 Select the DMS replication instance that you want to examine to open the panel with the resource configuration details.

05 Select the Overview tab from the dashboard bottom panel and check the Publicly accessible configuration attribute value. If the attribute value is set to Yes, the selected Amazon DMS replication instance is accessible outside the Virtual Private Cloud (VPC) and can be exposed to security risks.

06 Repeat steps no. 4 and 5 for each AWS DMS replication instance provisioned in the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-replication-instances command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all DMS replication instances available in the selected AWS region:

aws dms describe-replication-instances \
	--region us-east-1 \
	--query "ReplicationInstances[*].ReplicationInstanceArn"

02 The command output should return the requested Amazon Resource Names:

[
  	"arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A",
  	"arn:aws:dms:us-east-1:123456789012:rep:1234ABCD1234ABCD1234ABCD4D"
]

03 Run the describe-replication-instances command (OSX/Linux/UNIX) again, using the ARN of the DMS replication instance that you want to examine as the filter value and a custom query to return the public accessibility status of the selected replication instance:

aws dms describe-replication-instances \
	--region us-east-1 \
	--filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A \
	--query "ReplicationInstances[*].PubliclyAccessible"

04 The command output should return the requested configuration status (true for publicly accessible and false otherwise):

[
    true
]

If the command output returns true, as shown in the example above, the selected Amazon DMS replication instance has a public IP address and is reachable from the Internet (subject only to its security group rules), therefore the instance can be exposed to various security threats.

05 Repeat steps no. 3 and 4 for each AWS DMS replication instance available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
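The audit above can be scripted so that the per-instance and per-region loops (steps 03 to 06) run unattended. The following is an added example, not code from the Conformity page or from AWS: the evaluation logic is kept separate from the API calls, so it can be exercised offline against a constructed describe-replication-instances response (the field names are those of the DMS API; the identifiers and the public IP in SAMPLE_RESPONSE are made up). The live functions assume boto3 is installed and credentials are configured.

```python
"""Audit AWS DMS replication instances for public accessibility.

Added example, not part of the Conformity page or of AWS's own tooling.
The evaluation logic is kept separate from the API calls so that it can be
run offline against a constructed describe-replication-instances response.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of a describe-replication-instances
# response (field names are those of the DMS API; the values are made up).
SAMPLE_RESPONSE = {
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "cc-mysql-replication-server",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A",
            "PubliclyAccessible": True,
            "ReplicationInstancePublicIpAddress": "203.0.113.10",
            "ReplicationInstancePrivateIpAddress": "172.20.15.10",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-01234abcd1234abcd", "Status": "active"}],
        },
        {
            "ReplicationInstanceIdentifier": "cc-private-replication-instance",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:1234ABCD1234ABCD1234ABCD4D",
            "PubliclyAccessible": False,
            "ReplicationInstancePrivateIpAddress": "172.30.5.138",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-01234abcd1234abcd", "Status": "active"}],
        },
    ]
}


def find_public_instances(response: Dict) -> List[Dict]:
    """Return one finding per instance whose PubliclyAccessible flag is true.

    A finding carries the identifier, the ARN, the public IP (present once
    DMS has assigned it) and the attached security groups: the security
    group rules decide what that public IP is actually exposed to, so they
    are the next thing to review.
    """
    findings = []
    for inst in response.get("ReplicationInstances", []):
        if not inst.get("PubliclyAccessible", False):
            continue
        findings.append(
            {
                "identifier": inst.get("ReplicationInstanceIdentifier"),
                "arn": inst.get("ReplicationInstanceArn"),
                "public_ip": inst.get("ReplicationInstancePublicIpAddress"),
                "security_groups": sorted(
                    sg["VpcSecurityGroupId"] for sg in inst.get("VpcSecurityGroups", [])
                ),
            }
        )
    return findings


def audit_region(region: str) -> List[Dict]:
    """Live variant of steps 01-05: page through every instance in one region.

    boto3 is imported here, not at module level, so the offline part of this
    file runs without it (assumption: boto3 installed, credentials configured).
    """
    import boto3

    dms = boto3.client("dms", region_name=region)
    findings = []
    for page in dms.get_paginator("describe_replication_instances").paginate():
        findings.extend(find_public_instances(page))
    return findings


def audit_all_regions() -> Dict[str, List[Dict]]:
    """Step 06 without the manual loop: every region where DMS is offered.

    Regions the account has not opted into raise an error; this keeps going
    and records the error text in place of that region's findings.
    """
    import boto3

    results: Dict[str, List[Dict]] = {}
    for region in boto3.Session().get_available_regions("dms"):
        try:
            results[region] = audit_region(region)
        except Exception as exc:  # report the region and continue
            results[region] = [{"error": str(exc)}]
    return results


if __name__ == "__main__":
    # Offline run on the constructed sample; call audit_all_regions() instead
    # against a live account.
    print(json.dumps(find_public_instances(SAMPLE_RESPONSE), indent=2))
```

The findings include the attached security groups on purpose: a public IP behind a security group that only allows the source database's address is a much smaller exposure than one behind a 0.0.0.0/0 rule, and that distinction is what turns the boolean on this page into a prioritised list.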

Remediation / Resolution

The Publicly accessible setting cannot be changed on an existing replication instance (modify-replication-instance does not expose it), so to disable public accessibility you must re-create the affected instances with the necessary configuration and migrate your tasks to them. To relaunch and configure your AWS DMS replication instances, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Database Migration Service (DMS) dashboard at https://console.aws.amazon.com/dms/v2.

03 In the left navigation panel, choose Replication instances.

04 Select the AWS DMS replication instance that you want to re-create (see Audit section part I to identify the right resource).

05 Select the Overview tab from the dashboard bottom panel and copy the replication instance configuration attributes such as Instance class, Engine version, Allocated storage (GB), Replication Subnet Group, VPC Security Group(s) and so on. This information is required later when the new replication instance is created.

06 Click the Create replication instance button from the dashboard top menu to initiate the launch process.

07 On Create replication instance page, perform the following:

  1. Uncheck the Publicly accessible checkbox to disable public access to the new replication instance. With this setting disabled, Amazon DMS will not assign a public IP address to the instance at creation, so the instance can reach source/target databases only inside its VPC or in networks connected to the VPC (VPN, VPC peering, AWS Direct Connect), and not over the Internet.
  2. Provide a unique name for the new replication instance within the Name box, then configure the rest of the instance settings using the configuration information copied at step no. 5.
  3. Click Create replication instance to launch your new Amazon DMS instance.

08 Update your database migration plan: create new migration tasks that use the newly created AWS DMS replication instance (or stop the existing tasks and move them to it), and test the connections from the new instance to the source and target endpoints before cutting over.

09 (Optional) To stop adding charges for the old replication instance, select the old DMS instance, then click the Delete button from the dashboard top menu.

10 Within Delete replication instance dialog box, review the instance details then click Delete to terminate the selected DMS resource.

11 Repeat steps no. 4 – 10 to disable public accessibility for other Amazon DMS replication instances available in the current region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the describe-replication-instances command (OSX/Linux/UNIX) using the ARN of the AWS DMS replication instance that you want to re-create (see Audit section part II to identify the right resource) to return the configuration metadata for the selected instance:

aws dms describe-replication-instances \
	--region us-east-1 \
	--filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A

02 The command output should return the instance configuration metadata. This information is required later when the new AWS DMS replication instance is created:

{
    "ReplicationInstances": [
        {
            "AvailabilityZone": "us-east-1a",
            "ReplicationInstancePrivateIpAddress": "172.20.15.10",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A",
            "ReplicationInstancePrivateIpAddresses": [
                "172.20.15.10"
            ],
            "ReplicationInstanceClass": "dms.c4.large",
            "ReplicationSubnetGroup": {
                "VpcId": "vpc-abcd1234",
                "SubnetGroupStatus": "Complete",
                "ReplicationSubnetGroupIdentifier": "default-vpc-abcd1234"
            },

            ...

            "AutoMinorVersionUpgrade": true,
            "ReplicationInstanceStatus": "available",
            "VpcSecurityGroups": [
                {
                    "Status": "active",
                    "VpcSecurityGroupId": "sg-01234abcd1234abcd"
                }
            ],
            "InstanceCreateTime": 1550737188.133,
            "AllocatedStorage": 150,
            "EngineVersion": "3.1.2",
            "ReplicationInstanceIdentifier": "cc-mysql-replication-server",
            "PubliclyAccessible": true,
            "PreferredMaintenanceWindow": "thu:18:15-thu:18:45"
        }
    ]
}

03 Run the create-replication-instance command (OSX/Linux/UNIX) to create your new Amazon DMS replication instance using the configuration attributes returned at the previous step (carry over any further attributes the output reported for the old instance, such as the maintenance window, Multi-AZ setting or KMS key, as well). Use the --no-publicly-accessible command parameter to disable public accessibility for the new instance. During the launch process, AWS DMS will not attach a public IP address to the instance, so it is reachable only from inside the instance's VPC and the networks connected to it:

aws dms create-replication-instance \
	--region us-east-1 \
	--replication-instance-identifier cc-private-replication-instance \
	--replication-instance-class dms.c4.large \
	--allocated-storage 150 \
	--engine-version 3.1.2 \
	--availability-zone us-east-1a \
	--replication-subnet-group-identifier default-vpc-abcd1234 \
	--vpc-security-group-ids sg-01234abcd1234abcd \
	--no-publicly-accessible

04 The command output should return the metadata for the new AWS DMS replication instance, with PubliclyAccessible set to false and no public IP address:

{
    "ReplicationInstances": [
        {
            "AvailabilityZone": "us-east-1a",
            "ReplicationInstancePrivateIpAddress": "172.30.5.138",
            "ReplicationInstancePrivateIpAddresses": [
                "172.30.5.138"
            ],
            "ReplicationInstanceClass": "dms.c4.large",
            "ReplicationSubnetGroup": {
                "VpcId": "vpc-abcd1234",
                "SubnetGroupStatus": "Complete",
                "ReplicationSubnetGroupIdentifier": "default-vpc-abcd1234"
            },

            ...

            "AutoMinorVersionUpgrade": true,
            "VpcSecurityGroups": [
                {
                    "Status": "active",
                    "VpcSecurityGroupId": "sg-01234abcd1234abcd"
                }
            ],
            "AllocatedStorage": 150,
            "EngineVersion": "3.1.2",
            "ReplicationInstanceIdentifier": "cc-private-replication-instance",
            "ReplicationInstanceStatus": "creating",
            "PubliclyAccessible": false,
            "PreferredMaintenanceWindow": "thu:18:15-thu:18:45"
        }
    ]
}

05 Update your database migration plan: create new migration tasks that use the newly launched AWS DMS replication instance, or stop the existing tasks and move them to it with the move-replication-task command, and test the endpoint connections from the new instance before cutting over.

06 (Optional) To stop incurring charges for the old replication instance, first delete or move any migration tasks still associated with it (the delete request is rejected while tasks are attached), then run the delete-replication-instance command (OSX/Linux/UNIX) to terminate the old AWS DMS instance:

aws dms delete-replication-instance \
	--region us-east-1 \
	--replication-instance-arn arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A

07 The command output should return the metadata of the instance being deleted, with its status changed to deleting:

{
    "ReplicationInstance": {
        "AvailabilityZone": "us-east-1a",
        "ReplicationInstancePrivateIpAddress": "172.20.15.10",
        "ReplicationInstanceClass": "dms.c4.large",
        "AutoMinorVersionUpgrade": true,
        "ReplicationInstanceStatus": "deleting",

        ...

        "AllocatedStorage": 150,
        "EngineVersion": "3.1.2",
        "ReplicationInstanceIdentifier": "cc-mysql-replication-server",
        "PubliclyAccessible": true,
        "PreferredMaintenanceWindow": "thu:18:15-thu:18:45"
    }
}

08 Repeat steps no. 1 – 7 to disable public accessibility for other Amazon DMS replication instances available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat the remediation process for other regions.
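The CLI remediation above copies the old instance's attributes by hand. The following is an added example, not code from the Conformity page or from AWS, that does the same translation programmatically: it turns a describe-replication-instances record into the parameters for create-replication-instance with public access disabled, then re-reads the new instance to confirm the flag really is off. The parameter-building step is pure and is checked offline against a record constructed from the step 02 output above; only clone_as_private() talks to AWS and assumes boto3 is installed, credentials are configured, and the caller may describe and create replication instances.

```python
"""Re-create a publicly accessible DMS replication instance as a private one.

Added example, not part of the Conformity page or of AWS's tooling. The
parameter-building step is pure so it can be checked offline; only
clone_as_private() talks to AWS (assumption: boto3 installed, credentials
configured, caller permitted to describe and create replication instances).
"""
from typing import Dict, List

# Attributes that describe-replication-instances reports under the same name
# that create_replication_instance accepts; carried over verbatim when present.
CARRY_OVER: List[str] = [
    "ReplicationInstanceClass",
    "AllocatedStorage",
    "EngineVersion",
    "AvailabilityZone",
    "PreferredMaintenanceWindow",
    "AutoMinorVersionUpgrade",
    "MultiAZ",
    "KmsKeyId",
]

# Constructed sample modelled on the describe output in step 02 above.
OLD_INSTANCE = {
    "ReplicationInstanceIdentifier": "cc-mysql-replication-server",
    "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A",
    "ReplicationInstanceClass": "dms.c4.large",
    "AllocatedStorage": 150,
    "EngineVersion": "3.1.2",
    "AvailabilityZone": "us-east-1a",
    "PreferredMaintenanceWindow": "thu:18:15-thu:18:45",
    "AutoMinorVersionUpgrade": True,
    "MultiAZ": False,
    "PubliclyAccessible": True,
    "ReplicationSubnetGroup": {
        "ReplicationSubnetGroupIdentifier": "default-vpc-abcd1234",
        "VpcId": "vpc-abcd1234",
        "SubnetGroupStatus": "Complete",
    },
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-01234abcd1234abcd", "Status": "active"}],
}


def build_private_clone_params(old: Dict, new_identifier: str) -> Dict:
    """Translate a describe-replication-instances record into the keyword
    arguments for create_replication_instance, with public access disabled.

    Refuses records that are already private, so the script cannot be
    pointed at the wrong instance by accident.
    """
    if not old.get("PubliclyAccessible", False):
        raise ValueError(f"{old.get('ReplicationInstanceArn')} is already private")
    params: Dict = {
        "ReplicationInstanceIdentifier": new_identifier,
        "PubliclyAccessible": False,
    }
    for key in CARRY_OVER:
        if key in old:
            params[key] = old[key]
    # The subnet group and security groups are nested structures in the
    # describe output but flat identifiers on create.
    subnet_group = old.get("ReplicationSubnetGroup", {})
    if "ReplicationSubnetGroupIdentifier" in subnet_group:
        params["ReplicationSubnetGroupIdentifier"] = subnet_group["ReplicationSubnetGroupIdentifier"]
    sg_ids = [sg["VpcSecurityGroupId"] for sg in old.get("VpcSecurityGroups", [])]
    if sg_ids:
        params["VpcSecurityGroupIds"] = sg_ids
    return params


def clone_as_private(region: str, old_arn: str, new_identifier: str) -> Dict:
    """Steps 01 to 04 end to end, then verify the new instance is private."""
    import boto3

    dms = boto3.client("dms", region_name=region)
    arn_filter = [{"Name": "replication-instance-arn", "Values": [old_arn]}]
    old = dms.describe_replication_instances(Filters=arn_filter)["ReplicationInstances"][0]
    params = build_private_clone_params(old, new_identifier)
    created = dms.create_replication_instance(**params)["ReplicationInstance"]
    new_filter = [{"Name": "replication-instance-arn", "Values": [created["ReplicationInstanceArn"]]}]
    # Wait for "available", then re-read the flag instead of trusting the
    # request: the describe output is what the audit (and Conformity) checks.
    dms.get_waiter("replication_instance_available").wait(Filters=new_filter)
    new = dms.describe_replication_instances(Filters=new_filter)["ReplicationInstances"][0]
    if new.get("PubliclyAccessible") or new.get("ReplicationInstancePublicIpAddress"):
        raise RuntimeError(f"{created['ReplicationInstanceArn']} still reports public access")
    return new


if __name__ == "__main__":
    # Offline: show the create parameters derived from the constructed record.
    for key, value in build_private_clone_params(OLD_INSTANCE, "cc-private-replication-instance").items():
        print(f"{key}: {value}")
```

Tags and the migration tasks are deliberately not handled here: tags are copied with the DMS tagging API, and tasks are either re-created on the new instance or moved to it with move_replication_task once they are stopped, as in step 05.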
