|
Publicly Accessible DMS Replication Instances
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your Amazon Database Migration Service (DMS) are not publicly accessible from the Internet in order to avoid exposing private data and minimize security risks. A DMS replication instance should have a private IP address and the Publicly Accessible feature disabled when both the source and the target databases are in the same network that is connected to the instance's VPC through a VPN, VPC peering connection, or using an AWS Direct Connect dedicated connection.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When your AWS DMS replication instances are publicly accessible and have public IP addresses, any machine outside the VPC can establish a connection to these instances, increasing the attack surface and the opportunity for malicious activity. Of course, the level of access to your replication instances depends on their use cases, however, for most use cases the instances should be privately accessible only from within your Amazon Virtual Private Cloud (VPC).
To determine if your DMS replication instances are publicly accessible, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to Database Migration Service (DMS) dashboard at https://console.aws.amazon.com/dms/.
03 In the left navigation panel, choose Replication instances.
04 Select the DMS replication instance that you want to examine to open the panel with the resource configuration details.
05 Select the Overview tab from the dashboard bottom panel and check the Publicly accessible configuration attribute value. If the attribute value is set to Yes, the selected Amazon DMS replication instance is accessible outside the Virtual Private Cloud (VPC) and can be exposed to security risks.
06 Repeat step no. 4 and 5 for each AWS DMS replication instance provisioned in the selected AWS region.
07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.
01 Run describe-replication-instances command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all DMS replication instances available in the selected AWS region:
aws dms describe-replication-instances --region us-east-1 --query "ReplicationInstances[*].ReplicationInstanceArn"
02 The command output should return the requested Amazon Resource Names:
[ "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A", "arn:aws:dms:us-east-1:123456789012:rep:1234ABCD1234ABCD1234ABCD4D" ]
03 Execute again describe-replication-instances command (OSX/Linux/UNIX) using the ARN of the DMS replication instance that you want to examine as identifier and custom query filters to determine the access configuration status for the selected replication instance:
aws dms describe-replication-instances --region us-east-1 --filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A --query "ReplicationInstances[*].PubliclyAccessible"
04 The command output should return the requested configuration status (true for publicly accessible and false otherwise):
[
true
]
05 Repeat step no. 3 and 4 for each AWS DMS replication instance available in the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
To disable public accessibility for your Amazon DMS replication instances, you must re-create these instances with the necessary configuration in order to be reachable only within your VPC network. To relaunch and configure your AWS DMS replication instances, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to Database Migration Service (DMS) dashboard at https://console.aws.amazon.com/dms/.
03 In the left navigation panel, choose Replication instances.
04 Select the AWS DMS replication instance that you want to re-create (see Audit section part I to identify the right resource).
05 Select the Overview tab from the dashboard bottom panel and copy the replication instance configuration attributes such as Instance class, Engine version, Allocated storage (GB), Replication Subnet Group, VPC Security Group(s) and so on. This information is required later when the new replication instance is created.
06 Click the Create replication instance button from the dashboard top menu to initiate the launch process.
07 On Create replication instance page, perform the following:
08 Update your database migration plan by developing a new migration task to include the newly created AWS DMS replication instance.
09 (Optional) To stop adding charges for the old replication instance, select the old DMS instance, then click the Delete button from the dashboard top menu.
10 Within Delete replication instance dialog box, review the instance details then click Delete to terminate the selected DMS resource.
11 Repeat steps no. 4 – 10 to disable public accessibility for other Amazon DMS replication instances available in the current region.
12 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run describe-replication-instances command (OSX/Linux/UNIX) using the ARN of the AWS DMS replication instance that you want to re-create (see Audit section part II to identify the right resource) to return the configuration metadata for the selected instance:
aws dms describe-replication-instances --region us-east-1 --filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A
02 The command output should return the instance configuration metadata. This information is required later when the new AWS DMS replication instance is created:
{
"ReplicationInstances": [
{
"AvailabilityZone": "us-east-1a",
"ReplicationInstancePrivateIpAddress": "172.20.15.10",
"ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A",
"ReplicationInstancePrivateIpAddresses": [
"172.20.15.10"
],
"ReplicationInstanceClass": "dms.c4.large",
"VpcId": "vpc-abcd1234",
"SubnetGroupStatus": "Complete",
"ReplicationSubnetGroupIdentifier": "default-vpc-abcd1234"
},
...
"AutoMinorVersionUpgrade": true,
"ReplicationInstanceStatus": "available",
"VpcSecurityGroups": [
{
"Status": "active",
"VpcSecurityGroupId": "sg-01234abcd1234abcd"
}
],
"InstanceCreateTime": 1550737188.133,
"AllocatedStorage": 150,
"EngineVersion": "3.1.2",
"ReplicationInstanceIdentifier": "cc-mysql-replication-server",
"PubliclyAccessible": true,
"PreferredMaintenanceWindow": "thu:18:15-thu:18:45"
}
]
}
03 Run create-replication-instance command (OSX/Linux/UNIX) to create your new Amazon DMS replication instance using the configuration attributes returned at the previous step. Use --no-publicly-accessible command parameter to disable public accessibility for the new instance. During launch process, AWS DMS will skip attaching a public IP address to the instance in order to restrict public access, outside the instance’s VPC:
aws dms create-replication-instance --region us-east-1 --replication-instance-identifier cc-private-replication-instance --replication-instance-class dms.c4.large --allocated-storage 150 --engine-version 3.1.2 --availability-zone us-east-1a --replication-subnet-group-identifier default-vpc-abcd1234 --vpc-security-group-ids sg-01234abcd1234abcd --no-publicly-accessible
04 The command output should return the metadata for the new AWS DMS replication instance:
{
"ReplicationInstances": [
{
"AvailabilityZone": "us-east-1a",
"ReplicationInstancePrivateIpAddress": "172.30.5.138",
"ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A",
"ReplicationInstancePrivateIpAddresses": [
"172.30.5.138"
],
"ReplicationInstanceClass": "dms.c4.large",
"VpcId": "vpc-abcd1234",
"SubnetGroupStatus": "Complete",
"ReplicationSubnetGroupIdentifier": "default-vpc-abcd1234"
},
...
"AutoMinorVersionUpgrade": true,
"ReplicationInstanceStatus": "available",
"VpcSecurityGroups": [
{
"Status": "active",
"VpcSecurityGroupId": "sg-01234abcd1234abcd"
}
],
"AllocatedStorage": 150,
"EngineVersion": "3.1.2",
"ReplicationInstanceIdentifier": "cc-private-replication-instance",
"ReplicationInstanceStatus": "creating",
"PreferredMaintenanceWindow": "thu:18:15-thu:18:45"
}
]
}
05 Update your database migration plan by creating a new migration task to include the newly launched AWS DMS replication instance.
06 (Optional) To stop adding charges for the old replication instance, run delete-replication-instance command (OSX/Linux/UNIX) to terminate the old AWS DMS instance:
aws dms delete-replication-instance --region us-east-1 --replication-instance-arn arn:aws:dms:us-east-1:123456789012:rep:ABCDABCD12341234ABCDABCD1A
07 The command output should return the command request metadata:
{
"ReplicationInstances": [
{
"AvailabilityZone": "us-east-1a",
"ReplicationInstancePrivateIpAddress": "172.20.15.10",
"ReplicationInstanceClass": "dms.c4.large",
"AutoMinorVersionUpgrade": true,
"ReplicationInstanceStatus": "available",
...
"AllocatedStorage": 150,
"EngineVersion": "3.1.2",
"ReplicationInstanceIdentifier": "cc-mysql-replication-server",
"PubliclyAccessible": true,
"PreferredMaintenanceWindow": "thu:18:15-thu:18:45",
}
]
}
08 Repeat step no. 1 – 7 to disable public accessibility for other Amazon DMS replication instances available in the current region.
09 Change the AWS region by updating the --region command parameter value and repeat the remediation process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat