DMS Replication Should Not Be Public

More Info:

Ensure DMS replication instance in not public

Risk Level

High

Address

Observability

Compliance Standards

HITRUST,CISEKS,SOC2,NISTCSF,PCIDSS,SEBI,RBI_MD_ITF,RBI_UCB

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the DMS replication being public for AWS RDS using AWS CLI, you can follow these steps:

Identify the DMS Replication Instance: First, you need to identify the DMS replication instance that is currently public. You can use the following AWS CLI command to list all the DMS replication instances:

aws dms describe-replication-instances

Update the Security Group: Once you have identified the DMS replication instance, you need to update the security group associated with it to restrict access. Get the security group ID from the DMS replication instance details and then run the following AWS CLI command to update the security group:

aws ec2 revoke-security-group-ingress --group-id YOUR_SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0

Replace YOUR_SECURITY_GROUP_ID with the actual security group ID associated with the DMS replication instance.

Verify the Changes: Finally, verify that the security group rules have been updated successfully by running the following AWS CLI command:

aws ec2 describe-security-groups --group-ids YOUR_SECURITY_GROUP_ID

Ensure that the inbound rules for port 443 (DMS replication port) do not allow access from 0.0.0.0/0.By following these steps, you can remediate the DMS replication being public for AWS RDS using AWS CLI.

Using Python

To remediate the misconfiguration of having DMS replication public for AWS RDS using Python, you can follow these steps:

Identify the Publicly Accessible DMS Replication Instance:
- Use the AWS SDK for Python (Boto3) to list all the DMS replication instances.
- Check if any of the replication instances have a publicly accessible endpoint.
Update the DMS Replication Instance to Not be Public:
- For each publicly accessible DMS replication instance, use the modify_replication_instance method in Boto3 to update the instance’s PubliclyAccessible parameter to False.

Python Script to Remediate:

import boto3

def remediate_public_dms_replication():
    client = boto3.client('dms')

    # List all DMS replication instances
    response = client.describe_replication_instances()

    for instance in response['ReplicationInstances']:
        if instance['PubliclyAccessible']:
            # Update the replication instance to not be publicly accessible
            client.modify_replication_instance(
                ReplicationInstanceArn=instance['ReplicationInstanceArn'],
                PubliclyAccessible=False
            )
            print(f"Updated DMS replication instance {instance['ReplicationInstanceArn']} to not be public.")

if __name__ == '__main__':
    remediate_public_dms_replication()

Run the Python Script:
- Save the above Python script to a file, for example, remediate_public_dms.py.
- Run the script using Python, ensuring that you have the necessary IAM permissions to modify DMS replication instances.
Verify the Remediation:
- After running the script, verify that the DMS replication instances are no longer publicly accessible by checking the PubliclyAccessible parameter for each instance.

By following these steps and running the provided Python script, you can successfully remediate the misconfiguration of having DMS replication public for AWS RDS.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

DMS Replication Should Not Be Public

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation