AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Database Migration Service Endpoints Should Have SSL Configuration
More Info:
This rule checks whether AWS Database Migration Service (DMS) endpoints are configured with an SSL connection. Using SSL encryption enhances the security of data transferred through DMS endpoints. The rule is marked as non-compliant if AWS DMS does not have an SSL connection configured.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of Database Migration Service Endpoints not having SSL configuration for AWS RDS using the AWS console, follow these step-by-step instructions:
-
Login to AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com/.
-
Navigate to RDS Service: Click on the “Services” dropdown menu at the top left corner, then select “RDS” under the Database category.
-
Select the RDS Instance: From the list of RDS instances, select the instance for which you want to enable SSL configuration.
-
Modify the RDS Instance: Click on the instance name to open its details page. Then, click on the “Modify” button at the top.
-
Enable SSL: Scroll down to the “Network & Security” section, and locate the “Additional configuration” option. Here, you will find the “Enable IAM DB authentication” option. Enable this option by selecting the checkbox.
-
Apply Changes: Scroll down to the bottom of the page and click on the “Continue” button.
-
Review Changes: Review the changes you are about to make, and then click on the “Modify DB Instance” button to apply the changes.
-
Verify SSL Configuration: Once the modification is complete, verify that the SSL configuration is enabled for the Database Migration Service Endpoints by connecting to the RDS instance using SSL.
By following these steps, you will successfully remediate the misconfiguration of Database Migration Service Endpoints not having SSL configuration for AWS RDS using the AWS console.
To remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using the AWS CLI, follow these steps:
-
Enable SSL for the RDS instance:
- Run the following AWS CLI command to modify the RDS instance to enable SSL:
aws rds modify-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --apply-immediately --no-apply-immediately - Replace
YOUR_DB_INSTANCE_IDENTIFIERwith the identifier of your RDS instance.
- Run the following AWS CLI command to modify the RDS instance to enable SSL:
-
Verify SSL configuration:
- Confirm that SSL is enabled for the RDS instance by describing the instance using the following command:
aws rds describe-db-instances --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, DBInstanceStatus:DBInstanceStatus, Endpoint:Endpoint}' - Ensure that the
Endpointsection includes theSSL: trueattribute.
- Confirm that SSL is enabled for the RDS instance by describing the instance using the following command:
-
Restart the RDS instance:
- If the SSL configuration does not take effect immediately, you may need to restart the RDS instance. Run the following command:
aws rds reboot-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER - This will trigger a reboot of the RDS instance to apply the SSL configuration changes.
- If the SSL configuration does not take effect immediately, you may need to restart the RDS instance. Run the following command:
-
Verify SSL connection:
- Test the SSL connection to the RDS instance using a database client that supports SSL connections. Ensure that the connection is successful and encrypted.
By following these steps, you can remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using the AWS CLI.
To remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) if you haven’t already:
pip install boto3
- Use the following Python script to enable SSL for your AWS RDS instance:
import boto3
# Define the AWS region and RDS instance identifier
region = 'your_aws_region'
db_instance_identifier = 'your_rds_instance_identifier'
# Create an RDS client
rds_client = boto3.client('rds', region_name=region)
# Modify the RDS instance to enable SSL
response = rds_client.modify_db_instance(
DBInstanceIdentifier=db_instance_identifier,
ApplyImmediately=True,
DBInstanceIdentifier=db_instance_identifier,
Engine='mysql', # Change the engine if necessary
OptionGroupName='default:mysql-5-7', # Change the option group if necessary
EnableIAMDatabaseAuthentication=False,
PubliclyAccessible=False,
ApplyImmediately=True,
CloudwatchLogsExportConfiguration={},
EnablePerformanceInsights=False,
MonitoringInterval=0,
PerformanceInsightsKMSKeyId='',
PerformanceInsightsRetentionPeriod=7,
EnableEnhancedMonitoring=False,
MonitoringRoleArn='',
PromotionTier=0,
OptionGroupName='default:mysql-5-7',
DBParameterGroupName='default:mysql-5-7',
VpcSecurityGroupIds=[
'your_security_group_id',
],
ApplyImmediately=True,
EngineVersion='5.7.30',
MasterUserPassword='your_master_password',
PreferredBackupWindow='02:00-03:00',
BackupRetentionPeriod=7,
PreferredMaintenanceWindow='sun:04:00-sun:05:00',
CopyTagsToSnapshot=False,
LicenseModel='general-public-license',
StorageType='gp2',
StorageEncrypted=True,
MultiAZ=False,
AutoMinorVersionUpgrade=True,
PubliclyAccessible=False,
DBInstanceClass='db.t2.micro',
AllocatedStorage=20,
DBInstanceIdentifier=db_instance_identifier
)
print("SSL configuration enabled for RDS instance: ", response)
-
Replace the placeholders (‘your_aws_region’, ‘your_rds_instance_identifier’, ‘your_security_group_id’, ‘your_master_password’) with your actual AWS region, RDS instance identifier, security group ID, and master password.
-
Run the Python script to enable SSL configuration for your AWS RDS instance.
After following these steps, the SSL configuration for the Database Migration Service endpoints should be enabled for your AWS RDS instance.