Database Migration Service Endpoints Should Have SSL Configuration

More Info:

This rule checks whether AWS Database Migration Service (DMS) endpoints are configured with an SSL connection. Using SSL encryption enhances the security of data transferred through DMS endpoints. The rule is marked as non-compliant if AWS DMS does not have an SSL connection configured.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using the AWS CLI, follow these steps:

Enable SSL for the RDS instance:
- Run the following AWS CLI command to modify the RDS instance to enable SSL:
  aws rds modify-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --apply-immediately --no-apply-immediately
- Replace YOUR_DB_INSTANCE_IDENTIFIER with the identifier of your RDS instance.

Verify SSL configuration:

Confirm that SSL is enabled for the RDS instance by describing the instance using the following command:

aws rds describe-db-instances --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, DBInstanceStatus:DBInstanceStatus, Endpoint:Endpoint}'

Ensure that the Endpoint section includes the SSL: true attribute.

Restart the RDS instance:
- If the SSL configuration does not take effect immediately, you may need to restart the RDS instance. Run the following command:
  aws rds reboot-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER
- This will trigger a reboot of the RDS instance to apply the SSL configuration changes.
Verify SSL connection:
- Test the SSL connection to the RDS instance using a database client that supports SSL connections. Ensure that the connection is successful and encrypted.

By following these steps, you can remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using the AWS CLI.

Using Python

To remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using Python, you can follow these steps:

Install the AWS SDK for Python (Boto3) if you haven’t already:

pip install boto3

Use the following Python script to enable SSL for your AWS RDS instance:

import boto3

# Define the AWS region and RDS instance identifier
region = 'your_aws_region'
db_instance_identifier = 'your_rds_instance_identifier'

# Create an RDS client
rds_client = boto3.client('rds', region_name=region)

# Modify the RDS instance to enable SSL
response = rds_client.modify_db_instance(
    DBInstanceIdentifier=db_instance_identifier,
    ApplyImmediately=True,
    DBInstanceIdentifier=db_instance_identifier,
    Engine='mysql',  # Change the engine if necessary
    OptionGroupName='default:mysql-5-7',  # Change the option group if necessary
    EnableIAMDatabaseAuthentication=False,
    PubliclyAccessible=False,
    ApplyImmediately=True,
    CloudwatchLogsExportConfiguration={},
    EnablePerformanceInsights=False,
    MonitoringInterval=0,
    PerformanceInsightsKMSKeyId='',
    PerformanceInsightsRetentionPeriod=7,
    EnableEnhancedMonitoring=False,
    MonitoringRoleArn='',
    PromotionTier=0,
    OptionGroupName='default:mysql-5-7',
    DBParameterGroupName='default:mysql-5-7',
    VpcSecurityGroupIds=[
        'your_security_group_id',
    ],
    ApplyImmediately=True,
    EngineVersion='5.7.30',
    MasterUserPassword='your_master_password',
    PreferredBackupWindow='02:00-03:00',
    BackupRetentionPeriod=7,
    PreferredMaintenanceWindow='sun:04:00-sun:05:00',
    CopyTagsToSnapshot=False,
    LicenseModel='general-public-license',
    StorageType='gp2',
    StorageEncrypted=True,
    MultiAZ=False,
    AutoMinorVersionUpgrade=True,
    PubliclyAccessible=False,
    DBInstanceClass='db.t2.micro',
    AllocatedStorage=20,
    DBInstanceIdentifier=db_instance_identifier
)

print("SSL configuration enabled for RDS instance: ", response)

Replace the placeholders (‘your_aws_region’, ‘your_rds_instance_identifier’, ‘your_security_group_id’, ‘your_master_password’) with your actual AWS region, RDS instance identifier, security group ID, and master password.
Run the Python script to enable SSL configuration for your AWS RDS instance.

After following these steps, the SSL configuration for the Database Migration Service endpoints should be enabled for your AWS RDS instance.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Database Migration Service Endpoints Should Have SSL Configuration

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation