AWS Database Migration Service
      Back to home
      1. Knowledge Base
      2. AWS Knowledge Base
      3. AWS Database Migration Service

      DMS Encryption Using Non Existent KMS Key

      This plugin ensures DMS encryption is using a valid Customer-managed KMS key

      Risk Level: Medium

      Description: 

      This plugin ensures DMS encryption is using a valid Customer-managed KMS key. The data transfer process in AWS Data Migration Service must be encrypted in order to secure the data flow. If the KMS key is invalid, no encryption will be enabled.

      About the Service :

      AWS Database Migration Service (AWS DMS) enables you to rapidly and securely move databases to AWS. During the migration, the source database remains fully operational, reducing downtime to applications based on the database. The AWS Database Migration Service can move your data from and to the commercial and open source most often used databases.

      Impact : 

      It is highly recommended to properly encrypt AWS DMS migration process with customer-managed KMS keys. In case, the keys are invalid or deleted, the encryption will not be enabled and the data will be visible to an attacker if compromised.

      Steps to reproduce :

      1. Log in to AWS Console.
      2. Navigate to the DMS i.e. Database Migration Service dashboard. You can use the link (https://us-east-2.console.aws.amazon.com/dms/ ) if already logged in.
      3. Select Replication Instances in the left navigation panel.
      4. Click on the instance that you want to examine by clicking on its Name.
      5. Move to the Overview Details tab.
      6. In the Advanced security and network configuration section, copy the KMS key arn.
      7. Move to the KMS management console and shift to Customer-managed keys from the left navigation pane.
      8. In the filter keys search bar, paste the Key ARN copied before. If no keys are displayed in the result, the vulnerability exists.
      9. Repeat steps for other replication instances.

       

      Steps for remediation :

      Create a new DMS replication instance for all vulnerable instances and enable encryption using KMS CMKs.

      1. Log in to AWS Console.
      2. Navigate to the DMS i.e. Database Migration Service dashboard. You can use the link (https://us-east-2.console.aws.amazon.com/dms/ ) if already logged in.
      3. Select Replication Instances in the left navigation panel.
      4. Click on Create replication instance.
      5. Specify all the required details necessary. Expand the Advanced security and network configuration section and select Enter a key ARN in the KMS key section.
      6. Enter a valid and existing CMK ARN and click on Create.
      7. Click on the instance vulnerable by clicking on the checkbox next to it.
      8. From the Action menu, click on Delete.
      9. Repeat steps for all the vulnerable replication instances.