AWS Database Migration Service

DMS Public Replication Instance

This plugin checks that no AWS DMS replication instance is reachable from the Internet, so that the data being migrated and the databases behind it are not exposed unnecessarily.

Risk Level: High

Description: 

This plugin identifies AWS Database Migration Service (DMS) replication instances whose Publicly accessible attribute is enabled, meaning they carry a public IP address and can be reached from outside the VPC. A replication instance should use only a private IP address, with Publicly accessible disabled, whenever the source and target databases sit inside the same VPC or are reachable from it over a VPN, VPC peering, or AWS Direct Connect connection. Note that this attribute is chosen at creation time and cannot be changed on an existing replication instance.

PingSafe strongly recommends disabling public access to all DMS replication instances.

About the Service :

AWS Database Migration Service (AWS DMS) enables you to migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, which minimizes downtime for the applications that depend on it. AWS DMS can migrate data to and from most widely used commercial and open source databases.

Impact : 

If your AWS DMS replication instances are publicly accessible and have public IP addresses, any host on the Internet can attempt to connect to them (subject only to their security group rules), which increases the attack surface and the chance of malicious activity. The level of access a replication instance needs depends on its use case, but in most scenarios it should be reachable only privately, from within your Amazon Virtual Private Cloud (VPC).

Steps to reproduce :

  1. Log in to AWS Console.
  2. Navigate to the Database Migration Service (DMS) dashboard (https://us-east-2.console.aws.amazon.com/dms/).
  3. Select Replication Instances in the left navigation panel.
  4. Click on the instance that you want to examine.
  5. Check the value of the Publicly accessible attribute in the Overview tab. If it is set to Yes, the selected DMS replication instance has a public IP address and is reachable from outside the Virtual Private Cloud (VPC), so it is exposed to the risks described above.
  6. Repeat these steps for every other replication instance in the region.
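The same check can be run programmatically. The following Python is an added example (not PingSafe's plugin code): it evaluates the JSON shape returned by `aws dms describe-replication-instances`, so the check itself runs offline against a constructed sample; fetch_replication_instances() makes the live call and needs boto3 plus the dms:DescribeReplicationInstances permission. All identifiers, IP addresses and security group IDs in the sample are made up.

```python
"""Audit AWS DMS replication instances for the Publicly accessible attribute.

Added example, not PingSafe's plugin code. find_public_replication_instances()
works on the DescribeReplicationInstances response shape and runs offline;
fetch_replication_instances() performs the live call with boto3.
"""
from typing import Any, Dict, List

# Constructed sample in the shape of DescribeReplicationInstances. The
# identifiers, IPs and security-group IDs are made up for this example.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "dms-prod-migration",
            "ReplicationInstanceClass": "dms.r5.large",
            "PubliclyAccessible": True,
            "ReplicationInstancePublicIpAddresses": ["203.0.113.10"],
            "ReplicationInstancePrivateIpAddresses": ["10.0.1.25"],
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-public-subnets", "VpcId": "vpc-0abc"},
        },
        {
            "ReplicationInstanceIdentifier": "dms-internal-sync",
            "ReplicationInstanceClass": "dms.t3.medium",
            "PubliclyAccessible": False,
            "ReplicationInstancePublicIpAddresses": [],
            "ReplicationInstancePrivateIpAddresses": ["10.0.2.40"],
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}],
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private-subnets", "VpcId": "vpc-0abc"},
        },
    ]
}


def find_public_replication_instances(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per instance whose PubliclyAccessible flag is set.

    The flag, not the presence of a public IP, is the signal: it is fixed at
    creation time, so a locked-down security group does not clear it.
    """
    findings: List[Dict[str, Any]] = []
    for inst in response.get("ReplicationInstances", []):
        if not inst.get("PubliclyAccessible", False):
            continue
        findings.append({
            "identifier": inst["ReplicationInstanceIdentifier"],
            "public_ips": list(inst.get("ReplicationInstancePublicIpAddresses", [])),
            "security_groups": [sg["VpcSecurityGroupId"] for sg in inst.get("VpcSecurityGroups", [])],
            "subnet_group": inst.get("ReplicationSubnetGroup", {}).get("ReplicationSubnetGroupIdentifier"),
            "risk": "High",
        })
    return findings


def fetch_replication_instances(region_name: str) -> Dict[str, Any]:
    """Live equivalent of SAMPLE_RESPONSE: page through DescribeReplicationInstances."""
    import boto3  # imported here so the offline check runs without the SDK installed

    client = boto3.client("dms", region_name=region_name)
    instances: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.describe_replication_instances(**kwargs)
        instances.extend(page.get("ReplicationInstances", []))
        marker = page.get("Marker")  # absent on the last page
        if not marker:
            return {"ReplicationInstances": instances}
        kwargs = {"Marker": marker}


if __name__ == "__main__":
    for finding in find_public_replication_instances(SAMPLE_RESPONSE):
        print(f"[{finding['risk']}] {finding['identifier']} is publicly accessible on "
              f"{', '.join(finding['public_ips']) or 'no public IP yet'} "
              f"(subnet group {finding['subnet_group']}, SGs {', '.join(finding['security_groups'])})")
```

Run it per region and feed `fetch_replication_instances("us-east-2")` to the check instead of the sample; the script flags `dms-prod-migration` and ignores `dms-internal-sync`. Because the attribute cannot be modified in place, each finding has to be resolved by the replacement procedure in the remediation steps rather than by editing the instance.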


Steps for remediation :

Because the Publicly accessible attribute cannot be changed on an existing replication instance, remediation means creating a private replacement with the same configuration, moving the migration work to it, and then deleting the public instance.

  1. Log in to AWS Console.
  2. Navigate to the Database Migration Service (DMS) dashboard (https://us-east-2.console.aws.amazon.com/dms/).
  3. Select Replication Instances in the left navigation panel.
  4. Click on the publicly accessible instance that you want to replace.
  5. From the Overview tab, note the replication instance configuration attributes such as Instance class, Engine version, Allocated storage (GB), Replication subnet group, VPC security group(s) and so on.
  6. Click Create replication instance to start the launch process.
  7. Enter a unique name for the new replication instance in the Name box, fill in the attributes noted in step 5, uncheck the Publicly accessible checkbox to disable public access, and then click Create replication instance to launch the new DMS instance.
  8. Update your database migration plan by creating a new migration task that uses the newly created replication instance, and confirm it runs correctly.
  9. Once no task depends on the old instance, select it, choose Delete, review the instance details in the Delete replication instance dialog box and confirm to terminate the public DMS resource.
  10. Repeat these steps for every other publicly accessible DMS replication instance in the current region.
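The remediation can be scripted the same way. The following Python is an added example (not PingSafe's or AWS's code): build_private_replacement() maps a DescribeReplicationInstances entry to the CreateReplicationInstance parameters that steps 5 to 7 carry over by hand, forcing PubliclyAccessible to False; create_private_twin() and delete_when_idle() wire it to boto3 and assume the dms:DescribeReplicationInstances, dms:CreateReplicationInstance, dms:DescribeReplicationTasks and dms:DeleteReplicationInstance permissions. The sample instance, identifiers and KMS key ARN are made up.

```python
"""Replace a publicly accessible DMS replication instance with a private twin.

Added example, not PingSafe's or AWS's code. PubliclyAccessible is fixed at
creation, so the fix is create-a-private-copy, re-point tasks, delete the old one.
"""
from typing import Any, Dict

# Constructed sample of one DescribeReplicationInstances entry; all values are made up.
OLD_INSTANCE: Dict[str, Any] = {
    "ReplicationInstanceIdentifier": "dms-prod-migration",
    "ReplicationInstanceArn": "arn:aws:dms:us-east-2:123456789012:rep:EXAMPLEPUBLIC",
    "ReplicationInstanceClass": "dms.r5.large",
    "AllocatedStorage": 100,
    "EngineVersion": "3.5.2",
    "MultiAZ": False,
    "AutoMinorVersionUpgrade": True,
    "AvailabilityZone": "us-east-2a",
    "PreferredMaintenanceWindow": "sun:04:00-sun:04:30",
    "KmsKeyId": "arn:aws:kms:us-east-2:123456789012:key/11111111-2222-3333-4444-555555555555",
    "PubliclyAccessible": True,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
    "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private-subnets"},
}


def build_private_replacement(old: Dict[str, Any], new_identifier: str) -> Dict[str, Any]:
    """Copy the attributes the console steps tell you to note down into
    CreateReplicationInstance parameters, with PubliclyAccessible disabled."""
    params: Dict[str, Any] = {
        "ReplicationInstanceIdentifier": new_identifier,
        "ReplicationInstanceClass": old["ReplicationInstanceClass"],
        "AllocatedStorage": old["AllocatedStorage"],
        "EngineVersion": old["EngineVersion"],
        "MultiAZ": old.get("MultiAZ", False),
        "AutoMinorVersionUpgrade": old.get("AutoMinorVersionUpgrade", True),
        "ReplicationSubnetGroupIdentifier": old["ReplicationSubnetGroup"]["ReplicationSubnetGroupIdentifier"],
        "VpcSecurityGroupIds": [sg["VpcSecurityGroupId"] for sg in old.get("VpcSecurityGroups", [])],
        "PubliclyAccessible": False,  # the whole point of the replacement
    }
    # Optional attributes are passed through only when set; the API rejects empty strings.
    for key in ("PreferredMaintenanceWindow", "KmsKeyId"):
        if old.get(key):
            params[key] = old[key]
    # AvailabilityZone may not be combined with MultiAZ=True, so copy it only for single-AZ instances.
    if not params["MultiAZ"] and old.get("AvailabilityZone"):
        params["AvailabilityZone"] = old["AvailabilityZone"]
    return params


def create_private_twin(region_name: str, old_identifier: str, new_identifier: str) -> str:
    """Look up the public instance, create its private twin, wait until it is available
    and return the new ARN. Re-pointing migration tasks (step 8) is left to the operator."""
    import boto3  # imported here so build_private_replacement() stays usable offline

    dms = boto3.client("dms", region_name=region_name)
    old = dms.describe_replication_instances(
        Filters=[{"Name": "replication-instance-id", "Values": [old_identifier]}]
    )["ReplicationInstances"][0]
    new = dms.create_replication_instance(**build_private_replacement(old, new_identifier))
    dms.get_waiter("replication_instance_available").wait(
        Filters=[{"Name": "replication-instance-id", "Values": [new_identifier]}]
    )
    return new["ReplicationInstance"]["ReplicationInstanceArn"]


def delete_when_idle(region_name: str, old_arn: str) -> bool:
    """Step 9 with a guard: refuse to delete the public instance while any task still targets it."""
    import boto3

    dms = boto3.client("dms", region_name=region_name)
    tasks = dms.describe_replication_tasks(
        Filters=[{"Name": "replication-instance-arn", "Values": [old_arn]}]
    ).get("ReplicationTasks", [])
    if tasks:
        return False
    dms.delete_replication_instance(ReplicationInstanceArn=old_arn)
    return True


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(build_private_replacement(OLD_INSTANCE, "dms-prod-migration-private"))
```

The replacement inherits the old subnet group; if that group contains public subnets, the new instance still has no public IP, but consider a subnet group made only of private subnets so the exposure cannot be reintroduced by a later instance created with the box checked. delete_when_idle() returning False means a task still references the public instance and step 8 is not finished.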

