Skip to main content

More Info:

This rule checks whether AWS Database Migration Service (DMS) endpoints are configured with an SSL connection. Using SSL encryption enhances the security of data transferred through DMS endpoints. The rule is marked as non-compliant if AWS DMS does not have an SSL connection configured.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration of Database Migration Service Endpoints not having SSL configuration for AWS RDS using the AWS console, follow these step-by-step instructions:
  1. Login to AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to RDS Service: Click on the “Services” dropdown menu at the top left corner, then select “RDS” under the Database category.
  3. Select the RDS Instance: From the list of RDS instances, select the instance for which you want to enable SSL configuration.
  4. Modify the RDS Instance: Click on the instance name to open its details page. Then, click on the “Modify” button at the top.
  5. Enable SSL: Scroll down to the “Network & Security” section, and locate the “Additional configuration” option. Here, you will find the “Enable IAM DB authentication” option. Enable this option by selecting the checkbox.
  6. Apply Changes: Scroll down to the bottom of the page and click on the “Continue” button.
  7. Review Changes: Review the changes you are about to make, and then click on the “Modify DB Instance” button to apply the changes.
  8. Verify SSL Configuration: Once the modification is complete, verify that the SSL configuration is enabled for the Database Migration Service Endpoints by connecting to the RDS instance using SSL.
By following these steps, you will successfully remediate the misconfiguration of Database Migration Service Endpoints not having SSL configuration for AWS RDS using the AWS console.

To remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using the AWS CLI, follow these steps:
  1. Enable SSL for the RDS instance:
    • Run the following AWS CLI command to modify the RDS instance to enable SSL: 
      aws rds modify-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --apply-immediately --no-apply-immediately
    • Replace YOUR_DB_INSTANCE_IDENTIFIER with the identifier of your RDS instance.
  2. Verify SSL configuration:
    • Confirm that SSL is enabled for the RDS instance by describing the instance using the following command: 
      aws rds describe-db-instances --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, DBInstanceStatus:DBInstanceStatus, Endpoint:Endpoint}'
    • Ensure that the Endpoint section includes the SSL: true attribute.
  3. Restart the RDS instance:
    • If the SSL configuration does not take effect immediately, you may need to restart the RDS instance. Run the following command: 
      aws rds reboot-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER
    • This will trigger a reboot of the RDS instance to apply the SSL configuration changes.
  4. Verify SSL connection:
    • Test the SSL connection to the RDS instance using a database client that supports SSL connections. Ensure that the connection is successful and encrypted.
By following these steps, you can remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using the AWS CLI.
To remediate the misconfiguration of Database Migration Service endpoints not having SSL configuration for AWS RDS using Python, you can follow these steps:
  1. Install the AWS SDK for Python (Boto3) if you haven’t already:
pip install boto3
  1. Use the following Python script to enable SSL for your AWS RDS instance:
import boto3

# Define the AWS region and RDS instance identifier
region = 'your_aws_region'
db_instance_identifier = 'your_rds_instance_identifier'

# Create an RDS client
rds_client = boto3.client('rds', region_name=region)

# Modify the RDS instance to enable SSL
response = rds_client.modify_db_instance(
    DBInstanceIdentifier=db_instance_identifier,
    ApplyImmediately=True,
    DBInstanceIdentifier=db_instance_identifier,
    Engine='mysql',  # Change the engine if necessary
    OptionGroupName='default:mysql-5-7',  # Change the option group if necessary
    EnableIAMDatabaseAuthentication=False,
    PubliclyAccessible=False,
    ApplyImmediately=True,
    CloudwatchLogsExportConfiguration={},
    EnablePerformanceInsights=False,
    MonitoringInterval=0,
    PerformanceInsightsKMSKeyId='',
    PerformanceInsightsRetentionPeriod=7,
    EnableEnhancedMonitoring=False,
    MonitoringRoleArn='',
    PromotionTier=0,
    OptionGroupName='default:mysql-5-7',
    DBParameterGroupName='default:mysql-5-7',
    VpcSecurityGroupIds=[
        'your_security_group_id',
    ],
    ApplyImmediately=True,
    EngineVersion='5.7.30',
    MasterUserPassword='your_master_password',
    PreferredBackupWindow='02:00-03:00',
    BackupRetentionPeriod=7,
    PreferredMaintenanceWindow='sun:04:00-sun:05:00',
    CopyTagsToSnapshot=False,
    LicenseModel='general-public-license',
    StorageType='gp2',
    StorageEncrypted=True,
    MultiAZ=False,
    AutoMinorVersionUpgrade=True,
    PubliclyAccessible=False,
    DBInstanceClass='db.t2.micro',
    AllocatedStorage=20,
    DBInstanceIdentifier=db_instance_identifier
)

print("SSL configuration enabled for RDS instance: ", response)
  1. Replace the placeholders (‘your_aws_region’, ‘your_rds_instance_identifier’, ‘your_security_group_id’, ‘your_master_password’) with your actual AWS region, RDS instance identifier, security group ID, and master password.
  2. Run the Python script to enable SSL configuration for your AWS RDS instance.
After following these steps, the SSL configuration for the Database Migration Service endpoints should be enabled for your AWS RDS instance.
I