Amazon DMS Replication Instance Is Publicly Accessible

  • Query id: 5864fb39-d719-4182-80e2-89dbe627be63
  • Query name: Amazon DMS Replication Instance Is Publicly Accessible
  • Platform: CloudFormation
  • Severity: Critical
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

An Amazon DMS replication instance with the attribute 'PubliclyAccessible' set to true is assigned a public IP address, which exposes the replication instance, and possibly the sensitive data it moves, to the internet. AWS defaults this attribute to true when it is omitted, so a template that leaves it out is flagged as well (positive test num. 2 below). To prevent such a scenario, set the attribute 'PubliclyAccessible' to false.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  ReplicationInstance:
    Type: "AWS::DMS::ReplicationInstance"
    Properties:
      ReplicationInstanceIdentifier: my-replication-instance
      ReplicationInstanceClass: dms.r5.large
      AllocatedStorage: 100
      EngineVersion: "3.4.3"
      PubliclyAccessible: true
Positive test num. 2 - yaml file
Resources:
  ReplicationInstance:
    Type: "AWS::DMS::ReplicationInstance"
    Properties:
      ReplicationInstanceIdentifier: my-replication-instance
      ReplicationInstanceClass: dms.r5.large
      AllocatedStorage: 100
      EngineVersion: "3.4.3"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  ReplicationInstance:
    Type: "AWS::DMS::ReplicationInstance"
    Properties:
      ReplicationInstanceIdentifier: my-replication-instance
      ReplicationInstanceClass: dms.r5.large
      AllocatedStorage: 100
      EngineVersion: "3.4.3"
      PubliclyAccessible: false
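The detection logic behind this query, written out as an added example (this is not the KICS query itself and not AWS code): it walks the Resources section of a parsed CloudFormation template, flags every AWS::DMS::ReplicationInstance whose PubliclyAccessible is true or absent (absent means the AWS default of true applies), and returns a hardened copy with the attribute set to false. The three templates are the YAML samples above rewritten in CloudFormation's JSON form so the script runs with only the standard library; treating the string "true" as true assumes CloudFormation's Boolean coercion and goes slightly beyond the page's samples.

```python
"""Offline check for publicly accessible DMS replication instances in a
CloudFormation template (JSON form). Added example, not KICS's own query."""
import json
from copy import deepcopy

DMS_REPLICATION_INSTANCE = "AWS::DMS::ReplicationInstance"


def _is_true(value):
    """Accept real booleans and the string forms CloudFormation coerces
    ('true', 'True'); anything else counts as not public."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_public_dms_instances(template):
    """Return (logical_id, reason) for every DMS replication instance that
    is publicly accessible, either explicitly or via the AWS default."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != DMS_REPLICATION_INSTANCE:
            continue
        props = resource.get("Properties") or {}
        if "PubliclyAccessible" not in props:
            # Omitted attribute: AWS defaults it to true, so still a finding.
            findings.append((logical_id, "PubliclyAccessible is not set (AWS defaults it to true)"))
        elif _is_true(props["PubliclyAccessible"]):
            findings.append((logical_id, "PubliclyAccessible is true"))
    return findings


def scan(template_text):
    """Parse a JSON CloudFormation template and run the check."""
    return find_public_dms_instances(json.loads(template_text))


def harden(template):
    """Return a copy of the template with PubliclyAccessible forced to false
    on every DMS replication instance (the remediation the query describes)."""
    fixed = deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") == DMS_REPLICATION_INSTANCE:
            resource.setdefault("Properties", {})["PubliclyAccessible"] = False
    return fixed


# Constructed inputs: the page's YAML samples expressed as CloudFormation JSON.
POSITIVE_1 = """{"Resources": {"ReplicationInstance": {
  "Type": "AWS::DMS::ReplicationInstance",
  "Properties": {"ReplicationInstanceIdentifier": "my-replication-instance",
                 "ReplicationInstanceClass": "dms.r5.large",
                 "AllocatedStorage": 100, "EngineVersion": "3.4.3",
                 "PubliclyAccessible": true}}}}"""

POSITIVE_2 = """{"Resources": {"ReplicationInstance": {
  "Type": "AWS::DMS::ReplicationInstance",
  "Properties": {"ReplicationInstanceIdentifier": "my-replication-instance",
                 "ReplicationInstanceClass": "dms.r5.large",
                 "AllocatedStorage": 100, "EngineVersion": "3.4.3"}}}}"""

NEGATIVE_1 = """{"Resources": {"ReplicationInstance": {
  "Type": "AWS::DMS::ReplicationInstance",
  "Properties": {"ReplicationInstanceIdentifier": "my-replication-instance",
                 "ReplicationInstanceClass": "dms.r5.large",
                 "AllocatedStorage": 100, "EngineVersion": "3.4.3",
                 "PubliclyAccessible": false}}}}"""


if __name__ == "__main__":
    for name, text in [("positive 1", POSITIVE_1), ("positive 2", POSITIVE_2),
                       ("negative 1", NEGATIVE_1)]:
        print(name, scan(text))
    print("after harden:", find_public_dms_instances(harden(json.loads(POSITIVE_2))))
```

Running the script reports one finding for each positive sample (the second with the "not set" reason), none for the negative sample, and none for the hardened copy of positive test 2.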