Amazon DMS Replication Instance Is Publicly Accessible

• Query id: 5864fb39-d719-4182-80e2-89dbe627be63
• Query name: Amazon DMS Replication Instance Is Publicly Accessible
• Platform: CloudFormation
• Severity: Critical
• Category: Access Control
• URL: Github

Description

Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

Resources:
  ReplicationInstance:
    Type: "AWS::DMS::ReplicationInstance"
    Properties:
      ReplicationInstanceIdentifier: my-replication-instance
      ReplicationInstanceClass: dms.r5.large
      AllocatedStorage: 100
      EngineVersion: "3.4.3"
      PubliclyAccessible: true

Positive test num. 2 - yaml file

Resources:
  ReplicationInstance:
    Type: "AWS::DMS::ReplicationInstance"
    Properties:
      ReplicationInstanceIdentifier: my-replication-instance
      ReplicationInstanceClass: dms.r5.large
      AllocatedStorage: 100
      EngineVersion: "3.4.3"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

Resources:
  ReplicationInstance:
    Type: "AWS::DMS::ReplicationInstance"
    Properties:
      ReplicationInstanceIdentifier: my-replication-instance
      ReplicationInstanceClass: dms.r5.large
      AllocatedStorage: 100
      EngineVersion: "3.4.3"
      PubliclyAccessible: false