Amazon DMS Replication Instance Is Publicly Accessible
- Query id: bccb296f-362c-4b05-9221-86d1437a1016
- Query name: Amazon DMS Replication Instance Is Publicly Accessible
- Platform: Pulumi
- Severity: Critical
- Category: Access Control
- URL: Github
Description¶
Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
name: aws-dms
runtime: yaml
description: amazon dms replication instance
resources:
dms-access-for-endpoint:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-access-for-endpoint-AmazonDMSRedshiftS3Role:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
role: ${["dms-access-for-endpoint"].name}
dms-cloudwatch-logs-role:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
role: ${["dms-cloudwatch-logs-role"].name}
dms-vpc-role:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-vpc-role-AmazonDMSVPCManagementRole:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
role: ${["dms-vpc-role"].name}
# Create a new replication instance
test:
type: aws:dms:ReplicationInstance
properties:
allocatedStorage: 20
applyImmediately: true
autoMinorVersionUpgrade: true
availabilityZone: us-west-2c
engineVersion: 3.1.4
kmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
multiAz: false
preferredMaintenanceWindow: sun:10:30-sun:14:30
publiclyAccessible: true
replicationInstanceClass: dms.t2.micro
replicationInstanceId: test-dms-replication-instance-tf
replicationSubnetGroupId: ${aws_dms_replication_subnet_group"test-dms-replication-subnet-group-tf"[%!s(MISSING)].id}
tags:
Name: test
vpcSecurityGroupIds:
- sg-12345678
options:
dependson:
- ${["dms-access-for-endpoint-AmazonDMSRedshiftS3Role"]}
- ${["dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole"]}
- ${["dms-vpc-role-AmazonDMSVPCManagementRole"]}
variables:
dmsAssumeRole:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- actions:
- sts:AssumeRole
principals:
- identifiers:
- dms.amazonaws.com
type: Service
Positive test num. 2 - yaml file
name: aws-dms
runtime: yaml
description: amazon dms replication instance
resources:
dms-access-for-endpoint:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-access-for-endpoint-AmazonDMSRedshiftS3Role:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
role: ${["dms-access-for-endpoint"].name}
dms-cloudwatch-logs-role:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
role: ${["dms-cloudwatch-logs-role"].name}
dms-vpc-role:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-vpc-role-AmazonDMSVPCManagementRole:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
role: ${["dms-vpc-role"].name}
# Create a new replication instance
test:
type: aws:dms:ReplicationInstance
properties:
allocatedStorage: 20
applyImmediately: true
autoMinorVersionUpgrade: true
availabilityZone: us-west-2c
engineVersion: 3.1.4
kmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
multiAz: false
preferredMaintenanceWindow: sun:10:30-sun:14:30
replicationInstanceClass: dms.t2.micro
replicationInstanceId: test-dms-replication-instance-tf
replicationSubnetGroupId: ${aws_dms_replication_subnet_group"test-dms-replication-subnet-group-tf"[%!s(MISSING)].id}
tags:
Name: test
vpcSecurityGroupIds:
- sg-12345678
options:
dependson:
- ${["dms-access-for-endpoint-AmazonDMSRedshiftS3Role"]}
- ${["dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole"]}
- ${["dms-vpc-role-AmazonDMSVPCManagementRole"]}
variables:
dmsAssumeRole:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- actions:
- sts:AssumeRole
principals:
- identifiers:
- dms.amazonaws.com
type: Service
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
name: aws-dms
runtime: yaml
description: amazon dms replication instance
resources:
dms-access-for-endpoint:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-access-for-endpoint-AmazonDMSRedshiftS3Role:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
role: ${["dms-access-for-endpoint"].name}
dms-cloudwatch-logs-role:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
role: ${["dms-cloudwatch-logs-role"].name}
dms-vpc-role:
type: aws:iam:Role
properties:
assumeRolePolicy: ${dmsAssumeRole.json}
dms-vpc-role-AmazonDMSVPCManagementRole:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
role: ${["dms-vpc-role"].name}
# Create a new replication instance
test:
type: aws:dms:ReplicationInstance
properties:
allocatedStorage: 20
applyImmediately: true
autoMinorVersionUpgrade: true
availabilityZone: us-west-2c
engineVersion: 3.1.4
kmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
multiAz: false
preferredMaintenanceWindow: sun:10:30-sun:14:30
publiclyAccessible: false
replicationInstanceClass: dms.t2.micro
replicationInstanceId: test-dms-replication-instance-tf
replicationSubnetGroupId: ${aws_dms_replication_subnet_group"test-dms-replication-subnet-group-tf"[%!s(MISSING)].id}
tags:
Name: test
vpcSecurityGroupIds:
- sg-12345678
options:
dependson:
- ${["dms-access-for-endpoint-AmazonDMSRedshiftS3Role"]}
- ${["dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole"]}
- ${["dms-vpc-role-AmazonDMSVPCManagementRole"]}
variables:
dmsAssumeRole:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- actions:
- sts:AssumeRole
principals:
- identifiers:
- dms.amazonaws.com
type: Service