Amazon DMS Replication Instance Is Publicly Accessible
- Query id: 030d3b18-1821-45b4-9e08-50efbe7becbb
- Query name: Amazon DMS Replication Instance Is Publicly Accessible
- Platform: Terraform
- Severity: Critical
- Category: Access Control
- CWE: 668
- URL: Github
Description
A DMS replication instance with a public IP address is reachable from outside the VPC, which exposes the migration traffic and the databases it connects to. To prevent this, set the attribute 'PubliclyAccessible' (`publicly_accessible` in Terraform) to false, or omit it, since the default is false.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "aws_dms_replication_instance" "test" {
  allocated_storage            = 20
  apply_immediately            = true
  auto_minor_version_upgrade   = true
  availability_zone            = "us-west-2c"
  engine_version               = "3.1.4"
  kms_key_arn                  = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
  multi_az                     = false
  preferred_maintenance_window = "sun:10:30-sun:14:30"
  publicly_accessible          = true
  replication_instance_class   = "dms.t2.micro"
  replication_instance_id      = "test-dms-replication-instance-tf"
  replication_subnet_group_id  = aws_dms_replication_subnet_group.test-dms-replication-subnet-group-tf.id
  vpc_security_group_ids = [
    "sg-12345678",
  ]
  depends_on = [
    aws_iam_role_policy_attachment.dms-access-for-endpoint-AmazonDMSRedshiftS3Role,
    aws_iam_role_policy_attachment.dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole,
    aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole
  ]
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "aws_dms_replication_instance" "test" {
  allocated_storage            = 20
  apply_immediately            = true
  auto_minor_version_upgrade   = true
  availability_zone            = "us-west-2c"
  engine_version               = "3.1.4"
  kms_key_arn                  = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
  multi_az                     = false
  preferred_maintenance_window = "sun:10:30-sun:14:30"
  replication_instance_class   = "dms.t2.micro"
  replication_instance_id      = "test-dms-replication-instance-tf"
  replication_subnet_group_id  = aws_dms_replication_subnet_group.test-dms-replication-subnet-group-tf.id
  vpc_security_group_ids = [
    "sg-12345678",
  ]
  depends_on = [
    aws_iam_role_policy_attachment.dms-access-for-endpoint-AmazonDMSRedshiftS3Role,
    aws_iam_role_policy_attachment.dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole,
    aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole
  ]
}
```
Negative test num. 2 - tf file
```tf
resource "aws_dms_replication_instance" "test" {
  allocated_storage            = 20
  apply_immediately            = true
  auto_minor_version_upgrade   = true
  availability_zone            = "us-west-2c"
  engine_version               = "3.1.4"
  kms_key_arn                  = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
  multi_az                     = false
  publicly_accessible          = false
  preferred_maintenance_window = "sun:10:30-sun:14:30"
  replication_instance_class   = "dms.t2.micro"
  replication_instance_id      = "test-dms-replication-instance-tf"
  replication_subnet_group_id  = aws_dms_replication_subnet_group.test-dms-replication-subnet-group-tf.id
  vpc_security_group_ids = [
    "sg-12345678",
  ]
  depends_on = [
    aws_iam_role_policy_attachment.dms-access-for-endpoint-AmazonDMSRedshiftS3Role,
    aws_iam_role_policy_attachment.dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole,
    aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole
  ]
}
```
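The following is an added example, not the KICS query itself (KICS implements this check in Rego over parsed HCL). It shows the same decision the three samples above illustrate, as a small standard-library Python scanner: an `aws_dms_replication_instance` block is flagged only when `publicly_accessible` is literally `true`; an absent attribute passes because the provider default is false, and other resource types that also carry a `publicly_accessible` attribute are out of scope. A `remediate` helper flips the offending attribute to `false` without touching anything else. The sample inputs are constructed from the page's test files, trimmed to the relevant attributes; `scan_dms_public_access`, `remediate` and `Finding` are names chosen for this example.

```python
"""Scan Terraform source for DMS replication instances with publicly_accessible = true.

Added example for this page, not the KICS query (which is Rego over parsed HCL).
A brace-matching scan over raw text keeps it offline and dependency-free.
"""
import re
from dataclasses import dataclass

# Only this resource type is in scope; RDS and other resources that also have a
# publicly_accessible attribute are deliberately ignored.
RESOURCE_RE = re.compile(r'resource\s+"aws_dms_replication_instance"\s+"([^"]+)"\s*\{')
# One attribute per line; group 1 = prefix up to '=', group 2 = value, group 3 = trailing comment.
ATTR_RE = re.compile(
    r'^([ \t]*publicly_accessible[ \t]*=[ \t]*)(true|false)([ \t]*(?:#.*)?)$', re.MULTILINE
)


@dataclass
class Finding:
    resource_name: str
    line: int  # 1-based line of the offending attribute
    message: str


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the '{' at open_brace and its matching '}'.
    Braces inside string literals are not special-cased; sufficient for
    provider blocks like the ones on this page."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def scan_dms_public_access(tf_source: str) -> list[Finding]:
    """Report every aws_dms_replication_instance whose publicly_accessible is true.
    An absent attribute passes: the provider default is false (negative test 1)."""
    findings: list[Finding] = []
    for res in RESOURCE_RE.finditer(tf_source):
        open_brace = res.end() - 1
        body = _block_body(tf_source, open_brace)
        attr = ATTR_RE.search(body)
        if attr is not None and attr.group(2) == "true":
            abs_start = open_brace + 1 + attr.start()
            line = tf_source.count("\n", 0, abs_start) + 1
            findings.append(Finding(
                res.group(1), line,
                "DMS replication instance is publicly accessible; set publicly_accessible = false",
            ))
    return findings


def remediate(tf_source: str) -> str:
    """Return the source with publicly_accessible = true flipped to false,
    touching only aws_dms_replication_instance blocks and preserving layout."""
    out, last = [], 0
    for res in RESOURCE_RE.finditer(tf_source):
        open_brace = res.end() - 1
        body = _block_body(tf_source, open_brace)
        out.append(tf_source[last:open_brace + 1])
        out.append(ATTR_RE.sub(
            lambda a: a.group(1) + "false" + a.group(3) if a.group(2) == "true" else a.group(0),
            body,
        ))
        last = open_brace + 1 + len(body)
    out.append(tf_source[last:])
    return "".join(out)


# Constructed sample inputs, trimmed from the page's positive and negative tests.
PUBLIC_LINE = "  publicly_accessible        = true\n"
POSITIVE_SAMPLE = (
    'resource "aws_dms_replication_instance" "test" {\n'
    "  allocated_storage          = 20\n"
    "  apply_immediately          = true\n"
    + PUBLIC_LINE +
    '  replication_instance_class = "dms.t2.micro"\n'
    "  vpc_security_group_ids = [\n"
    '    "sg-12345678",\n'
    "  ]\n"
    "}\n"
)
NEGATIVE_ABSENT = POSITIVE_SAMPLE.replace(PUBLIC_LINE, "")                    # negative test 1
NEGATIVE_FALSE = POSITIVE_SAMPLE.replace(PUBLIC_LINE, PUBLIC_LINE.replace("true", "false"))  # negative test 2

if __name__ == "__main__":
    for name, sample in [("positive", POSITIVE_SAMPLE), ("absent", NEGATIVE_ABSENT), ("false", NEGATIVE_FALSE)]:
        for f in scan_dms_public_access(sample):
            print(f"{name}: line {f.line}, resource {f.resource_name!r}: {f.message}")
```

The line-oriented regex is the deliberate limitation here: it will not see `publicly_accessible = var.public` or a value set through a module input, which a real HCL-aware scanner evaluates. Treat a non-literal value as "review manually" rather than "safe".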