Amazon DMS Replication Instance Is Publicly Accessible

  • Query id: bccb296f-362c-4b05-9221-86d1437a1016
  • Query name: Amazon DMS Replication Instance Is Publicly Accessible
  • Platform: Pulumi
  • Severity: Critical
  • Category: Access Control
  • CWE: Ongoing
  • URL: Github

Description

Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
name: aws-dms
runtime: yaml
description: amazon dms replication instance
resources:
  dms-access-for-endpoint:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-access-for-endpoint-AmazonDMSRedshiftS3Role:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
      role: ${["dms-access-for-endpoint"].name}
  dms-cloudwatch-logs-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
      role: ${["dms-cloudwatch-logs-role"].name}
  dms-vpc-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-vpc-role-AmazonDMSVPCManagementRole:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
      role: ${["dms-vpc-role"].name}
  # Create a new replication instance
  test:
    type: aws:dms:ReplicationInstance
    properties:
      allocatedStorage: 20
      applyImmediately: true
      autoMinorVersionUpgrade: true
      availabilityZone: us-west-2c
      engineVersion: 3.1.4
      kmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
      multiAz: false
      preferredMaintenanceWindow: sun:10:30-sun:14:30
      publiclyAccessible: true
      replicationInstanceClass: dms.t2.micro
      replicationInstanceId: test-dms-replication-instance-tf
      replicationSubnetGroupId: ${aws_dms_replication_subnet_group"test-dms-replication-subnet-group-tf"[%!s(MISSING)].id}
      tags:
        Name: test
      vpcSecurityGroupIds:
        - sg-12345678
    options:
      dependson:
        - ${["dms-access-for-endpoint-AmazonDMSRedshiftS3Role"]}
        - ${["dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole"]}
        - ${["dms-vpc-role-AmazonDMSVPCManagementRole"]}
variables:
  dmsAssumeRole:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - sts:AssumeRole
            principals:
              - identifiers:
                  - dms.amazonaws.com
                type: Service
Positive test num. 2 - yaml file
name: aws-dms
runtime: yaml
description: amazon dms replication instance
resources:
  dms-access-for-endpoint:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-access-for-endpoint-AmazonDMSRedshiftS3Role:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
      role: ${["dms-access-for-endpoint"].name}
  dms-cloudwatch-logs-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
      role: ${["dms-cloudwatch-logs-role"].name}
  dms-vpc-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-vpc-role-AmazonDMSVPCManagementRole:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
      role: ${["dms-vpc-role"].name}
  # Create a new replication instance
  test:
    type: aws:dms:ReplicationInstance
    properties:
      allocatedStorage: 20
      applyImmediately: true
      autoMinorVersionUpgrade: true
      availabilityZone: us-west-2c
      engineVersion: 3.1.4
      kmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
      multiAz: false
      preferredMaintenanceWindow: sun:10:30-sun:14:30
      replicationInstanceClass: dms.t2.micro
      replicationInstanceId: test-dms-replication-instance-tf
      replicationSubnetGroupId: ${aws_dms_replication_subnet_group"test-dms-replication-subnet-group-tf"[%!s(MISSING)].id}
      tags:
        Name: test
      vpcSecurityGroupIds:
        - sg-12345678
    options:
      dependson:
        - ${["dms-access-for-endpoint-AmazonDMSRedshiftS3Role"]}
        - ${["dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole"]}
        - ${["dms-vpc-role-AmazonDMSVPCManagementRole"]}
variables:
  dmsAssumeRole:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - sts:AssumeRole
            principals:
              - identifiers:
                  - dms.amazonaws.com
                type: Service

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
name: aws-dms
runtime: yaml
description: amazon dms replication instance
resources:
  dms-access-for-endpoint:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-access-for-endpoint-AmazonDMSRedshiftS3Role:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
      role: ${["dms-access-for-endpoint"].name}
  dms-cloudwatch-logs-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
      role: ${["dms-cloudwatch-logs-role"].name}
  dms-vpc-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${dmsAssumeRole.json}
  dms-vpc-role-AmazonDMSVPCManagementRole:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
      role: ${["dms-vpc-role"].name}
  # Create a new replication instance
  test:
    type: aws:dms:ReplicationInstance
    properties:
      allocatedStorage: 20
      applyImmediately: true
      autoMinorVersionUpgrade: true
      availabilityZone: us-west-2c
      engineVersion: 3.1.4
      kmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
      multiAz: false
      preferredMaintenanceWindow: sun:10:30-sun:14:30
      publiclyAccessible: false
      replicationInstanceClass: dms.t2.micro
      replicationInstanceId: test-dms-replication-instance-tf
      replicationSubnetGroupId: ${aws_dms_replication_subnet_group"test-dms-replication-subnet-group-tf"[%!s(MISSING)].id}
      tags:
        Name: test
      vpcSecurityGroupIds:
        - sg-12345678
    options:
      dependson:
        - ${["dms-access-for-endpoint-AmazonDMSRedshiftS3Role"]}
        - ${["dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole"]}
        - ${["dms-vpc-role-AmazonDMSVPCManagementRole"]}
variables:
  dmsAssumeRole:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - sts:AssumeRole
            principals:
              - identifiers:
                  - dms.amazonaws.com
                type: Service