Profile Applicability

  • Level 2

Description

Setting an SSL mode other than none on an AWS Database Migration Service (DMS) endpoint ensures that the connection between the DMS replication instance and the database endpoint is encrypted in transit (DMS keeps the legacy "SSL" name; the protocol negotiated is TLS). Encryption alone (require) protects the migrated data from passive interception. Server certificate verification (verify-ca, or verify-full where the engine supports it) additionally authenticates the database endpoint, which is what mitigates man-in-the-middle tampering during the migration.

Rationale

  • Enhanced Security: Encrypts data in transit between DMS and the database endpoint.

  • Risk Mitigation: Reduces the risk of credential and data exposure on the network path; with verify-ca or verify-full, also reduces the risk of man-in-the-middle attacks, because DMS checks the server certificate against the imported CA.

  • Compliance: Aligns with security standards and regulatory requirements for protecting sensitive data.

Impact

Pros:

  • Secures data transfer between the source and target database.

  • Prevents data interception and unauthorized access.

  • Improves compliance with industry standards like PCI DSS, HIPAA, or GDPR.

Cons:

  • Requires the database endpoint to be configured for SSL/TLS with a valid certificate; verify-ca and verify-full additionally require the CA certificate to be imported into DMS and referenced by ARN.

  • Supported SSL modes differ by engine (for example, some engines accept only none and require); check the DMS documentation for the source and target engine before choosing verify-ca or verify-full.

  • May add minimal overhead due to encryption operations.

Default Value

By default, SslMode is none: DMS endpoints connect without encryption unless an SSL mode is explicitly chosen during endpoint creation or modification.

Pre-Requisite

IAM Permissions Required:

  • dms:DescribeEndpoints

  • dms:ModifyEndpoint

  • dms:ImportCertificate and dms:DescribeCertificates (only if verify-ca or verify-full is used)

  • dms:TestConnection (to validate the endpoint after the change)

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Endpoints.

  3. Select the database endpoint and review its configuration.

  4. Verify that SSL Mode is set to require, verify-ca, or verify-full. An endpoint whose SSL Mode is none is a finding.

Using AWS CLI:

  1. List all endpoints with their SSL mode:

    aws dms describe-endpoints \
      --query 'Endpoints[].[EndpointIdentifier,EndpointType,EngineName,SslMode,CertificateArn]' \
      --output table

  2. Check the SslMode column. Ensure every endpoint is set to require, verify-ca, or verify-full. To list only the non-compliant endpoints directly:

    aws dms describe-endpoints \
      --query 'Endpoints[?SslMode==`none`].[EndpointIdentifier,EndpointType,EngineName]' \
      --output table

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Endpoints.

  2. Select the endpoint to update.

  3. Click Edit and set SSL Mode to require, verify-ca, or verify-full.

    • If verify-ca or verify-full is used, first import the CA certificate under DMS > Certificates, then select it on the endpoint.

  4. Save the changes.

Using AWS CLI:

  1. If using verify-ca or verify-full, import the CA certificate that signed the database server certificate and note the returned ARN:

    aws dms import-certificate \
      --certificate-identifier <certificate-identifier> \
      --certificate-pem file://<ca-certificate.pem>

  2. Modify the DMS endpoint to enable SSL mode (omit --certificate-arn when using require):

    aws dms modify-endpoint \
      --endpoint-arn <endpoint-arn> \
      --ssl-mode verify-ca \
      --certificate-arn <certificate-arn>

  3. Verify the updated configuration:

    aws dms describe-endpoints \
      --filters Name=endpoint-arn,Values=<endpoint-arn> \
      --query 'Endpoints[].[EndpointIdentifier,SslMode,CertificateArn]'

  4. Confirm that the replication instance can still connect to the endpoint over SSL/TLS:

    aws dms test-connection \
      --replication-instance-arn <replication-instance-arn> \
      --endpoint-arn <endpoint-arn>
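The test plan and the implementation steps above both come down to the same two decisions per endpoint: is SslMode one of the encrypting values, and does a verifying mode have a certificate attached. The script below is an added example (not part of the benchmark text or an AWS-provided tool) that makes that evaluation on the JSON shape returned by describe-endpoints, builds the modify-endpoint arguments for each failing endpoint, and refuses to request verify-ca or verify-full without a certificate ARN. The evaluation functions run offline on the constructed sample; only main() calls boto3 and needs the IAM permissions listed under Pre-Requisite. The SSLMODE_NOT_APPLICABLE engine list, the sample endpoint identifiers and ARNs are assumptions made for the example.

```python
"""Audit AWS DMS endpoints for SslMode and build the remediation call.

Added example, not part of the original benchmark text. Evaluation logic is
kept separate from the boto3 calls in main() so it can run offline on
constructed describe-endpoints output.
"""
import json

# Modes that encrypt the connection. "require" encrypts but does not
# authenticate the server; only verify-ca / verify-full check the certificate.
ENCRYPTING_MODES = {"require", "verify-ca", "verify-full"}
VERIFYING_MODES = {"verify-ca", "verify-full"}

# Assumption: engines whose transport is not governed by SslMode because DMS
# talks to an AWS service API over HTTPS. Extend or prune for your account.
SSLMODE_NOT_APPLICABLE = {"s3", "kinesis", "dynamodb"}


def evaluate_endpoint(ep):
    """Return a finding dict for one Endpoint record from describe-endpoints."""
    mode = (ep.get("SslMode") or "none").lower()
    engine = (ep.get("EngineName") or "").lower()
    finding = {
        "id": ep.get("EndpointIdentifier"),
        "arn": ep.get("EndpointArn"),
        "type": ep.get("EndpointType"),
        "engine": engine,
        "ssl_mode": mode,
    }
    if engine in SSLMODE_NOT_APPLICABLE:
        finding.update(status="not_applicable", reason="engine does not use SslMode")
    elif mode not in ENCRYPTING_MODES:
        finding.update(status="fail", reason="SslMode is none: traffic in clear text")
    elif mode in VERIFYING_MODES and not ep.get("CertificateArn"):
        finding.update(status="fail", reason=f"{mode} set but no CertificateArn")
    elif mode == "require":
        finding.update(status="pass", reason="encrypted; server certificate not verified")
    else:
        finding.update(status="pass", reason="encrypted; server certificate verified")
    return finding


def evaluate(describe_output):
    """Evaluate every endpoint in a describe-endpoints response (parsed JSON)."""
    return [evaluate_endpoint(ep) for ep in describe_output.get("Endpoints", [])]


def failing(describe_output):
    """Only the endpoints that need remediation."""
    return [f for f in evaluate(describe_output) if f["status"] == "fail"]


def remediation_args(finding, ssl_mode="verify-ca", certificate_arn=None):
    """Build kwargs for dms.modify_endpoint() that fix one failing finding.

    verify-ca / verify-full need a CA certificate imported into DMS
    (aws dms import-certificate) and referenced by ARN; "require" does not.
    """
    if ssl_mode not in ENCRYPTING_MODES:
        raise ValueError(f"{ssl_mode!r} does not encrypt the connection")
    args = {"EndpointArn": finding["arn"], "SslMode": ssl_mode}
    if ssl_mode in VERIFYING_MODES:
        if not certificate_arn:
            raise ValueError(f"{ssl_mode} requires a CertificateArn")
        args["CertificateArn"] = certificate_arn
    return args


# Constructed sample in the shape of `aws dms describe-endpoints` output
# (identifiers, account number and ARNs are made up for the example).
SAMPLE = json.loads("""
{"Endpoints": [
 {"EndpointIdentifier": "src-mysql", "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:ABC",
  "EndpointType": "SOURCE", "EngineName": "mysql", "SslMode": "none"},
 {"EndpointIdentifier": "tgt-postgres", "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:DEF",
  "EndpointType": "TARGET", "EngineName": "postgres", "SslMode": "verify-ca",
  "CertificateArn": "arn:aws:dms:us-east-1:111122223333:cert:GHI"},
 {"EndpointIdentifier": "tgt-s3", "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:JKL",
  "EndpointType": "TARGET", "EngineName": "s3", "SslMode": "none"}
]}
""")


def main(apply=False, ssl_mode="verify-ca", certificate_arn=None):
    """Live audit of the account; apply=True also calls modify_endpoint on failures."""
    import boto3  # imported here so the offline functions above need no SDK
    dms = boto3.client("dms")
    endpoints = []
    for page in dms.get_paginator("describe_endpoints").paginate():
        endpoints.extend(page["Endpoints"])
    for f in evaluate({"Endpoints": endpoints}):
        print(f"{f['status']:<14} {f['id']:<30} {f['engine']:<10} {f['ssl_mode']:<11} {f['reason']}")
        if apply and f["status"] == "fail":
            dms.modify_endpoint(**remediation_args(f, ssl_mode, certificate_arn))


if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f["status"], f["id"], f["reason"])
```

Run it as-is to see the three sample findings; call main() with credentials for a live audit, and main(apply=True, ssl_mode="require") or main(apply=True, certificate_arn="arn:aws:dms:...:cert:...") to remediate. A "pass" with the reason "server certificate not verified" is deliberately kept visible: require satisfies the control as written, but only the verifying modes close the man-in-the-middle case.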

Backout Plan

Using AWS Console:

  1. If enabling SSL causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the DMS endpoint, and go to the Modify Endpoint settings.

  3. Disable SSL by selecting None in the SSL Mode dropdown.

  4. Save the changes and verify that the endpoint is now operating without SSL.

Using AWS CLI:

  1. To disable SSL mode, run:

    aws dms modify-endpoint --endpoint-arn <ENDPOINT_ARN> --ssl-mode none

  2. Verify that SSL has been disabled (describe-endpoints takes the ARN through a filter, not a direct option):

    aws dms describe-endpoints \
      --filters Name=endpoint-arn,Values=<ENDPOINT_ARN> \
      --query 'Endpoints[].[EndpointIdentifier,SslMode]'

References

CIS Controls

  Version | Control ID | Control Description                                                                           | IG1 | IG2 | IG3
  --------+------------+-----------------------------------------------------------------------------------------------+-----+-----+----
  v8      | 3.10       | Encrypt Sensitive Data in Transit – Use encryption to protect sensitive information in transit. |     |  ●  |  ●
  v8      | 13.3       | Establish and Enforce Security Baselines – Ensure all connections follow encryption standards. |     |     |