Profile Applicability

  • Level 2

Description

Encryption in transit ensures that data moving between AWS Database Migration Service (DMS) and Redis OSS endpoints is protected from unauthorized access. By enabling Secure Sockets Layer (SSL) or Transport Layer Security (TLS), you secure the communication channel and safeguard sensitive data during migration tasks.

Rationale

  • Enhanced Security: Protects data from interception and unauthorized access during transit.

  • Compliance: Aligns with security best practices and regulatory requirements.

  • Risk Mitigation: Reduces the risk of data breaches and man-in-the-middle attacks.

Impact

Pros:

  • Ensures secure communication between DMS and Redis OSS endpoints.

  • Reduces the risk of data interception and tampering.

  • Enhances overall security posture.

Cons:

  • May require additional configuration for SSL/TLS certificates.

  • Could introduce slight performance overhead due to encryption.

Default Value

By default, encryption in transit is not enabled for Redis OSS endpoints. It must be explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • dms:DescribeEndpoints

  • dms:ModifyEndpoint

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Endpoints.

  3. Select the Redis OSS endpoint and review its configuration.

  4. Verify if SSL/TLS is enabled under the Encryption in Transit section.

Using AWS CLI:

  1. Describe the DMS endpoint:

    aws dms describe-endpoints --filters Name=endpoint-type,Values=source,target

  2. Check the SslMode field in the output. Ensure it is set to require.
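An added audit helper (not part of this benchmark) that applies the CLI check above to describe-endpoints JSON: it reports every Redis endpoint whose SslMode is missing or not set to require, and builds the matching modify-endpoint remediation call. The sample JSON, account ID and endpoint ARNs are constructed placeholders; treating the stricter verify-ca and verify-full modes as compliant is an assumption of this helper, not a benchmark value.

```python
"""Flag DMS Redis OSS endpoints whose SslMode is not 'require' (added helper)."""
import json
import subprocess

# Constructed sample in the shape of `aws dms describe-endpoints` output.
# Account ID and endpoint suffixes are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({"Endpoints": [
    {"EndpointIdentifier": "redis-target-prod", "EngineName": "redis",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE1",
     "EndpointType": "target", "SslMode": "none"},
    {"EndpointIdentifier": "redis-target-enc", "EngineName": "redis",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE2",
     "EndpointType": "target", "SslMode": "require"},
    {"EndpointIdentifier": "mysql-source", "EngineName": "mysql",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE3",
     "EndpointType": "source", "SslMode": "none"},
    {"EndpointIdentifier": "redis-no-sslmode", "EngineName": "redis",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE4",
     "EndpointType": "target"},
]})

# The benchmark expects "require"; the verify-* modes are stricter, so this
# helper also accepts them (an assumption of the helper, not of the benchmark).
COMPLIANT_SSL_MODES = {"require", "verify-ca", "verify-full"}


def find_unencrypted_redis_endpoints(describe_json: str) -> list:
    """Return one finding per Redis endpoint whose SslMode is absent or not TLS."""
    findings = []
    for ep in json.loads(describe_json).get("Endpoints", []):
        if ep.get("EngineName", "").lower() != "redis":
            continue  # only Redis OSS endpoints are in scope for this check
        mode = ep.get("SslMode", "missing")  # absent field means not enabled
        if mode not in COMPLIANT_SSL_MODES:
            findings.append({"EndpointIdentifier": ep.get("EndpointIdentifier"),
                             "EndpointArn": ep.get("EndpointArn"),
                             "SslMode": mode})
    return findings


def remediation_command(endpoint_arn: str) -> list:
    """Argument vector for the modify-endpoint call from the Remediation section."""
    return ["aws", "dms", "modify-endpoint", "--endpoint-arn", endpoint_arn,
            "--ssl-mode", "require"]


if __name__ == "__main__":
    # Live run against the configured AWS account: only Redis endpoints are fetched.
    out = subprocess.run(["aws", "dms", "describe-endpoints", "--output", "json",
                          "--filters", "Name=engine-name,Values=redis"],
                         check=True, capture_output=True, text=True).stdout
    for f in find_unencrypted_redis_endpoints(out):
        print(f"NON-COMPLIANT {f['EndpointIdentifier']} (SslMode={f['SslMode']})")
        print("  fix:", " ".join(remediation_command(f["EndpointArn"])))
```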

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Endpoints.

  2. Select the Redis OSS endpoint to update.

  3. Edit the endpoint configuration and enable Encryption in Transit by setting the SSL mode to require.

  4. Save the changes.

Using AWS CLI:

  1. Modify the DMS endpoint to enable encryption in transit:

    aws dms modify-endpoint \
    --endpoint-arn <endpoint-arn> \
    --ssl-mode require \
    --certificate-arn <certificate-arn> # Optional if using custom certificates

  2. Verify the updated configuration:

    aws dms describe-endpoints --filters Name=endpoint-type,Values=source,target

Backout Plan

Using AWS Console:

  1. If enabling encryption in transit causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the Redis OSS endpoint, and go to the Modify Endpoint settings.

  3. Disable Encryption in transit by selecting None for the encryption option.

  4. Save the changes and verify that the endpoint is now functioning without encryption.

Using AWS CLI:

  1. To disable Encryption in transit, run the following command:

    aws dms modify-endpoint --endpoint-arn <ENDPOINT_ARN> --ssl-mode none

  2. Verify that encryption has been disabled by running (describe-endpoints selects an endpoint through the endpoint-arn filter rather than an --endpoint-arn option):

    aws dms describe-endpoints --filters Name=endpoint-arn,Values=<ENDPOINT_ARN>

References

CIS Controls

Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.        |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |