Ensure AWS Database Migration Service endpoints have SSL configured
Error: AWS route table with VPC peering overly permissive to all traffic
Bridgecrew Policy ID: BC_AWS_NETWORKING_81
Checkov Check ID: CKV2_AWS_49
Severity: HIGH
AWS Database Migration Service endpoint do not have SSL configured
Description
This policy identifies Database Migration Service (DMS) endpoints that are not configured with SSL to encrypt connections for source and target endpoints. It is recommended to use SSL connection for source and target endpoints; enforcing SSL connections help protect against 'man in the middle' attacks by encrypting the data stream between endpoint connections.\n\nNOTE: Not all databases use SSL in the same way. An Amazon Redshift endpoint already uses an SSL connection and does not require an SSL connection set up by AWS DMS. So there are some exlcusions included in policy RQL to report only those endpoints which can be configured using DMS SSL feature. \n\nFor more details:\nhttps://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.SSL
Fix - Buildtime
Terraform
resource "aws_dms_endpoint" "pass_source_1" {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
database_name = "test"
endpoint_id = "test-dms-endpoint-tf"
endpoint_type = "source"
engine_name = "aurora"
extra_connection_attributes = ""
kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
password = "test"
port = 3306
server_name = "test"
ssl_mode = "require"
username = "test"
}
Updated 11 months ago