AWS Database Migration Service

DMS Instance Using Default KMS Key

This plugin ensures that DMS replication instances are not encrypted with the default (AWS-managed) KMS key.

Risk Level: Low

Description: 

This plugin checks every DMS replication instance and flags those whose storage is encrypted with the default AWS-managed KMS key (alias aws/dms) instead of a customer managed key (CMK). AWS DMS always encrypts the storage of a replication instance, which holds the data staged during migration, with a KMS key; if no key is specified when the instance is created, the aws/dms key is used. Using a customer managed key instead gives you control over the key policy, rotation and lifecycle of the key that protects the migrated data.

About the Service :

AWS Database Migration Service (AWS DMS) enables you to move databases to AWS quickly and securely. The source database remains fully operational during the migration, which minimizes downtime for the applications that depend on it. AWS DMS can migrate data to and from most widely used commercial and open source databases.

Impact : 

The default aws/dms key is created and administered by AWS: you cannot edit its key policy, disable it, schedule it for deletion, or share it across accounts, so every principal that AWS grants DMS access to can use it. A customer managed key lets you define exactly which principals and services may use the key (via its key policy and grants), rotate it on your own schedule, disable or delete it to revoke access to the encrypted storage, and separate the people who administer DMS from the people who can decrypt the staged data. The default key offers none of this control and should be treated as the minimum baseline, not a hardened configuration.

Steps to reproduce :

  1. Log in to AWS Console.
  2. Open the Database Migration Service (DMS) console, for example via https://us-east-2.console.aws.amazon.com/dms/ if you are already logged in (change the region to the one you are auditing).
  3. Select Replication Instances in the left navigation panel.
  4. Open the instance you want to examine by clicking its name.
  5. Move to the Overview details tab.
  6. In the Advanced security and network configuration section, copy the KMS key ARN.
  7. Open the KMS console and choose AWS managed keys in the left navigation pane.
  8. Paste the copied key ARN into the filter box and open the key that appears.
  9. If the ARN resolves to an AWS managed key (alias aws/dms), the instance is using the default key and the finding applies. If the ARN is found only under Customer managed keys, the instance is compliant.
  10. Repeat these steps for every other replication instance, in every region where DMS is used.

 

Steps for remediation :

The KMS key of a replication instance cannot be changed after creation, so each affected instance has to be replaced: create a new replication instance encrypted with a customer managed key (CMK), move its replication tasks across, and then delete the old instance.

  1. Log in to AWS Console.
  2. Open the Database Migration Service (DMS) console, for example via https://us-east-2.console.aws.amazon.com/dms/ if you are already logged in (change the region to the one that holds the affected instance).
  3. Select Replication Instances in the left navigation panel.
  4. Click on Create replication instance.
  5. Fill in the required details, matching the instance class, storage, VPC, subnet group and security groups of the instance being replaced. Expand the Advanced security and network configuration section and, under KMS key, select Enter a key ARN.
  6. Enter the ARN of the customer managed key and click Create.
  7. Replication tasks are attached to a specific instance, so recreate the tasks that ran on the old instance against the new one and verify that they run before continuing. Then select the old instance by ticking the checkbox next to it.
  8. From the Actions menu, click Delete.
  9. Repeat steps for all the vulnerable replication instances.
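The console walkthrough above covers one instance at a time. The following added example, which is not part of the scanner plugin or of AWS DMS itself, does the same two things programmatically: it classifies replication instances by whether their KMS key is AWS-managed (the KeyManager field that kms:DescribeKey returns, "AWS" for the aws/dms default key and "CUSTOMER" for a CMK), and it builds the create-replication-instance parameters for a replacement that copies the old instance's sizing and network placement but sets a customer managed key. The instance records, key metadata and ARNs are constructed sample data shaped like describe-replication-instances and describe-key output; collect_live() is the only part that talks to AWS and needs boto3 plus dms:DescribeReplicationInstances and kms:DescribeKey permissions.

```python
"""Audit DMS replication instances for the default (AWS-managed) KMS key and
prepare the parameters for a CMK-encrypted replacement.

Added example for this knowledge-base entry (not the scanner plugin's code).
The sample instances, keys and ARNs below are constructed, not real resources.
"""

# Constructed sample ARNs (account 111122223333 is an AWS documentation placeholder).
DEFAULT_KEY_ARN = "arn:aws:kms:us-east-2:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
CMK_ARN = "arn:aws:kms:us-east-2:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
ORPHAN_KEY_ARN = "arn:aws:kms:us-east-2:111122223333:key/cccccccc-0000-0000-0000-000000000003"

# Constructed: shape of describe-replication-instances -> ReplicationInstances[].
SAMPLE_INSTANCES = [
    {"ReplicationInstanceIdentifier": "dms-prod-01",
     "ReplicationInstanceClass": "dms.t3.medium", "AllocatedStorage": 50,
     "MultiAZ": False, "PubliclyAccessible": False, "EngineVersion": "3.5.2",
     "KmsKeyId": DEFAULT_KEY_ARN,
     "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private"},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]},
    {"ReplicationInstanceIdentifier": "dms-analytics-02",
     "ReplicationInstanceClass": "dms.r5.large", "AllocatedStorage": 100,
     "MultiAZ": True, "PubliclyAccessible": False, "EngineVersion": "3.5.2",
     "KmsKeyId": CMK_ARN},
    {"ReplicationInstanceIdentifier": "dms-legacy-03",
     "ReplicationInstanceClass": "dms.t3.small", "AllocatedStorage": 20,
     "KmsKeyId": ORPHAN_KEY_ARN},  # key metadata deliberately missing below
]

# Constructed: shape of describe-key -> KeyMetadata, indexed by key ARN.
SAMPLE_KEYS = {
    DEFAULT_KEY_ARN: {"KeyManager": "AWS", "Description": "constructed stand-in for aws/dms"},
    CMK_ARN: {"KeyManager": "CUSTOMER", "Description": "constructed stand-in for a DMS CMK"},
}


def uses_default_key(key_metadata):
    """True when KMS reports the key as AWS-managed, i.e. the aws/dms default key."""
    return key_metadata.get("KeyManager") == "AWS"


def find_default_key_instances(instances, key_metadata_by_arn):
    """Return (flagged, unknown): identifiers of instances on an AWS-managed key,
    and identifiers whose key could not be described. The second list exists so a
    missing kms:DescribeKey permission is never silently reported as compliant."""
    flagged, unknown = [], []
    for inst in instances:
        ident = inst["ReplicationInstanceIdentifier"]
        meta = key_metadata_by_arn.get(inst.get("KmsKeyId"))
        if meta is None:
            unknown.append(ident)
        elif uses_default_key(meta):
            flagged.append(ident)
    return flagged, unknown


def replacement_params(old, new_identifier, cmk_arn):
    """Parameters for create_replication_instance that copy the old instance's
    class, storage and network placement but encrypt storage with cmk_arn.
    The key cannot be changed in place, which is why a new instance is needed.
    The Availability Zone is left for AWS to choose."""
    params = {
        "ReplicationInstanceIdentifier": new_identifier,
        "ReplicationInstanceClass": old["ReplicationInstanceClass"],
        "AllocatedStorage": old["AllocatedStorage"],
        "MultiAZ": old.get("MultiAZ", False),
        "PubliclyAccessible": old.get("PubliclyAccessible", False),
        "KmsKeyId": cmk_arn,
    }
    if "EngineVersion" in old:
        params["EngineVersion"] = old["EngineVersion"]
    subnet_group = old.get("ReplicationSubnetGroup", {}).get("ReplicationSubnetGroupIdentifier")
    if subnet_group:
        params["ReplicationSubnetGroupIdentifier"] = subnet_group
    sg_ids = [sg["VpcSecurityGroupId"] for sg in old.get("VpcSecurityGroups", [])]
    if sg_ids:
        params["VpcSecurityGroupIds"] = sg_ids
    return params


def collect_live(region_name=None):
    """Fetch real instances and key metadata with boto3 (imported here so the
    pure functions above run without it). Keys that cannot be described are
    left out of the map and therefore land in the 'unknown' list."""
    import boto3
    from botocore.exceptions import ClientError
    session = boto3.Session(region_name=region_name)
    dms, kms = session.client("dms"), session.client("kms")
    instances = []
    for page in dms.get_paginator("describe_replication_instances").paginate():
        instances.extend(page["ReplicationInstances"])
    keys = {}
    for arn in {i["KmsKeyId"] for i in instances if i.get("KmsKeyId")}:
        try:
            keys[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
        except ClientError:
            pass  # reported via the 'unknown' list rather than hidden
    return instances, keys


if __name__ == "__main__":
    flagged, unknown = find_default_key_instances(SAMPLE_INSTANCES, SAMPLE_KEYS)
    print("default key:", flagged, "| could not verify:", unknown)
    print(replacement_params(SAMPLE_INSTANCES[0], "dms-prod-01-cmk", CMK_ARN))
```

On the sample data this flags dms-prod-01 and lists dms-legacy-03 as unverifiable; in a real account the same split separates a confirmed finding from a permissions gap in the auditing role. The dictionary returned by replacement_params can be passed directly as keyword arguments to a boto3 dms client's create_replication_instance(); recreate the tasks on the new instance and confirm they run before deleting the old one, as in the console steps above.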