
Add new check `dms_endpoint_use_ssl`

Open puchy22 opened this issue 5 months ago • 0 comments

New feature motivation

SSL/TLS connections provide encryption for data in transit between DMS replication instances and your databases. This ensures that the data is protected from eavesdropping and tampering during migration. Enabling SSL also includes certificate validation, which verifies that connections are made to the intended database instance by checking its server certificate.

Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-9

Solution Proposed

Create a new check to ensure that DMS endpoints are using SSL. Things to add:

  • Add an endpoints dictionary with all endpoints extracted from describe_endpoints. The key of the dict must be the endpoint ARN.
  • Add check logic to verify that endpoint's SslMode is not 'none'. Ref
  • Add unit tests to ensure the check is working as expected. Cases recommended: no endpoints, endpoint without SSL active, endpoint with SSL required, endpoint with SSL in other modes. Ref

Describe alternatives you've considered

No alternative.

Additional context

No response

puchy22 Aug 28 '24 08:08
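The three items in the proposal (endpoint dictionary keyed by ARN, check logic on `SslMode`, and the recommended unit-test cases) can be sketched end to end in plain Python. The block below is an added example written for this page; it is not Prowler's own code and does not use Prowler's `Check`/`Check_Report_AWS` classes. The `Endpoint`, `Finding`, `build_endpoints` and `dms_endpoint_use_ssl` names are assumptions, and the `describe_endpoints` pages are constructed inline so the example runs offline. The SslMode values compared against (`none`, `require`, `verify-ca`, `verify-full`) are the ones the DMS API documents for an endpoint.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Values the DMS API accepts for an endpoint's SslMode. Only "none" means
# the replication instance talks to the database in cleartext.
SSL_MODES = {"none", "require", "verify-ca", "verify-full"}


@dataclass(frozen=True)
class Endpoint:
    """Minimal model of a DMS endpoint (hypothetical; not Prowler's model)."""
    arn: str
    identifier: str
    region: str
    ssl_mode: str


@dataclass(frozen=True)
class Finding:
    """One check result per endpoint, keyed by the endpoint ARN."""
    resource_arn: str
    region: str
    status: str           # "PASS" or "FAIL"
    status_extended: str


def build_endpoints(pages: Iterable[dict], region: str) -> Dict[str, Endpoint]:
    """Flatten paginated describe_endpoints output into a dict keyed by ARN.

    Keying by ARN (rather than identifier) keeps endpoints from different
    regions/accounts from colliding in one dictionary.
    """
    endpoints: Dict[str, Endpoint] = {}
    for page in pages:
        for raw in page.get("Endpoints", []):
            arn = raw["EndpointArn"]
            endpoints[arn] = Endpoint(
                arn=arn,
                identifier=raw["EndpointIdentifier"],
                region=region,
                # An absent SslMode is treated as "none": the API default is
                # no SSL, so failing closed avoids a false PASS.
                ssl_mode=raw.get("SslMode", "none"),
            )
    return endpoints


def dms_endpoint_use_ssl(endpoints: Dict[str, Endpoint]) -> List[Finding]:
    """Check logic: an endpoint passes unless its SslMode is 'none'.

    Any mode other than 'none' is accepted, mirroring the proposal; a
    stricter variant could require 'verify-ca' or 'verify-full' so that
    the server certificate is actually validated.
    """
    findings: List[Finding] = []
    for ep in endpoints.values():
        if ep.ssl_mode == "none":
            status, detail = "FAIL", f"DMS endpoint {ep.identifier} is not using SSL."
        else:
            status, detail = "PASS", (
                f"DMS endpoint {ep.identifier} is using SSL with mode {ep.ssl_mode}."
            )
        findings.append(Finding(ep.arn, ep.region, status, detail))
    return findings


# Constructed sample describe_endpoints pages (not real AWS output): one
# endpoint per SslMode of interest, plus one with SslMode omitted.
SAMPLE_PAGES = [
    {"Endpoints": [
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:src-plain",
         "EndpointIdentifier": "src-plain", "SslMode": "none"},
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:src-require",
         "EndpointIdentifier": "src-require", "SslMode": "require"},
    ]},
    {"Endpoints": [
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:tgt-verify",
         "EndpointIdentifier": "tgt-verify", "SslMode": "verify-full"},
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:tgt-missing",
         "EndpointIdentifier": "tgt-missing"},
    ]},
]


def run_sample() -> Dict[str, str]:
    """Run the check over the constructed pages; returns {arn: status}."""
    endpoints = build_endpoints(SAMPLE_PAGES, region="us-east-1")
    return {f.resource_arn: f.status for f in dms_endpoint_use_ssl(endpoints)}


if __name__ == "__main__":
    for arn, status in run_sample().items():
        print(f"{status}\t{arn}")
```

The four recommended unit-test cases map directly onto this shape: an empty page list yields no findings, an endpoint with `SslMode: none` (or no `SslMode` at all) fails, `require` passes, and the other verify modes pass as well.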