turbot/steampipe-mod-aws-compliance

Control: 12 DMS endpoints for Redis OSS should have TLS enabled

Description

This control checks whether an AWS DMS endpoint for Redis OSS is configured with a TLS connection. The control fails if the endpoint doesn't have TLS enabled.

TLS provides end-to-end security when data is sent between applications or databases over the internet. When you configure SSL encryption for your DMS endpoint, it enables encrypted communication between the source and target databases during the migration process. This helps prevent eavesdropping and interception of sensitive data by malicious actors. Without SSL encryption, sensitive data may be accessed, resulting in data breaches, data loss, or other security incidents.

Remediation

To enable a TLS connection on DMS endpoints for Redis, see Using Redis as a target for AWS Database Migration Service in the AWS Database Migration Service User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_dms_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_dms_12 --share

SQL

This control uses a named query:

-- Only Redis target endpoints are evaluated; source endpoints and endpoints
-- without redis_settings are skipped rather than failed.
-- TLS is inferred from a configured CA certificate ARN in redis_settings.
select
  arn as resource,
  case
    when endpoint_type <> 'TARGET' then 'skip'
    when redis_settings is null then 'skip'
    when (redis_settings ->> 'SslCaCertificateArn') is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when endpoint_type <> 'TARGET' then title || ' endpoint is not of target type.'
    when redis_settings is null then title || ' endpoint is not of redis engine type.'
    when (redis_settings ->> 'SslCaCertificateArn') is not null then title || ' TLS/SSL enabled for redis data stores.'
    else title || ' TLS/SSL disabled for redis data stores.'
  end as reason,
  region,
  account_id
from
  aws_dms_endpoint;
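The same skip/ok/alarm classification can be reproduced without Steampipe against the JSON that `aws dms describe-endpoints` returns. The following is an added example, not code from the mod; it assumes the `Endpoints[].EndpointType` / `RedisSettings.SslCaCertificateArn` field names of that API response and uses a constructed sample payload.

```python
"""Offline evaluation of the DMS.12 check over describe-endpoints style JSON."""
import json
from typing import Dict, List, Optional

# Constructed sample modelled on `aws dms describe-endpoints` output (not real data).
SAMPLE_DESCRIBE_ENDPOINTS = json.dumps({"Endpoints": [
    {"EndpointIdentifier": "redis-tgt-tls", "EndpointType": "TARGET",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLE1",
     "RedisSettings": {"ServerName": "cache-a.example.internal", "Port": 6379,
                       "SslSecurityProtocol": "ssl-encryption",
                       "SslCaCertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:EXAMPLECA"}},
    {"EndpointIdentifier": "redis-tgt-plain", "EndpointType": "TARGET",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLE2",
     "RedisSettings": {"ServerName": "cache-b.example.internal", "Port": 6379,
                       "SslSecurityProtocol": "plaintext"}},
    {"EndpointIdentifier": "pg-source", "EndpointType": "SOURCE",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLE3",
     "PostgreSQLSettings": {"ServerName": "db.example.internal", "Port": 5432}},
]})


def evaluate_endpoint(ep: Dict) -> Dict[str, Optional[str]]:
    """Mirror the control's CASE expressions for a single endpoint record."""
    title = ep.get("EndpointIdentifier") or ep.get("EndpointArn") or "<unknown>"
    redis = ep.get("RedisSettings")
    # The API reports "SOURCE"/"TARGET"; upper-case defensively to match the SQL literal.
    if str(ep.get("EndpointType", "")).upper() != "TARGET":
        status, reason = "skip", f"{title} endpoint is not of target type."
    elif redis is None:
        status, reason = "skip", f"{title} endpoint is not of redis engine type."
    # `->>` yields NULL for both a missing key and an explicit null; .get() does the same.
    elif redis.get("SslCaCertificateArn") is not None:
        status, reason = "ok", f"{title} TLS/SSL enabled for redis data stores."
    else:
        status, reason = "alarm", f"{title} TLS/SSL disabled for redis data stores."
    return {"resource": ep.get("EndpointArn"), "status": status, "reason": reason}


def evaluate_describe_output(raw_json: str) -> List[Dict[str, Optional[str]]]:
    """Classify every endpoint in a describe-endpoints JSON document."""
    return [evaluate_endpoint(ep) for ep in json.loads(raw_json).get("Endpoints", [])]


def alarms(raw_json: str) -> List[Optional[str]]:
    """Return the ARNs of Redis target endpoints that fail the control."""
    return [r["resource"] for r in evaluate_describe_output(raw_json) if r["status"] == "alarm"]


if __name__ == "__main__":
    for row in evaluate_describe_output(SAMPLE_DESCRIBE_ENDPOINTS):
        print(f'{row["status"]:<6} {row["reason"]}')
```

Pipe real output in with `aws dms describe-endpoints --output json` and feed the text to `evaluate_describe_output` to get the same rows the control would produce.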

Tags