Open puchy22 opened 2 weeks ago
```python
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.dms.dms_client import dms_client


class dms_endpoint_ssl_enabled(Check):
    def execute(self):
        findings = []
        # dms_client.endpoints is expected to be a dict keyed by endpoint ARN
        for endpoint_arn, endpoint in dms_client.endpoints.items():
            report = Check_Report_AWS(self.metadata())
            report.resource_id = endpoint_arn
            report.resource_arn = endpoint_arn
            report.region = endpoint.region
            # SslMode values from DescribeEndpoints: none, require, verify-ca, verify-full
            if endpoint.ssl_mode == "none":
                report.status = "FAIL"
                report.status_extended = f"DMS Endpoint {endpoint_arn} is not using SSL."
            else:
                report.status = "PASS"
                report.status_extended = f"DMS Endpoint {endpoint_arn} is using SSL with mode: {endpoint.ssl_mode}."
            findings.append(report)
        return findings
```
Hello @LefterisXefteris, do you want to tackle this issue? I can assign it to you if you want to start working on it.
Thank you for your interest!
Hello @jfagoagas, I will happily handle this. Thank you!
Hello!
I am currently testing the `ssl_endpoint_enabled` check. However, I encounter some problems with the `dms_services` class. I think I might need to add an endpoint class in there, inheriting from `BaseModel`, as well as a `def __describe_endpoints__(self, regional_client): pass` method in there. I might need some help implementing this. Would you be able to enlighten me with this method?
Thank you.
Sorry, I accidentally pressed the "unassign me" button next to my name. Could you please assign me again?
For sure, we can help you! Regarding the solution proposed, which parts did you manage to complete?
Did you check the referenced documentation? Our developer guide should be sufficient, but if not we can always jump into a call in the Prowler Community Slack. You can use the following link https://join.slack.com/t/prowler-workspace/shared_invite/zt-2luugg3ld-_MlE692tRwAZoMMrZ1sV7w to join if you are not there yet.
New feature motivation
SSL/TLS connections provide encryption for data in transit between DMS replication instances and your databases. This ensures that the data is protected from eavesdropping and tampering during migration. Enabling SSL also includes certificate validation, which verifies that connections are made to the intended database instance by checking its server certificate.
Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-9
Solution Proposed
Create a new check to ensure that DMS endpoints are using SSL. Things to add:
- `endpoints` dictionary with all endpoints extracted from `describe_endpoints`, and test it. The key of the dict must be the endpoint ARN.
- Check that `SslMode` is not `'none'`.
Ref
Describe alternatives you've considered
No alternative.
Additional context
No response
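A runnable sketch of the two pieces the proposal above asks for, the endpoint collector keyed by ARN (the `__describe_endpoints__` method discussed in the comments) and the `SslMode` evaluation from the proposed check. This is an added example, not Prowler's code: it uses a plain dataclass instead of Prowler's `BaseModel`, a constructed fake in place of the boto3 DMS regional client (assumed to expose `get_paginator("describe_endpoints")` and a `.region` attribute, as Prowler's regional clients do), and constructed sample endpoints. It also covers the case the proposal does not spell out: an endpoint whose API response carries no `SslMode` field at all, which is treated as `none` rather than silently passing.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Endpoint:
    """Minimal endpoint model (Prowler would use pydantic BaseModel; dataclass keeps this self-contained)."""
    arn: str
    identifier: str
    region: str
    ssl_mode: str  # DescribeEndpoints SslMode: none | require | verify-ca | verify-full


def describe_endpoints(regional_client) -> Dict[str, Endpoint]:
    """Collect every endpoint via the paginated DescribeEndpoints API, keyed by endpoint ARN."""
    endpoints: Dict[str, Endpoint] = {}
    paginator = regional_client.get_paginator("describe_endpoints")
    for page in paginator.paginate():
        for ep in page.get("Endpoints", []):
            arn = ep["EndpointArn"]
            endpoints[arn] = Endpoint(
                arn=arn,
                identifier=ep.get("EndpointIdentifier", ""),
                region=regional_client.region,
                # A missing SslMode must not be mistaken for an encrypted connection.
                ssl_mode=ep.get("SslMode", "none"),
            )
    return endpoints


def evaluate_ssl(endpoints: Dict[str, Endpoint]) -> List[Tuple[str, str, str]]:
    """Return (arn, status, status_extended) per endpoint, mirroring the proposed check logic."""
    findings = []
    for arn, ep in endpoints.items():
        if ep.ssl_mode.lower() == "none":
            findings.append((arn, "FAIL", f"DMS Endpoint {arn} is not using SSL."))
        else:
            findings.append((arn, "PASS", f"DMS Endpoint {arn} is using SSL with mode: {ep.ssl_mode}."))
    return findings


# ---- constructed test double for the boto3 DMS client (hypothetical, offline) ----
class _FakePaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **kwargs):
        for page in self._pages:
            yield page


class FakeDMSClient:
    def __init__(self, region: str, pages):
        self.region = region
        self._pages = pages

    def get_paginator(self, operation_name: str):
        if operation_name != "describe_endpoints":
            raise ValueError(f"unsupported paginator {operation_name}")
        return _FakePaginator(self._pages)


# Constructed sample: two API pages, three endpoints, one without any SslMode field.
SAMPLE_PAGES = [
    {"Endpoints": [
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:SRC1",
         "EndpointIdentifier": "src-mysql", "SslMode": "none"},
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:TGT1",
         "EndpointIdentifier": "tgt-postgres", "SslMode": "verify-full"},
    ]},
    {"Endpoints": [
        {"EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:SRC2",
         "EndpointIdentifier": "src-oracle"},
    ]},
]


def run_sample() -> Dict[str, str]:
    """Run collector + evaluation over the constructed sample; returns {arn: status}."""
    client = FakeDMSClient("us-east-1", SAMPLE_PAGES)
    endpoints = describe_endpoints(client)
    return {arn: status for arn, status, _ in evaluate_ssl(endpoints)}


if __name__ == "__main__":
    for arn, status in run_sample().items():
        print(status, arn)
```

Keying the dictionary by ARN (rather than by `EndpointIdentifier`) is what makes the later `report.resource_arn = endpoint_arn` assignment in the check trivially correct, and it also avoids collisions if two regions reuse the same identifier.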