Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security in Amazon Database Migration Service

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the Amazon compliance programs. To learn about the compliance programs that apply to Amazon DMS, see Amazon services in scope by compliance program.

  • Security in the cloud – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your organization's requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Amazon DMS. The following topics show you how to configure Amazon DMS to meet your security and compliance objectives. You also learn how to use other Amazon services that help you monitor and secure your Amazon DMS resources.

You can manage access to your Amazon DMS resources and your databases (DBs). The method you use to manage access depends on the replication task you need to perform with Amazon DMS:

  • Use Amazon Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage Amazon DMS resources. Amazon DMS requires that you have the appropriate permissions if you sign in as an IAM user. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances and clusters, tag resources, or modify security groups. For more information about IAM and using it with Amazon DMS, see Identity and access management for Amazon Database Migration Service.

  • Amazon DMS uses Secure Sockets Layer (SSL) for your endpoint connections with Transport Layer Security (TLS). For more information about using SSL/TLS with Amazon DMS, see Using SSL with Amazon Database Migration Service.

  • Amazon DMS uses Amazon Key Management Service (Amazon KMS) encryption keys to encrypt the storage used by your replication instance and its endpoint connection information. Amazon DMS also uses Amazon KMS encryption keys to secure your target data at rest for Amazon S3 and Amazon Redshift target endpoints. For more information, see Setting an encryption key and specifying Amazon KMS permissions.

  • Amazon DMS always creates your replication instance in a virtual private cloud (VPC) based on the Amazon VPC service for the greatest possible network access control. For your DB instances and instance clusters, use the same VPC as your replication instance, or additional VPCs to match this level of access control. Each Amazon VPC that you use must be associated with a security group that has rules that allow all traffic on all ports to leave (egress) the VPC. This approach allows communication from the replication instance to your source and target database endpoints, as long as correct ingress is enabled on those endpoints.

    For more information about available network configurations for Amazon DMS, see Setting up a network for a replication instance. For more information about creating a DB instance or instance cluster in a VPC, see the security and cluster management documentation for your Amazon databases.

  • To view database migration logs, you need the appropriate Amazon CloudWatch Logs permissions for the IAM role you are using. For more information about logging for Amazon DMS, see Monitoring replication tasks using Amazon CloudWatch.

Setting an encryption key and specifying Amazon KMS permissions

Amazon DMS encrypts the storage used by a replication instance and the endpoint connection information. To encrypt the storage used by a replication instance, Amazon DMS uses an Amazon Key Management Service (Amazon KMS) key that is unique to your Amazon account. You can view and manage this key with Amazon KMS. You can use the default KMS key in your account (aws/dms) or you can create a custom KMS key. If you have an existing KMS key, you can also use that key for encryption.

Note

Any custom or existing Amazon KMS key that you use as an encryption key must be a symmetric key. Amazon DMS does not support the use of asymmetric encryption keys. For more information on symmetric and asymmetric encryption keys, see https://docs.amazonaws.cn/kms/latest/developerguide/symmetric-asymmetric.html in the Amazon Key Management Service Developer Guide.

The default KMS key (aws/dms) is created when you first launch a replication instance, if you haven't selected a custom KMS key from the Advanced section of the Create Replication Instance page. If you use the default KMS key, the only permissions you need to grant to the IAM user account you are using for migration are kms:ListAliases and kms:DescribeKey. For more information about using the default KMS key, see IAM permissions needed to use Amazon DMS.

To use a custom KMS key, assign permissions for the custom KMS key using one of the following options:

  • Add the IAM user account used for the migration as a key administrator or key user for the Amazon KMS custom key. Doing this ensures that necessary Amazon KMS permissions are granted to the IAM user account. This action is in addition to the IAM permissions that you grant to the IAM user account to use Amazon DMS. For more information about granting permissions to a key user, see Allows key users to use the KMS key in the Amazon Key Management Service Developer Guide.

  • If you don't want to add the IAM user account as a key administrator or key user for your custom KMS key, then add the following additional permissions to the IAM permissions that you must grant to the IAM user account to use Amazon DMS.

    {
        "Effect": "Allow",
        "Action": [
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:CreateGrant",
            "kms:Encrypt",
            "kms:ReEncrypt*"
        ],
        "Resource": "*"
    }
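Because the encryption key of a replication instance cannot be changed once the instance exists, it pays to check two things before creating it: that the migration principal's IAM policy grants every KMS action listed above (IAM evaluates `Action` patterns such as `kms:ReEncrypt*` as wildcards), and that the key is a symmetric, enabled key as the note above requires. The following is an added example, not AWS or DMS code: it runs those checks offline on dicts shaped like an IAM policy document and a `kms:DescribeKey` response. The key ARN, account ID and policies are constructed sample values, and the two-statement policy that scopes the key-specific actions to one key ARN (with `kms:ListAliases`, which is not key-scoped, kept on `"*"`) is a least-privilege variant suggested here, not the page's own wording.

```python
"""Preflight checks for a custom KMS key used with Amazon DMS (added example).

1. missing_dms_kms_actions(): which of the KMS actions DMS needs are NOT
   granted by any Allow statement that covers the key.
2. key_problems(): whether the key is symmetric and enabled.
All inputs are plain dicts, so no AWS credentials or network are needed.
"""
import fnmatch

# Actions the page lists for a custom key; the documented "kms:ReEncrypt*"
# expands to the two concrete ReEncrypt actions.
DMS_REQUIRED_KMS_ACTIONS = (
    "kms:ListAliases",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:Encrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_allowed(statement, action):
    """IAM matches Action patterns case-insensitively with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _resource_covers(statement, key_arn):
    return any(fnmatch.fnmatchcase(key_arn, resource)
               for resource in _as_list(statement.get("Resource", [])))


def missing_dms_kms_actions(policy, key_arn):
    """Return the required actions no Allow statement grants on key_arn.

    Deny statements and Condition blocks are ignored: a policy that passes
    here can still be blocked by an explicit Deny or by the key policy.
    """
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    return [action for action in DMS_REQUIRED_KMS_ACTIONS
            if not any(_action_allowed(s, action) and _resource_covers(s, key_arn)
                       for s in allows)]


def key_problems(describe_key_response):
    """Problems that would make a key unusable as a DMS encryption key."""
    md = describe_key_response["KeyMetadata"]
    problems = []
    spec = md.get("KeySpec", md.get("CustomerMasterKeySpec"))
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"key spec is {spec}; DMS supports only symmetric keys")
    if md.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("KeyUsage is not ENCRYPT_DECRYPT")
    if md.get("KeyState") != "Enabled":
        problems.append(f"key state is {md.get('KeyState')}, not Enabled")
    return problems


# --- constructed sample inputs (placeholder account ID and key ID) ---
KEY_ARN = ("arn:aws-cn:kms:cn-north-1:111122223333:key/"
           "00000000-0000-0000-0000-000000000000")

# The page's statement, split so key-specific actions are scoped to one key.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:Encrypt", "kms:ReEncrypt*"],
     "Resource": KEY_ARN},
]}

# Only the two permissions the default aws/dms key needs: not enough for a custom key.
DEFAULT_KEY_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:ListAliases", "kms:DescribeKey"], "Resource": "*"},
]}

SYMMETRIC_KEY = {"KeyMetadata": {"Arn": KEY_ARN, "KeySpec": "SYMMETRIC_DEFAULT",
                                 "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"}}
RSA_KEY = {"KeyMetadata": {"Arn": KEY_ARN, "KeySpec": "RSA_2048",
                           "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"}}

if __name__ == "__main__":
    print("scoped policy missing:", missing_dms_kms_actions(SCOPED_POLICY, KEY_ARN))
    print("default-key policy missing:", missing_dms_kms_actions(DEFAULT_KEY_ONLY_POLICY, KEY_ARN))
    print("symmetric key:", key_problems(SYMMETRIC_KEY))
    print("RSA key:", key_problems(RSA_KEY))
```

To use it against a real account, feed `missing_dms_kms_actions` the policy document returned by IAM and `key_problems` the dict returned by `boto3.client("kms").describe_key(KeyId=...)`.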

Amazon DMS also works with KMS key aliases. For more information about creating your own Amazon KMS keys and giving users access to a KMS key, see the Amazon KMS Developer Guide.

If you don't specify a KMS key identifier, then Amazon DMS uses your default encryption key. Amazon KMS creates the default encryption key for Amazon DMS for your Amazon account. Your Amazon account has a different default encryption key for each Amazon Region.

To manage the Amazon KMS keys used for encrypting your Amazon DMS resources, use the Amazon Key Management Service. Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using Amazon KMS, you can create encryption keys and define the policies that control how these keys can be used.

To find Amazon KMS in the Amazon Web Services Management Console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. Choose one of the following options to work with Amazon KMS keys:

    • To view the keys in your account that Amazon creates and manages for you, in the navigation pane, choose Amazon managed keys.

    • To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys.

Amazon KMS supports Amazon CloudTrail, so you can audit key usage to verify that keys are being used appropriately. Your Amazon KMS keys can be used in combination with Amazon DMS and supported Amazon services such as Amazon RDS, Amazon S3, Amazon Redshift, and Amazon EBS.

You can also create custom Amazon KMS keys specifically to encrypt target data for the following Amazon DMS endpoints:

  • Amazon S3 target endpoints

  • Amazon Redshift target endpoints

After you have created your Amazon DMS resources with a KMS key, you can't change the encryption key for those resources. Make sure to determine your encryption key requirements before you create your Amazon DMS resources.

Network security for Amazon Database Migration Service

The security requirements for the network you create when using Amazon Database Migration Service depend on how you configure the network. The general rules for network security for Amazon DMS are as follows:

  • The replication instance must have access to the source and target endpoints. The security group for the replication instance must have network ACLs or rules that allow egress from the instance out on the database port to the database endpoints.

  • Database endpoints must include network ACLs and security group rules that allow incoming access from the replication instance. You can achieve this using the replication instance's security group, the private IP address, the public IP address, or the NAT gateway's public address, depending on your configuration.

  • If your network uses a VPN tunnel, the Amazon EC2 instance acting as the NAT gateway must use a security group that has rules that allow the replication instance to send traffic through it.

By default, the VPC security group used by the Amazon DMS replication instance has rules that allow egress to 0.0.0.0/0 on all ports. If you modify this security group or use your own security group, egress must, at a minimum, be permitted to the source and target endpoints on the respective database ports.

The network configurations that you can use for database migration each require specific security considerations:

  • Configuration with all database migration components in one VPC – The security group used by the endpoints must allow ingress on the database port from the replication instance. Either reference the security group used by the replication instance in an ingress rule on the endpoints' security group, or create a rule in the endpoints' security group that allows access from the private IP address of the replication instance.

  • Configuration with multiple VPCs – The security group used by the replication instance must have a rule for the VPC range and the DB port on the database.

  • Configuration for a network to a VPC using Amazon Direct Connect or a VPN – A VPN tunnel allows traffic to tunnel from the VPC into an on-premises VPN. In this configuration, the VPC includes a routing rule that sends traffic destined for a specific IP address or range to a host that can bridge traffic from the VPC into the on-premises VPN. In this case, the NAT host includes its own security group settings that must allow traffic from the replication instance's private IP address or security group into the NAT instance.

  • Configuration for a network to a VPC using the internet – The VPC security group must include routing rules that send traffic not destined for the VPC to the Internet gateway. In this configuration, the connection to the endpoint appears to come from the public IP address on the replication instance.

  • Configuration with an RDS DB instance not in a VPC to a DB instance in a VPC using ClassicLink – When the source or target Amazon RDS DB instance is not in a VPC and does not share a security group with the VPC where the replication instance is located, you can set up a proxy server and use ClassicLink to connect the source and target databases.

  • Source endpoint is outside the VPC used by the replication instance and uses a NAT gateway – You can configure a network address translation (NAT) gateway using a single Elastic IP address bound to a single Elastic network interface. This Elastic network interface then receives a NAT identifier (nat-#####). If the VPC includes a default route to that NAT gateway instead of the internet gateway, the replication instance instead appears to contact the database endpoint using the public IP address of the internet gateway. In this case, the ingress to the database endpoint outside the VPC needs to allow ingress from the NAT address instead of the replication instance's public IP address.

  • VPC endpoints for non-RDBMS engines – Amazon DMS doesn’t support VPC endpoints for non-RDBMS engines.
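The two rules that every configuration above comes back to are that the replication instance's security group must allow egress on the database port to the endpoint, and the endpoint's security group must allow ingress on that port from the replication instance (by security-group reference, by its private IP address, or by the NAT address the connection appears to come from). The following is an added example, not AWS or DMS code: it evaluates those two rules offline over dicts shaped like the EC2 DescribeSecurityGroups output (`IpPermissions` / `IpPermissionsEgress` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges` and `UserIdGroupPairs`) and also flags the default allow-all egress so it can be tightened to the endpoints. The security group IDs and addresses are constructed sample values for the single-VPC configuration; IPv6 ranges and prefix lists are not evaluated.

```python
"""Security-group reachability checks for a DMS migration path (added example)."""
import ipaddress


def _rule_matches_port(rule, port):
    """True if the rule covers TCP traffic on `port` (or is an all-traffic rule)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # all protocols, no port fields present
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _rule_covers_peer(rule, peer_ip=None, peer_sg=None):
    """True if the rule names the peer by security-group ID or by an IPv4 CIDR."""
    if peer_sg and any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    if peer_ip:
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))
    return False


def egress_allows(sg, db_port, endpoint_ip):
    return any(_rule_matches_port(r, db_port) and _rule_covers_peer(r, peer_ip=endpoint_ip)
               for r in sg.get("IpPermissionsEgress", []))


def ingress_allows(sg, db_port, source_ip=None, source_sg=None):
    return any(_rule_matches_port(r, db_port) and _rule_covers_peer(r, source_ip, source_sg)
               for r in sg.get("IpPermissions", []))


def has_open_egress(sg):
    """The DMS default: all traffic to 0.0.0.0/0."""
    return any(r.get("IpProtocol") == "-1"
               and any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", []))
               for r in sg.get("IpPermissionsEgress", []))


def check_path(repl_sg, endpoint_sg, db_port, repl_private_ip, endpoint_ip):
    """Return a list of findings; an empty list means the path is allowed and tight."""
    findings = []
    if not egress_allows(repl_sg, db_port, endpoint_ip):
        findings.append(f"replication SG {repl_sg['GroupId']} has no egress to "
                        f"{endpoint_ip}:{db_port}")
    if not ingress_allows(endpoint_sg, db_port, repl_private_ip, repl_sg["GroupId"]):
        findings.append(f"endpoint SG {endpoint_sg['GroupId']} has no ingress on port "
                        f"{db_port} from the replication instance")
    if has_open_egress(repl_sg):
        findings.append(f"replication SG {repl_sg['GroupId']} allows all egress to 0.0.0.0/0; "
                        f"restrict it to the endpoints on their database ports")
    return findings


# --- constructed sample groups (placeholder IDs and addresses) ---
REPL_SG_DEFAULT = {"GroupId": "sg-0000000000repl", "IpPermissions": [],
                   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
REPL_SG_TIGHT = {"GroupId": "sg-0000000000repl", "IpPermissions": [],
                 "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                          "IpRanges": [{"CidrIp": "10.0.2.0/24"}]}]}
# Endpoint group that references the replication instance's group (recommended).
ENDPOINT_SG_OK = {"GroupId": "sg-00000000000db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-0000000000repl"}]}], "IpPermissionsEgress": []}
# Endpoint group that only admits a range the replication instance is not in.
ENDPOINT_SG_BAD = {"GroupId": "sg-00000000000db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}], "IpPermissionsEgress": []}

if __name__ == "__main__":
    for repl, ep in ((REPL_SG_DEFAULT, ENDPOINT_SG_OK), (REPL_SG_TIGHT, ENDPOINT_SG_OK),
                     (REPL_SG_TIGHT, ENDPOINT_SG_BAD)):
        print(check_path(repl, ep, 5432, "10.0.1.25", "10.0.2.40") or ["ok"])
```

For a real check, pass the `SecurityGroups` entries returned by `boto3.client("ec2").describe_security_groups(GroupIds=[...])`; in the NAT-gateway or internet configurations described above, pass the NAT or public address as `repl_private_ip`, since that is the source the endpoint sees.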

Changing the database password

In most situations, changing the database password for your source or target endpoint is straightforward. If you need to change the database password for an endpoint that you are currently using in a migration or replication task, the process needs a few additional steps. The following procedure shows how to do this.

To change the database password for an endpoint in a migration or replication task
  1. Sign in to the Amazon Web Services Management Console and open the Amazon DMS console at https://console.amazonaws.cn/dms/v2/.

    If you're signed in as an IAM user, make sure that you have the appropriate permissions to access Amazon DMS. For more information about the permissions required, see IAM permissions needed to use Amazon DMS.

  2. In the navigation pane, choose Database migration tasks.

  3. Choose the task that uses the endpoint you want to change the database password for, and then choose Stop.

  4. While the task is stopped, you can change the password of the database for the endpoint using the native tools you use to work with the database.

  5. Return to the DMS Management Console and choose Endpoints from the navigation pane.

  6. Choose the endpoint for the database you changed the password for, and then choose Modify.

  7. Type the new password in the Password box, and then choose Save.

  8. Choose Database migration tasks from the navigation pane.

  9. Choose the task that you stopped previously, and choose Restart/Resume.

  10. Choose either Restart or Resume, depending on how you want to continue the task, and then choose Start task.
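The same sequence can be scripted against the DMS API, which is useful when the password rotation is driven by a secrets-management job rather than by a person at the console. The following is an added example, not AWS or DMS code. It uses the boto3 DMS client operations `stop_replication_task`, the `replication_task_stopped` waiter, `modify_endpoint` and `start_replication_task`, but takes the client as a parameter so that the `RecordingDmsClient` below (a constructed stand-in that only records calls) lets the sequence run offline; the task and endpoint ARNs and the password are placeholders. Step 4 of the procedure, changing the password in the database itself with its native tools, is left to a caller-supplied callback because DMS cannot perform it.

```python
"""Rotate a DMS endpoint's database password around a running task (added example)."""


def rotate_endpoint_password(dms, task_arn, endpoint_arn, new_password,
                             change_db_password, resume=True):
    """Stop task -> change DB password natively -> update endpoint -> resume or restart.

    resume=True maps to the console's Resume (continue from the last checkpoint);
    resume=False maps to Restart (run the task from the beginning).
    Returns the StartReplicationTaskType that was used.
    """
    # Steps 2-3: stop the task and wait until DMS reports it stopped.
    dms.stop_replication_task(ReplicationTaskArn=task_arn)
    dms.get_waiter("replication_task_stopped").wait(
        Filters=[{"Name": "replication-task-arn", "Values": [task_arn]}])

    # Step 4: the database's own password change, done by the caller.
    change_db_password(new_password)

    # Steps 5-7: store the new password on the endpoint.
    dms.modify_endpoint(EndpointArn=endpoint_arn, Password=new_password)

    # Steps 8-10: continue the task.
    start_type = "resume-processing" if resume else "start-replication"
    dms.start_replication_task(ReplicationTaskArn=task_arn,
                               StartReplicationTaskType=start_type)
    return start_type


class RecordingDmsClient:
    """Constructed stand-in for boto3.client('dms'): records calls, touches nothing."""

    def __init__(self):
        self.calls = []

    def stop_replication_task(self, **kw):
        self.calls.append(("stop_replication_task", kw))
        return {}

    def get_waiter(self, name):
        client = self

        class _Waiter:
            def wait(self, **kw):
                client.calls.append(("wait:" + name, kw))
        return _Waiter()

    def modify_endpoint(self, **kw):
        # Never keep the secret in the call log.
        redacted = {k: ("***" if k == "Password" else v) for k, v in kw.items()}
        self.calls.append(("modify_endpoint", redacted))
        return {}

    def start_replication_task(self, **kw):
        self.calls.append(("start_replication_task", kw))
        return {}


def demo(resume=True):
    """Run the rotation against the recording client; returns the ordered call names."""
    dms = RecordingDmsClient()
    task_arn = "arn:aws-cn:dms:cn-north-1:111122223333:task:PLACEHOLDERTASK"
    endpoint_arn = "arn:aws-cn:dms:cn-north-1:111122223333:endpoint:PLACEHOLDERENDPOINT"

    def change_db_password(new_password):
        # Stand-in for the native ALTER USER / ALTER LOGIN run against the database.
        dms.calls.append(("native_db_password_change", {}))

    rotate_endpoint_password(dms, task_arn, endpoint_arn, "new-password-placeholder",
                             change_db_password, resume=resume)
    return [name for name, _ in dms.calls]


if __name__ == "__main__":
    # For a real run replace RecordingDmsClient() with boto3.client("dms").
    print(demo())
```

Pass `resume=False` when the task must be restarted rather than resumed, which corresponds to choosing Restart in the last step of the console procedure.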