Ensure DMS replication instance is not publicly accessible

ID

dms_replication_instance_public_access

Severity

critical

Vendor

AWS

Resource

DMS Replication Instance

Tags

reachable

Description

AWS Database Migration Service (DMS) helps to migrate databases to AWS easily and securely while the source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.

An AWS DMS replication instance can have one public IP address and one private IP address, just like an Amazon Elastic Compute Cloud (Amazon EC2) instance that has been given a public IP address.

If you uncheck (disable) the Publicly accessible box, the replication instance has only a private IP address. It can then communicate only with hosts in the same Amazon Virtual Private Cloud (Amazon VPC) that can route to that private address, or with hosts connected to the VPC privately (for example over VPC peering, a VPN, or AWS Direct Connect).

Keeping the replication instance confined to the VPC is the preferable option from a security perspective: a public IP address exposes an instance that holds credentials for, and carries data from, your source and target databases to the internet, with only its security group rules in between.
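The following is an added example of how this check can be implemented, both against a CloudFormation template at build time and against the output of the DMS DescribeReplicationInstances API at run time. It is not the policy engine's own code; the template and the API response below are constructed samples, and the resource names in them are hypothetical. A missing PubliclyAccessible property is treated as a failure because the DMS CreateReplicationInstance API defaults it to true when the property is omitted.

```python
"""Build-time and run-time checks for publicly accessible DMS replication instances.

Added example for this policy page; not the scanner's own implementation.
"""
from typing import Any

DMS_INSTANCE_TYPE = "AWS::DMS::ReplicationInstance"


def _is_public(value: Any) -> bool:
    """Normalize a PubliclyAccessible value to a bool.

    Templates may carry the value as a bool or as the strings "true"/"false"
    (for example when it is fed in from a parameter). A missing value counts
    as public, because the DMS CreateReplicationInstance API defaults
    PubliclyAccessible to true when the property is omitted.
    """
    if value is None:
        return True
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_cloudformation(template: dict) -> dict[str, str]:
    """Return {logical_id: "PASS" | "FAIL"} for every DMS replication instance in the template."""
    results: dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != DMS_INSTANCE_TYPE:
            continue
        props = resource.get("Properties") or {}
        results[logical_id] = "FAIL" if _is_public(props.get("PubliclyAccessible")) else "PASS"
    return results


def public_instances_from_api(response: dict) -> list[str]:
    """Return the identifiers of deployed instances that have a public IP address.

    `response` has the shape returned by boto3 `dms.describe_replication_instances()`
    or `aws dms describe-replication-instances`: a ReplicationInstances list whose
    items carry ReplicationInstanceIdentifier and PubliclyAccessible.
    """
    return [
        inst["ReplicationInstanceIdentifier"]
        for inst in response.get("ReplicationInstances", [])
        if _is_public(inst.get("PubliclyAccessible"))
    ]


# Constructed sample template: one explicit true, one explicit false, one omitted,
# plus an unrelated resource the check must ignore. Names are hypothetical.
SAMPLE_TEMPLATE = {
    "Resources": {
        "PublicInstance": {
            "Type": DMS_INSTANCE_TYPE,
            "Properties": {"PubliclyAccessible": True, "ReplicationInstanceClass": "dms.c4.large"},
        },
        "PrivateInstance": {
            "Type": DMS_INSTANCE_TYPE,
            "Properties": {"PubliclyAccessible": "false", "ReplicationInstanceClass": "dms.c4.large"},
        },
        "DefaultInstance": {
            "Type": DMS_INSTANCE_TYPE,
            "Properties": {"ReplicationInstanceClass": "dms.c4.large"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}

# Constructed sample of a DescribeReplicationInstances response (trimmed to the
# fields the check uses). Identifiers and addresses are hypothetical.
SAMPLE_API_RESPONSE = {
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "migration-prod",
            "PubliclyAccessible": True,
            "ReplicationInstancePublicIpAddresses": ["203.0.113.10"],
        },
        {
            "ReplicationInstanceIdentifier": "migration-private",
            "PubliclyAccessible": False,
        },
    ]
}

if __name__ == "__main__":
    for logical_id, verdict in check_cloudformation(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {verdict}")
    print("public at runtime:", public_instances_from_api(SAMPLE_API_RESPONSE))
```

To run the run-time half against a real account, pass `boto3.client("dms").describe_replication_instances()` to `public_instances_from_api`; the build-time half takes any CloudFormation template already loaded into a dict (for example with `json.load` or a YAML loader that understands CloudFormation tags).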

Examples

CloudFormation

{
  "Resources": {
    "Resource0": {
      "Type": "AWS::DMS::ReplicationInstance",
      "Properties": {
        "PubliclyAccessible": true, (1)
        "ReplicationInstanceClass": "dms.c4.large"
      }
    }
  }
}
1 PubliclyAccessible set to true means it is publicly accessible.
Resources:
  Resource0:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      PubliclyAccessible: true (1)
      ReplicationInstanceClass: dms.c4.large
1 PubliclyAccessible set to true means it is publicly accessible.

Terraform

resource "aws_dms_replication_instance" "example" {
  replication_instance_id    = "example-replication-instance"
  replication_instance_class = "dms.c4.large"
  engine_version             = "3.1.4"
  multi_az                   = false
  publicly_accessible        = true (1)
}
1 The publicly_accessible attribute set to true means the instance is publicly accessible.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Resource0": {
      "Type": "AWS::DMS::ReplicationInstance",
      "Properties": {
        "PubliclyAccessible": false, (1)
        "ReplicationInstanceClass": "dms.c4.large"
      }
    }
  }
}
1 PubliclyAccessible set to false means it is not publicly accessible. Set the property explicitly: if it is omitted, the DMS API defaults it to true and the instance is created with a public IP address.
Resources:
  Resource0:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      PubliclyAccessible: false (1)
      ReplicationInstanceClass: dms.c4.large
1 PubliclyAccessible set to false means it is not publicly accessible.

Terraform

resource "aws_dms_replication_instance" "example" {
  replication_instance_id    = "example-replication-instance"
  replication_instance_class = "dms.c4.large"
  engine_version             = "3.1.4"
  multi_az                   = false
  publicly_accessible        = false (1)
}
1 Ensure the publicly_accessible attribute is set to false. The Terraform provider's default is also false, so omitting the attribute is safe here, unlike in CloudFormation.