Ensure that your Amazon Database Migration Service (DMS) replication instances are not publicly accessible from the Internet, in order to avoid exposing private data and to minimize security risks. A DMS replication instance should have a private IP address only and the Publicly Accessible feature disabled when both the source and the target databases sit in the same network, connected to the instance's VPC through a VPN, a VPC peering connection, or an AWS Direct Connect dedicated connection.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When your AWS DMS replication instances are publicly accessible and have public IP addresses, any machine outside the VPC can attempt a connection to them, which increases the attack surface and the opportunity for malicious activity. The level of access a replication instance needs depends on its use case, but for most use cases the instance should be reachable only privately, from within your Amazon Virtual Private Cloud (VPC).
Audit
To determine if your DMS replication instances are publicly accessible, perform the following actions:
Remediation / Resolution
To disable public accessibility for your Amazon DMS replication instances, you must re-create these instances with the necessary configuration in order to be reachable only within your VPC network. To relaunch and configure your AWS DMS replication instances, perform the following actions:
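The audit and the re-creation described in the two sections above can be scripted against the output of `aws dms describe-replication-instances`. The block below is an added example, not Cloud Conformity's or AWS's own tooling: it parses a constructed sample of that output, flags every instance whose `PubliclyAccessible` flag is set or that carries a public IP address, and drafts the `aws dms create-replication-instance` command (with `--no-publicly-accessible`) and the matching `delete-replication-instance` command for the replacement. The field names and CLI flags follow the DMS API; the sample values, the `-private` suffix for the new identifier and the helper names are assumptions.

```python
"""Audit DMS replication instances for public accessibility and draft the
private replacement (example code added for this page; not Cloud Conformity's
or AWS's own tooling)."""
import json
import shlex

# Constructed sample in the shape of `aws dms describe-replication-instances`
# output. Field names follow the DMS API; every value is invented.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "dms-public-example",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLEPUBLIC",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "AvailabilityZone": "us-east-1a",
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private-subnets"},
            "MultiAZ": False,
            "EngineVersion": "3.5.1",
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY",
            "PubliclyAccessible": True,                         # fails the rule
            "ReplicationInstancePublicIpAddresses": ["203.0.113.10"],
            "ReplicationInstancePrivateIpAddresses": ["10.0.1.25"],
        },
        {
            "ReplicationInstanceIdentifier": "dms-private-example",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLEPRIVATE",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "AvailabilityZone": "us-east-1a",
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private-subnets"},
            "MultiAZ": True,
            "EngineVersion": "3.5.1",
            "PubliclyAccessible": False,                        # compliant
            "ReplicationInstancePublicIpAddresses": [],
            "ReplicationInstancePrivateIpAddresses": ["10.0.2.40"],
        },
    ]
})


def find_public_instances(describe_json):
    """Return the instances that fail the rule.

    An instance is flagged when PubliclyAccessible is true OR it carries a
    public IP address, so a missing or stale flag does not hide a public
    endpoint.
    """
    data = json.loads(describe_json)
    return [
        inst for inst in data.get("ReplicationInstances", [])
        if inst.get("PubliclyAccessible")
        or inst.get("ReplicationInstancePublicIpAddresses")
    ]


def build_private_replacement(inst, new_identifier=None):
    """Draft the create-replication-instance argv that recreates `inst` with
    the same sizing and network placement but with public access disabled.
    Identifiers must be unique per account/region, so the copy gets a new
    name (assumption: "<old>-private")."""
    new_identifier = new_identifier or inst["ReplicationInstanceIdentifier"] + "-private"
    argv = [
        "aws", "dms", "create-replication-instance",
        "--replication-instance-identifier", new_identifier,
        "--replication-instance-class", inst["ReplicationInstanceClass"],
        "--allocated-storage", str(inst["AllocatedStorage"]),
        "--replication-subnet-group-identifier",
        inst["ReplicationSubnetGroup"]["ReplicationSubnetGroupIdentifier"],
        "--availability-zone", inst["AvailabilityZone"],
        "--engine-version", inst["EngineVersion"],
        "--multi-az" if inst.get("MultiAZ") else "--no-multi-az",
        "--no-publicly-accessible",                      # the actual fix
    ]
    sgs = [g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])]
    if sgs:
        argv += ["--vpc-security-group-ids", *sgs]
    if inst.get("KmsKeyId"):                            # keep the same CMK
        argv += ["--kms-key-id", inst["KmsKeyId"]]
    return argv


def build_delete_command(inst):
    """delete-replication-instance for the old public instance. Replication
    tasks are bound to the instance they were created on, so re-create them
    on the private instance before running this."""
    return ["aws", "dms", "delete-replication-instance",
            "--replication-instance-arn", inst["ReplicationInstanceArn"]]


if __name__ == "__main__":
    for inst in find_public_instances(SAMPLE_DESCRIBE_OUTPUT):
        print("# NON-COMPLIANT:", inst["ReplicationInstanceIdentifier"],
              inst.get("ReplicationInstancePublicIpAddresses"))
        print(shlex.join(build_private_replacement(inst)))
        print(shlex.join(build_delete_command(inst)))
```

Against a live account, pipe `aws dms describe-replication-instances --output json` into `find_public_instances` instead of the constructed sample; the drafted commands are printed rather than executed so they can be reviewed, in particular the new identifier and the order of task migration, before anything is deleted.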
References
- AWS Documentation
- AWS Database Migration Service FAQs
- How AWS Database Migration Service Works
- Working with an AWS DMS Replication Instance
- AWS Command Line Interface (CLI) Documentation
  - dms
  - describe-replication-instances
  - create-replication-instance
  - delete-replication-instance
Rule audited: Publicly Accessible DMS Replication Instances
Risk level: High