Ensure that your Amazon Database Migration Service (DMS) replication instances are not publicly accessible from the Internet in order to avoid exposing private data and minimize security risks. A DMS replication instance should have a private IP address and the Publicly Accessible feature disabled when both the source and the target databases are in the same network that is connected to the instance's VPC through a VPN, VPC peering connection, or an AWS Direct Connect dedicated connection.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When your AWS DMS replication instances are publicly accessible and have public IP addresses, any machine outside the VPC can establish a connection to these instances, increasing the attack surface and the opportunity for malicious activity. The level of access your replication instances require depends on their use case; however, for most use cases the instances should be privately accessible only from within your Amazon Virtual Private Cloud (VPC).
To determine if your DMS replication instances are publicly accessible, perform the following actions:
To disable public accessibility for your Amazon DMS replication instances, you must re-create these instances with the necessary configuration in order to be reachable only within your VPC network. To relaunch and configure your AWS DMS replication instances, perform the following actions:
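The audit check above can also be scripted. The following is an added example (not Cloud Conformity's or AWS's own code) that evaluates the rule over the shape returned by boto3's `describe_replication_instances` call, flagging an instance when its Publicly Accessible flag is on or a public IP address is reported; the sample data, identifiers and addresses are constructed, and the live fetch is optional so the check runs offline.

```python
"""Audit AWS DMS replication instances for public accessibility (added example)."""
from typing import Dict, Iterable, List

# Constructed sample in the shape of describe_replication_instances()["ReplicationInstances"].
# Identifiers, ARNs and addresses below are made up for illustration.
SAMPLE_INSTANCES: List[Dict] = [
    {
        "ReplicationInstanceIdentifier": "dms-prod-migration",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE1",
        "PubliclyAccessible": True,
        "ReplicationInstancePublicIpAddress": "203.0.113.10",
        "ReplicationInstancePrivateIpAddress": "10.0.1.25",
    },
    {
        "ReplicationInstanceIdentifier": "dms-internal-replica",
        "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE2",
        "PubliclyAccessible": False,
        "ReplicationInstancePrivateIpAddress": "10.0.2.40",
    },
]


def is_publicly_exposed(instance: Dict) -> bool:
    """True if the Publicly Accessible flag is set or a public IP is reported.

    The flag is the documented control; a reported public address is the
    observable symptom, so both are checked to avoid missing an exposed instance.
    """
    flag = bool(instance.get("PubliclyAccessible", False))
    candidates = [instance.get("ReplicationInstancePublicIpAddress")]
    candidates.extend(instance.get("ReplicationInstancePublicIpAddresses", []))
    return flag or any(ip for ip in candidates if ip)


def find_public_instances(instances: Iterable[Dict]) -> List[str]:
    """Return the identifiers of replication instances that fail the rule."""
    return [i["ReplicationInstanceIdentifier"] for i in instances if is_publicly_exposed(i)]


def fetch_live_instances(region: str) -> List[Dict]:
    """Fetch every replication instance in a region (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline check does not require it
    client = boto3.client("dms", region_name=region)
    instances: List[Dict] = []
    for page in client.get_paginator("describe_replication_instances").paginate():
        instances.extend(page["ReplicationInstances"])
    return instances


if __name__ == "__main__":
    for ident in find_public_instances(SAMPLE_INSTANCES):
        print(f"NON-COMPLIANT: {ident} is publicly accessible")
```

To audit a real account, replace `SAMPLE_INSTANCES` with `fetch_live_instances("<region>")` and run it per region in which DMS is used.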