AWS Database Migration Service controls
These controls are related to AWS DMS resources.
[DMS.1] Database Migration Service replication instances should not be public
Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.6, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::DMS::ReplicationInstance
AWS Config rule: dms-replication-not-public
Schedule type: Periodic
Parameters: None
This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field.
A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see Public and private replication instances in the AWS Database Migration Service User Guide.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.
This control isn't supported in the following Regions:
- Africa (Cape Town)
- Asia Pacific (Hyderabad)
- Europe (Milan)
- Europe (Spain)
- Europe (Zurich)
- Middle East (UAE)
Remediation
Note that you cannot change the public access setting once a replication instance is created. It must be deleted and recreated.
To configure the AWS DMS replication instances setting to block public access
- Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
- Navigate to Replication instances, then delete the public instance. Choose the instance, choose Actions, then choose Delete.
- Choose Create replication instance. Provide the configuration details.
- To disable public access, make sure that Publicly accessible is not selected.
- Choose Create.
For more information, see the section on Creating a replication instance in the AWS Database Migration Service User Guide.
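The following is an added example, not part of the AWS documentation, that ties the check above to the delete-and-recreate remediation: it evaluates a DescribeReplicationInstances response on the PubliclyAccessible field the way the dms-replication-not-public rule does, and builds the CreateReplicationInstance parameters that reproduce a non-compliant instance's configuration with public access off. All identifiers, ARNs and IDs in the sample data are constructed values.

```python
# Added example (not AWS code): evaluate DMS replication instances on PubliclyAccessible, as the
# dms-replication-not-public rule does, and derive create_replication_instance kwargs for recreating
# a public instance privately, since the setting cannot be changed in place. All IDs are constructed.

SAMPLE_RESPONSE = {  # shape follows the DMS DescribeReplicationInstances API response
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "example-public-repl",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEPUBLIC",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "MultiAZ": False,
            "PubliclyAccessible": True,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "example-private-subnets"},
        },
        {
            "ReplicationInstanceIdentifier": "example-private-repl",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEPRIVATE",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "MultiAZ": True,
            "PubliclyAccessible": False,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "example-private-subnets"},
        },
    ]
}

def evaluate(response):
    """Map each instance ARN to COMPLIANT/NON_COMPLIANT using only PubliclyAccessible,
    the field the control examines; a missing field is treated as not public."""
    return {
        inst["ReplicationInstanceArn"]: "NON_COMPLIANT" if inst.get("PubliclyAccessible") else "COMPLIANT"
        for inst in response["ReplicationInstances"]
    }

def recreate_params(inst):
    """Build kwargs for dms.create_replication_instance that mirror a public instance's
    configuration (class, storage, Multi-AZ, security groups, subnet group) with public access off."""
    return {
        "ReplicationInstanceIdentifier": inst["ReplicationInstanceIdentifier"],
        "ReplicationInstanceClass": inst["ReplicationInstanceClass"],
        "AllocatedStorage": inst["AllocatedStorage"],
        "MultiAZ": inst.get("MultiAZ", False),
        "VpcSecurityGroupIds": [sg["VpcSecurityGroupId"] for sg in inst.get("VpcSecurityGroups", [])],
        "ReplicationSubnetGroupIdentifier": inst["ReplicationSubnetGroup"]["ReplicationSubnetGroupIdentifier"],
        "PubliclyAccessible": False,  # the only setting that changes in the recreated instance
    }
```

Against a live account, feed evaluate() each page from boto3's describe_replication_instances paginator; recreate the instance with the returned parameters only after the public one has been deleted, because the identifier must be unique.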