Profile Applicability

  • Level 2

Description

Publicly accessible DMS replication instances can expose your data to unauthorized access over the internet, posing significant security risks. By disabling public accessibility, you can restrict access to the instances and ensure they are reachable only from within a secure network, such as a Virtual Private Cloud (VPC).

Rationale

  • Enhanced Security: Prevents unauthorized access to DMS instances from the internet.

  • Risk Mitigation: Reduces the risk of data exposure or compromise.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Ensures that DMS instances are accessible only from trusted private networks.

  • Reduces the attack surface for data migration processes.

  • Improves compliance with security and governance frameworks.

Cons:

  • May require additional configuration for private network access or VPNs.

  • Less convenient for users who need direct internet access to the instance.

Default Value

By default, DMS replication instances are publicly accessible. You must explicitly disable this option during instance creation or modification.

Prerequisites

IAM Permissions Required:

  • dms:DescribeReplicationInstances

  • dms:ModifyReplicationInstance

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Replication Instances.

  3. For each replication instance, check the Publicly Accessible field under the instance's configuration. Ensure it is set to No.

Using AWS CLI:

  1. Describe the replication instance:

    aws dms describe-replication-instances --filters Name=replication-instance-id,Values=<instance-id>

  2. Check the PubliclyAccessible field in the output. Ensure it is set to false.
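The same PubliclyAccessible check, scripted so it covers every replication instance in the region instead of one instance id at a time. This is an added example, not part of the benchmark text: it reads the response shape of describe-replication-instances, treats a missing flag as a finding (fail closed), and the live path assumes boto3 is installed. The sample response and its ARNs, account id and IP are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample in the shape of `aws dms describe-replication-instances`
# output; the ARNs, account id and IP address are placeholders, not real resources.
SAMPLE_RESPONSE: Dict = {
    "ReplicationInstances": [
        {"ReplicationInstanceIdentifier": "migration-private",
         "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE1",
         "PubliclyAccessible": False,
         "ReplicationInstancePublicIpAddresses": []},
        {"ReplicationInstanceIdentifier": "migration-public",
         "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE2",
         "PubliclyAccessible": True,
         "ReplicationInstancePublicIpAddresses": ["203.0.113.10"]},
        # Field absent: reported as a finding so the audit fails closed.
        {"ReplicationInstanceIdentifier": "migration-unknown",
         "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:EXAMPLE3"},
    ]
}


def find_public_instances(response: Dict) -> List[Dict]:
    """One finding per instance that is publicly accessible or whose flag is
    missing; each carries id, ARN, public IPs and a reason for the ticket."""
    findings = []
    for inst in response.get("ReplicationInstances", []):
        flag = inst.get("PubliclyAccessible")
        if flag is False:
            continue  # compliant: reachable only from inside the VPC
        findings.append({
            "id": inst.get("ReplicationInstanceIdentifier"),
            "arn": inst.get("ReplicationInstanceArn"),
            "public_ips": inst.get("ReplicationInstancePublicIpAddresses", []),
            "reason": ("PubliclyAccessible is true" if flag
                       else "PubliclyAccessible missing from response; verify manually"),
        })
    return findings


def audit_live(region=None) -> List[Dict]:
    """Same check against a real account: needs boto3 (assumed installed) and
    dms:DescribeReplicationInstances; pages through every instance in the region."""
    import boto3  # imported lazily so the offline sample runs without boto3
    client = boto3.client("dms", region_name=region)
    instances = []
    for page in client.get_paginator("describe_replication_instances").paginate():
        instances.extend(page.get("ReplicationInstances", []))
    return find_public_instances({"ReplicationInstances": instances})
```

Running find_public_instances(SAMPLE_RESPONSE) reports migration-public (with its public IP) and migration-unknown; migration-private passes.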

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Replication Instances.

  2. Select the replication instance to update.

  3. Click Modify and set Publicly Accessible to No.

  4. Save the changes.

Using AWS CLI:

  1. Disable public accessibility for the replication instance:

    aws dms modify-replication-instance \
    --replication-instance-arn <instance-arn> \
    --no-publicly-accessible

  2. Verify the updated configuration:

    aws dms describe-replication-instances --filters Name=replication-instance-id,Values=<instance-id>

Backout Plan

Using AWS Console:

  1. If making the DMS instance non-public causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the replication instance, and go to the Modify settings.

  3. Set Publicly Accessible back to Yes and save the changes.

  4. Verify that the DMS instance is once again publicly accessible if needed.

Using AWS CLI:

  1. If you need to re-enable public access, run:

    aws dms modify-replication-instance --replication-instance-arn <REPLICATION_INSTANCE_ARN> --publicly-accessible

  2. Verify the changes by retrieving the instance details:

    aws dms describe-replication-instances --filters Name=replication-instance-arn,Values=<REPLICATION_INSTANCE_ARN>

References

CIS Controls

  Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.        |     |     |
  v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |