
lacework-global-369

Database Migration Service (DMS) replication instances should not be public (Automated)

Description

This control checks whether AWS DMS replication instances are public by examining the value of the PubliclyAccessible field. A private replication instance has only a private IP address, which is not reachable from outside the replication network. A replication instance should be private when the source and target databases are in the same network, and that network must be connected to the replication instance's Virtual Private Cloud (VPC) by a Virtual Private Network (VPN), AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see Public and private replication instances in the AWS Database Migration Service User Guide: https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html#CHAP_ReplicationInstance.PublicPrivate.

Limit access to the AWS DMS instance configuration to authorized users only. To do this, restrict the Identity and Access Management (IAM) permissions that allow users to modify AWS DMS settings and resources.

Remediation

The public access setting of a DMS replication instance cannot be changed after creation.

To make an existing public instance private, create a replacement replication instance with the publicly accessible option disabled, re-create the replication tasks on it, and then delete the public instance.
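The check described above and the recreate-only remediation, as an added example (not Lacework's or AWS's code). It evaluates data shaped like the output of `aws dms describe-replication-instances` and derives the `create-replication-instance` parameters for a private replacement; the sample output, instance names, VPC, subnet group, security group and KMS identifiers are all constructed for illustration, and no AWS API is called.

```python
"""Offline evaluator for this control: flag DMS replication instances whose
PubliclyAccessible flag is set, and build the parameters for a private
replacement. Added example; sample data and identifiers are constructed.
"""
from typing import Any

# Constructed sample shaped like describe_replication_instances output.
# All identifiers are hypothetical; the public address is a TEST-NET-3 address.
SAMPLE_DESCRIBE_OUTPUT: dict[str, Any] = {
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "migration-public",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEPUBLIC",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "EngineVersion": "3.5.2",
            "MultiAZ": False,
            "AvailabilityZone": "us-east-1a",
            "PubliclyAccessible": True,
            "ReplicationSubnetGroup": {
                "ReplicationSubnetGroupIdentifier": "dms-subnets",
                "VpcId": "vpc-0123456789abcdef0",
            },
            "VpcSecurityGroups": [
                {"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}
            ],
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "ReplicationInstancePublicIpAddress": "203.0.113.10",
            "ReplicationInstancePrivateIpAddress": "10.0.1.25",
        },
        {
            "ReplicationInstanceIdentifier": "migration-private",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEPRIVATE",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "EngineVersion": "3.5.2",
            "MultiAZ": True,
            "PubliclyAccessible": False,
            "ReplicationSubnetGroup": {
                "ReplicationSubnetGroupIdentifier": "dms-subnets",
                "VpcId": "vpc-0123456789abcdef0",
            },
            "VpcSecurityGroups": [
                {"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}
            ],
            "ReplicationInstancePrivateIpAddress": "10.0.2.40",
        },
    ]
}


def find_public_instances(describe_output: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per replication instance that is not private.

    A finding records the identifier, the VPC and the public address that is
    reachable from outside the replication network. An instance that omits the
    flag is reported as well: CreateReplicationInstance defaults
    PubliclyAccessible to true, so an unknown value must not pass the check.
    """
    findings = []
    for inst in describe_output.get("ReplicationInstances", []):
        public = inst.get("PubliclyAccessible")
        if public is False:
            continue
        findings.append({
            "ReplicationInstanceIdentifier": inst["ReplicationInstanceIdentifier"],
            "VpcId": inst.get("ReplicationSubnetGroup", {}).get("VpcId"),
            "PublicIp": inst.get("ReplicationInstancePublicIpAddress"),
            "Reason": "PubliclyAccessible is true" if public else "PubliclyAccessible not reported",
        })
    return findings


def private_replacement_params(inst: dict[str, Any], new_identifier: str) -> dict[str, Any]:
    """Build CreateReplicationInstance parameters for a private replacement.

    ModifyReplicationInstance has no PubliclyAccessible parameter, so the only
    way to make a public instance private is to create a new one with the same
    class, storage, engine, subnet group, security groups and KMS key, re-create
    the tasks on it, and then delete the public instance.
    """
    params = {
        "ReplicationInstanceIdentifier": new_identifier,
        "ReplicationInstanceClass": inst["ReplicationInstanceClass"],
        "AllocatedStorage": inst["AllocatedStorage"],
        "EngineVersion": inst["EngineVersion"],
        "MultiAZ": inst.get("MultiAZ", False),
        "ReplicationSubnetGroupIdentifier": inst["ReplicationSubnetGroup"]["ReplicationSubnetGroupIdentifier"],
        "VpcSecurityGroupIds": [sg["VpcSecurityGroupId"] for sg in inst.get("VpcSecurityGroups", [])],
        "PubliclyAccessible": False,
    }
    # Optional attributes are copied only when the source instance reports them.
    if inst.get("AvailabilityZone"):
        params["AvailabilityZone"] = inst["AvailabilityZone"]
    if inst.get("KmsKeyId"):
        params["KmsKeyId"] = inst["KmsKeyId"]
    return params


if __name__ == "__main__":
    for finding in find_public_instances(SAMPLE_DESCRIBE_OUTPUT):
        print("NON-COMPLIANT:", finding)
    public = SAMPLE_DESCRIBE_OUTPUT["ReplicationInstances"][0]
    print(private_replacement_params(public, public["ReplicationInstanceIdentifier"] + "-private"))
```

Against live data, feed the `ReplicationInstances` list from `aws dms describe-replication-instances` into `find_public_instances`, and pass the returned parameters for a flagged instance to `aws dms create-replication-instance --no-publicly-accessible` (or boto3's `create_replication_instance`) after choosing a new identifier, since identifiers must be unique while the public instance still exists.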

References

https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-1
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html#CHAP_ReplicationInstance.PublicPrivate