🛡️ AWS DMS Endpoint doesn't use SSL🟢

Contextual name: 🛡️ Endpoint doesn't use SSL🟢
ID: /ce/ca/aws/dms/endpoint-ssl
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS DMS Endpoint
- 🔌 AWS DMS Endpoint - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [DMS.9] DMS endpoints should use SSL
Internal: dec-x-a4e03389

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a4e03389	1

Description

Open File

Description

Ensure that all applicable AWS DMS endpoints are configured to use Secure Sockets Layer (SSL) to encrypt data in transit. AWS DMS establishes connections to your source and target data stores using these endpoints.

Supported SSL modes:

require – Encrypts the connection using SSL/TLS without certificate authority (CA) verification. Provides baseline encryption with minimal configuration.

verify-ca – Encrypts the connection and verifies the server’s certificate against a trusted CA. Enhances authenticity by validating the certificate chain.

verify-full – Encrypts the connection, validates the server’s certificate, and ensures the certificate’s hostname matches the endpoint’s configured hostname. Offers the highest level of trust and integrity.

Not all SSL modes work with all database endpoints. The following table shows which SSL modes are supported for each database engine.

DB engine none require verify-ca verify-full
MySQL/MariaDB/Amazon Aurora MySQL Default Not supported Supported Supported

... see more

DB engine	none	require	verify-ca	verify-full
`MySQL/MariaDB/Amazon Aurora MySQL`	Default	Not supported	Supported	Supported

Remediation

Open File

Remediation

From Command Line

Import the CA Certificate into DMS

If you do not yet have your CA certificate registered with DMS, import it first:
aws dms import-certificate \
    --certificate-identifier {{cert-identifier}} \
    --certificate-pem file://{{path-to-cert}}.pem
Sample output:
{
  "Certificate": {
    "CertificateIdentifier": "{{cert-identifier}}",
    "CertificateCreationDate": "2025-07-11T18:00:00Z",
    "CertificateArn": "{{cert-arn}}"
  }
}
Note the {{cert-arn}} for use in the next step.

Enable SSL on the Endpoint
aws dms modify-endpoint \
    --endpoint-arn {{endpoint-arn}} \
    --ssl-mode require \
    --certificate-arn {{cert-arn}}
--ssl-mode: Choose one of require, verify-ca, or verify-full according to your security requirements.

Test the Endpoint Connection
aws dms test-connection \
    --replication-instance-arn {{replication-instance-arn}} \
    --endpoint-arn {{endpoint-arn}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.9] DMS endpoints should use SSL		1	1	no data
💼 Cloudaware Framework → 💼 Data Encryption			66	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	95	no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			41	no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	23	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	22	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	40	no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	19	no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		23	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			22	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		79	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			41	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		23	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			22	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			19	no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		5	5	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	15	no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44	no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27	no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			162	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			81	no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			173	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			149	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			169	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			112	no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-13 CRYPTOGRAPHIC PROTECTION	4	2	2	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	110	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			41	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		29	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		13	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			12	no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16	no data
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	10	no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	27	no data
💼 PCI DSS v3.2.1 → 💼 4.2 Never send unprotected PANs by enduser messaging technologies.			4	no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16	no data
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			10	no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		27	no data
💼 PCI DSS v4.0.1 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.			4	no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16	no data
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	10	no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	27	no data
💼 PCI DSS v4.0 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.		3	4	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Remediation​

Remediation​

From Command Line​

Import the CA Certificate into DMS​

Enable SSL on the Endpoint​

Test the Endpoint Connection​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Remediation

Remediation

From Command Line

Import the CA Certificate into DMS

Enable SSL on the Endpoint

Test the Endpoint Connection

policy.yaml

Linked Framework Sections