📝 AWS DMS Endpoint doesn't use SSL 🟢

• Contextual name: 📝 Endpoint doesn't use SSL 🟢
• ID: /ce/ca/aws/dms/endpoint-ssl
• Located in: 📁 AWS DMS

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• AWS Security Hub
  • [[DMS.9] DMS endpoints should use SSL]([DMS.9] DMS endpoints should use SSL (https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-9)]
• Internal
  • dec-x-a4e03389

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a4e03389	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 AWS DMS Endpoint
  • 🔌 AWS DMS Endpoint - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that all applicable AWS DMS endpoints are configured to use Secure Sockets Layer (SSL) to encrypt data in transit. AWS DMS establishes connections to your source and target data stores using these endpoints.

Supported SSL modes:

• require – Encrypts the connection using SSL/TLS without certificate authority (CA) verification. Provides baseline encryption with minimal configuration.

• verify-ca – Encrypts the connection and verifies the server’s certificate against a trusted CA. Enhances authenticity by validating the certificate chain.

• verify-full – Encrypts the connection, validates the server’s certificate, and ensures the certificate’s hostname matches the endpoint’s configured hostname. Offers the highest level of trust and integrity.

Not all SSL modes work with all database endpoints. The following table shows which SSL modes are supported for each database engine.

DB engine	none	require	verify-ca	verify-full
MySQL/MariaDB/Amazon Aurora MySQL	Default	Not supported	Supported	Supported

... see more

Remediation

Open File

Remediation

From Command Line

Import the CA Certificate into DMS

If you do not yet have your CA certificate registered with DMS, import it first:

aws dms import-certificate \
    --certificate-identifier {{cert-identifier}} \
    --certificate-pem file://{{path-to-cert}}.pem

Sample output:

{
  "Certificate": {
    "CertificateIdentifier": "{{cert-identifier}}",
    "CertificateCreationDate": "2025-07-11T18:00:00Z",
    "CertificateArn": "{{cert-arn}}"
  }
}

Note the {{cert-arn}} for use in the next step.

Enable SSL on the Endpoint

aws dms modify-endpoint \
    --endpoint-arn {{endpoint-arn}} \
    --ssl-mode require \
    --certificate-arn {{cert-arn}}

--ssl-mode: Choose one of require, verify-ca, or verify-full according to your security requirements.

Test the Endpoint Connection

aws dms test-connection \
    --replication-instance-arn {{replication-instance-arn}} \
    --endpoint-arn {{endpoint-arn}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.9] DMS endpoints should use SSL		1	1
💼 Cloudaware Framework → 💼 Data Encryption			42
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	36	75
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		25	26
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			25
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	17
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	16
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	24
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	13
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		17
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		60
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			25
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		17
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			13
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		5	5
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	14
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	22
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	31
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	66
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	26
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	22
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			134
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			45
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			22
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			114
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			94
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			66
💼 NIST SP 800-53 Revision 4 → 💼 SC-13 CRYPTOGRAPHIC PROTECTION	4	2	2
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	85
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			25
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	16
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	15
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			7
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		13
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		7
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			6
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	8
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	21
💼 PCI DSS v3.2.1 → 💼 4.2 Never send unprotected PANs by enduser messaging technologies.			4
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			8
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		21
💼 PCI DSS v4.0.1 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.			4
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	8
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	21
💼 PCI DSS v4.0 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.		3	4