🛡️ AWS DMS Replication Instance is publicly accessible🟢

Contextual name: 🛡️ Replication Instance is publicly accessible🟢
ID: /ce/ca/aws/dms/replication-instance-publicly-accessible
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS DMS Replication Instance
- 🔌 AWS DMS Replication Instance - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [DMS.1] Database Migration Service replication instances should not be public
Internal: dec-x-e02b5fdd

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-e02b5fdd	1

Description

Open File

Description

This policy checks that AWS Database Migration Service (DMS) Replication Instances are not publicly accessible.

A DMS replication instance performs data migration between source and target databases.

Rationale

Public accessibility increases the attack surface and the likelihood of brute force or other intrusion attempts. Additionally, sensitive migration data could be intercepted if transmitted over the open internet.

To mitigate these risks, configure replication instances within private subnets and establish required connections using secure, private networking methods (e.g., VPC Peering, AWS Direct Connect, or VPN).

Audit

This policy marks an AWS DMS Replication Instance as INCOMPLIANT if the Publicly Accessible checkbox is set to true.

Remediation

Open File

Remediation

You cannot modify the PubliclyAccessible attribute of an existing DMS replication instance in place. You must delete the incompliant instance and recreate it with the correct setting.

From Command Line

Export the existing instance configuration
aws dms describe-replication-instances \
    --filters Name=replication-instance-arn,Values={{current-instance-arn}} \
    --output json > describe.json
Generate a CLI payload with PubliclyAccessible: false

Use jq to extract all mutable parameters, override the public-access flag, and produce a JSON file for creation:
jq '
  .ReplicationInstances[0]
  | {
      ReplicationInstanceIdentifier,
      ReplicationInstanceClass,
      PubliclyAccessible: false,    # enforce private-only access
      AllocatedStorage,
      EngineVersion,
      ReplicationSubnetGroupIdentifier,
      VpcSecurityGroupIds,
      MultiAZ,
      AutoMinorVersionUpgrade,
      PreferredMaintenanceWindow
    }
' describe.json > create-instance.json
Alternatively, generate a CloudFormation template

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		29	30	no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.1] Database Migration Service replication instances should not be public		1	1	no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			116	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		19	20	no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 (7) ROLE-BASED SCHEMES		2	2	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37	no data
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	39	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	65	no data
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	8	42	no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	28	no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			28	no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			15	no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			28	no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			15	no data
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			34	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			65	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65	no data
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			19	no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			28	no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		24	34	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	65	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65	no data
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.		7	19	no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	28	no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

From Command Line​

Export the existing instance configuration​

Generate a CLI payload with PubliclyAccessible: false​

Alternatively, generate a CloudFormation template​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

Remediation

Remediation

From Command Line

Export the existing instance configuration

Generate a CLI payload with `PubliclyAccessible: false`

Alternatively, generate a CloudFormation template

policy.yaml

Linked Framework Sections