📝 AWS DMS Replication Instance is publicly accessible 🟢

• Contextual name: 📝 Replication Instance is publicly accessible 🟢
• ID: /ce/ca/aws/dms/replication-instance-publicly-accessible
• Located in: 📁 AWS DMS

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• AWS Security Hub
  • [[DMS.1] Database Migration Service replication instances should not be public]([DMS.1] Database Migration Service replication instances should not be public (https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-1)]
• Internal
  • dec-x-e02b5fdd

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-e02b5fdd	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 AWS DMS Replication Instance
  • 🔌 AWS DMS Replication Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy checks that AWS Database Migration Service (DMS) Replication Instances are not public.

A DMS replication instance performs data migration between source and target databases.

Rationale

Public accessibility increases the attack surface and the likelihood of brute‑force or other intrusion attempts. Additionally, sensitive migration data could be intercepted if transmitted over the open internet.

To mitigate these risks, configure replication instances within private subnets and establish required connections using secure, private networking methods (e.g., VPC Peering, AWS Direct Connect, or VPN).

Audit

This policy marks an AWS DMS Replication Instance as INCOMPLIANT if the Publicly Accessible checkbox is set to true.

Remediation

Open File

Remediation

You cannot modify the PubliclyAccessible attribute of an existing DMS replication instance in‑place, you must delete the incompliant instance and recreate it with the correct setting.

From Command Line

Export the existing instance configuration

aws dms describe-replication-instances \
    --filters Name=replication-instance-arn,Values={{current-instance-arn}} \
    --output json > describe.json

Generate a CLI payload with PubliclyAccessible: false

Use jq to extract all mutable parameters, override the public‑access flag, and produce a JSON file for creation:

jq '
  .ReplicationInstances[0]
  | {
      ReplicationInstanceIdentifier,
      ReplicationInstanceClass,
      PubliclyAccessible: false,    # enforce private-only access
      AllocatedStorage,
      EngineVersion,
      ReplicationSubnetGroupIdentifier,
      VpcSecurityGroupIds,
      MultiAZ,
      AutoMinorVersionUpgrade,
      PreferredMaintenanceWindow
    }
' describe.json > create-instance.json

Alternatively, generate a CloudFormation template

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		28	30
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		34	37
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.1] Database Migration Service replication instances should not be public		1	1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			73
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	64
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	35	73
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	41
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	52
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			4
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	42
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			4
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			24
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			4
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			18
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			29
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		59
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			41
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		52
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			4
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		38
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			4
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			24
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		18	20
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		16	52
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		46	66
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			114
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			133
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			45
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			87
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			110
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			91
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			104
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			65
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 (7) ROLE-BASED SCHEMES		2	2
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	33
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			10
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	66	83
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		36	41
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	45
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		4
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	3	44
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			4
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			24
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			11
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			18
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			19
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			4
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			18
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	28
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		5	13
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			13
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			5
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			13
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			5
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			28
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			28
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			13
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			5
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			28
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			28
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			13
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			5
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		35	38