Remediation
You cannot modify the PubliclyAccessible attribute of an existing DMS replication instance in place; you must delete the non-compliant instance and recreate it with the correct setting.
From Command Line
Export the existing instance configuration
aws dms describe-replication-instances \
--filters Name=replication-instance-arn,Values={{current-instance-arn}} \
--output json > describe.json
Generate a CLI payload with PubliclyAccessible: false
Use jq to extract all mutable parameters, override the public-access flag, and produce a JSON file for creation. Note that the describe output nests the subnet group and the security groups as objects, while the create call expects plain identifiers, so those two fields are mapped rather than copied:
jq '
.ReplicationInstances[0]
| {
    ReplicationInstanceIdentifier,
    ReplicationInstanceClass,
    PubliclyAccessible: false, # enforce private-only access
    AllocatedStorage,
    EngineVersion,
    # describe returns nested objects; create expects the bare identifiers
    ReplicationSubnetGroupIdentifier: .ReplicationSubnetGroup.ReplicationSubnetGroupIdentifier,
    VpcSecurityGroupIds: [.VpcSecurityGroups[].VpcSecurityGroupId],
    MultiAZ,
    AutoMinorVersionUpgrade,
    PreferredMaintenanceWindow
  }
| with_entries(select(.value != null)) # drop optional fields the instance never set
' describe.json > create-instance.json
Alternatively, generate a CloudFormation template
jq '
{
  AWSTemplateFormatVersion: "2010-09-09",
  Description: "Imported DMS instance (public access disabled)",
  Resources: {
    ImportedDMSInstance: {
      Type: "AWS::DMS::ReplicationInstance",
      # parentheses make the pipeline a single value expression for the Properties key
      Properties: (
        .ReplicationInstances[0]
        | {
            ReplicationInstanceIdentifier,
            ReplicationInstanceClass,
            PubliclyAccessible: false,
            AllocatedStorage,
            EngineVersion,
            ReplicationSubnetGroupIdentifier: .ReplicationSubnetGroup.ReplicationSubnetGroupIdentifier,
            VpcSecurityGroupIds: [.VpcSecurityGroups[].VpcSecurityGroupId],
            MultiAZ,
            KmsKeyId
          }
        | with_entries(select(.value != null))
      )
    }
  }
}
' describe.json > cf_template.json
Note: Adjust the list inside | { … } to include any other mutable fields you need. Leave out ReplicationInstanceArn, Status, EndpointArn and other read-only attributes.
Provision the new replication instance
aws dms create-replication-instance \
--cli-input-json file://create-instance.json
This will spin up a new DMS replication instance that mirrors the original configuration, except with public accessibility disabled.
Delete the non-compliant instance
aws dms delete-replication-instance \
--replication-instance-arn {{current-instance-arn}}
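The same transformation as the jq pipeline above, carried out in Python so it can run offline against a saved describe.json and be checked step by step. This is an added example, not part of the original page or of any AWS tooling: the describe output is a constructed sample (made-up ARNs, IDs and names), and `public_instance_arns` and `build_create_payload` are hypothetical helper names. It also covers the one operational detail the CLI steps leave implicit: DMS rejects a create call whose ReplicationInstanceIdentifier is already in use (ResourceAlreadyExistsFault), so when the old instance is still running the replacement needs a new identifier, which the optional `new_identifier` argument supplies.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample of `aws dms describe-replication-instances` output.
# Nothing here refers to a real account; ARNs, IDs and names are made up.
SAMPLE_DESCRIBE: Dict[str, Any] = json.loads("""
{
  "ReplicationInstances": [
    {
      "ReplicationInstanceIdentifier": "prod-dms-1",
      "ReplicationInstanceClass": "dms.t3.medium",
      "ReplicationInstanceStatus": "available",
      "AllocatedStorage": 50,
      "InstanceCreateTime": "2024-01-10T12:00:00Z",
      "VpcSecurityGroups": [
        {"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}
      ],
      "AvailabilityZone": "us-east-1a",
      "ReplicationSubnetGroup": {
        "ReplicationSubnetGroupIdentifier": "dms-private-subnets",
        "ReplicationSubnetGroupDescription": "private subnets",
        "VpcId": "vpc-0abc",
        "SubnetGroupStatus": "Complete",
        "Subnets": []
      },
      "PreferredMaintenanceWindow": "sun:03:00-sun:04:00",
      "MultiAZ": false,
      "EngineVersion": "3.5.2",
      "AutoMinorVersionUpgrade": true,
      "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE",
      "ReplicationInstancePublicIpAddress": "203.0.113.10",
      "ReplicationInstancePrivateIpAddress": "10.0.1.5",
      "PubliclyAccessible": true
    }
  ]
}
""")

# Fields that create-replication-instance accepts with the same name and
# shape as the describe output. Everything not listed here is either
# read-only (ARN, status, IPs, create time) or needs remapping below.
COPY_AS_IS = (
    "ReplicationInstanceIdentifier",
    "ReplicationInstanceClass",
    "AllocatedStorage",
    "EngineVersion",
    "MultiAZ",
    "AutoMinorVersionUpgrade",
    "PreferredMaintenanceWindow",
    "KmsKeyId",
)


def public_instance_arns(describe: Dict[str, Any]) -> List[str]:
    """Return the ARNs of every instance whose PubliclyAccessible flag is set.

    This is the finding check: an empty list means nothing needs remediation.
    """
    return [
        inst["ReplicationInstanceArn"]
        for inst in describe.get("ReplicationInstances", [])
        if inst.get("PubliclyAccessible") is True
    ]


def build_create_payload(instance: Dict[str, Any],
                         new_identifier: Optional[str] = None) -> Dict[str, Any]:
    """Turn one ReplicationInstance object into create-replication-instance input.

    - PubliclyAccessible is forced to false.
    - VpcSecurityGroups (list of objects) becomes VpcSecurityGroupIds (list of ids).
    - ReplicationSubnetGroup (object) collapses to its identifier.
    - Read-only attributes are never copied.
    - Keys whose value is null are dropped so the CLI does not receive them.
    - new_identifier (hypothetical parameter) renames the replacement when the
      original instance still exists under the old identifier.
    """
    payload: Dict[str, Any] = {k: instance.get(k) for k in COPY_AS_IS}
    payload["PubliclyAccessible"] = False
    payload["VpcSecurityGroupIds"] = [
        sg["VpcSecurityGroupId"] for sg in instance.get("VpcSecurityGroups", [])
    ]
    subnet_group = instance.get("ReplicationSubnetGroup") or {}
    payload["ReplicationSubnetGroupIdentifier"] = subnet_group.get(
        "ReplicationSubnetGroupIdentifier")
    if new_identifier:
        payload["ReplicationInstanceIdentifier"] = new_identifier
    return {k: v for k, v in payload.items() if v is not None}


if __name__ == "__main__":
    # Usage: python remediate_dms.py > create-instance.json, then
    # aws dms create-replication-instance --cli-input-json file://create-instance.json
    for arn in public_instance_arns(SAMPLE_DESCRIBE):
        print("publicly accessible:", arn)
    print(json.dumps(build_create_payload(SAMPLE_DESCRIBE["ReplicationInstances"][0]), indent=2))
```

Because the sample instance has no KmsKeyId, the generated payload omits that key entirely instead of emitting `"KmsKeyId": null`; the same null-stripping is what the `with_entries` stage does in the jq version.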