Control: [DMS.1] AWS Database Migration Service replication instances should not be public
This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field.
A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users’ IAM permissions to modify AWS DMS settings and resources.
Note that you cannot change the public access setting once a replication instance is created (ModifyReplicationInstance does not accept PubliclyAccessible). The instance must be deleted and recreated with public access disabled.
To replace a publicly accessible AWS DMS replication instance with a private one
- Open the AWS Database Migration Service console.
- In the left navigation pane, under Resource management, choose Replication instances.
- To delete the public instance, select the check box for the instance, choose Actions, then choose Delete.
- Choose Create replication instance and provide the configuration details.
- To disable public access, make sure that Publicly accessible is not selected.
- Choose Create.
For more information, see the section on Creating a replication instance in the AWS Database Migration Service User Guide.
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_dms_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_dms_1 --share
This control uses a named query:
select
  arn as resource,
  case
    when publicly_accessible then 'alarm'
    else 'ok'
  end as status,
  case
    when publicly_accessible then title || ' publicly accessible.'
    else title || ' not publicly accessible.'
  end as reason,
  region,
  account_id
from
  aws_dms_replication_instance;
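The check the named query performs and the delete-and-recreate remediation described above, as an added Python example that is not part of the aws_compliance mod or of AWS's documentation. It evaluates a constructed describe-replication-instances response (the shape returned by `aws dms describe-replication-instances`, or boto3's describe_replication_instances) the same way the SQL does, and builds the create_replication_instance keyword arguments that carry a public instance's configuration over with PubliclyAccessible set to false. The sample response and every ARN, ID and security group in it are made up, and the helper names evaluate_dms_1, private_replacement_params and remediation_plan are this example's own; the real describe, delete and create calls are left as comments so the script runs offline.

```python
"""Added example (not part of the aws_compliance mod or AWS documentation):
evaluate FSBP control DMS.1 over a describe-replication-instances response
and prepare the private replacement for any public instance.

Assumed input shape: the JSON returned by
`aws dms describe-replication-instances` (boto3: describe_replication_instances).
"""
import json

# Constructed sample response, not real data: one public and one private instance.
SAMPLE_RESPONSE = {
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "mig-prod-1",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
            "AvailabilityZone": "us-east-1a",
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "mig-subnets"},
            "MultiAZ": False,
            "EngineVersion": "3.5.2",
            "AutoMinorVersionUpgrade": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:MIGPROD1EXAMPLE",
            "ReplicationInstancePublicIpAddress": "203.0.113.10",
            "PubliclyAccessible": True,
        },
        {
            "ReplicationInstanceIdentifier": "mig-internal-2",
            "ReplicationInstanceClass": "dms.r5.large",
            "AllocatedStorage": 100,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}],
            "AvailabilityZone": "us-east-1b",
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "mig-subnets"},
            "MultiAZ": True,
            "EngineVersion": "3.5.2",
            "AutoMinorVersionUpgrade": False,
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:MIGINTERNAL2EXAMPLE",
            "PubliclyAccessible": False,
        },
    ]
}


def evaluate_dms_1(response):
    """Same verdict as the control's named query: alarm when PubliclyAccessible is true.
    Returns one row per instance with resource, status and reason."""
    rows = []
    for inst in response.get("ReplicationInstances", []):
        public = bool(inst.get("PubliclyAccessible", False))
        title = inst.get("ReplicationInstanceIdentifier", inst["ReplicationInstanceArn"])
        rows.append({
            "resource": inst["ReplicationInstanceArn"],
            "status": "alarm" if public else "ok",
            "reason": f"{title} {'publicly accessible' if public else 'not publicly accessible'}.",
        })
    return rows


def private_replacement_params(inst):
    """Keyword arguments for create_replication_instance that reproduce the
    existing instance's configuration with PubliclyAccessible=False.
    The flag cannot be changed with modify_replication_instance, so the
    public instance must be deleted and this one created in its place."""
    params = {
        "ReplicationInstanceIdentifier": inst["ReplicationInstanceIdentifier"],
        "ReplicationInstanceClass": inst["ReplicationInstanceClass"],
        "AllocatedStorage": inst["AllocatedStorage"],
        "VpcSecurityGroupIds": [g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])],
        "MultiAZ": inst.get("MultiAZ", False),
        "EngineVersion": inst["EngineVersion"],
        "AutoMinorVersionUpgrade": inst.get("AutoMinorVersionUpgrade", True),
        "PubliclyAccessible": False,  # the whole point of the rebuild
    }
    subnet_group = inst.get("ReplicationSubnetGroup", {}).get("ReplicationSubnetGroupIdentifier")
    if subnet_group:
        params["ReplicationSubnetGroupIdentifier"] = subnet_group
    # CreateReplicationInstance rejects AvailabilityZone together with MultiAZ=True.
    if not params["MultiAZ"] and inst.get("AvailabilityZone"):
        params["AvailabilityZone"] = inst["AvailabilityZone"]
    if inst.get("KmsKeyId"):
        params["KmsKeyId"] = inst["KmsKeyId"]
    return params


def remediation_plan(response):
    """Pair every alarmed instance ARN with the parameters of its private replacement."""
    by_arn = {i["ReplicationInstanceArn"]: i for i in response.get("ReplicationInstances", [])}
    return [
        (row["resource"], private_replacement_params(by_arn[row["resource"]]))
        for row in evaluate_dms_1(response) if row["status"] == "alarm"
    ]


if __name__ == "__main__":
    # Against a real account: response = boto3.client("dms").describe_replication_instances()
    # (follow Marker for more than one page), then, per alarmed ARN, delete the instance with
    # delete_replication_instance(ReplicationInstanceArn=arn) once its migration tasks are gone
    # and call create_replication_instance(**params). Neither call is made here.
    for row in evaluate_dms_1(SAMPLE_RESPONSE):
        print(f"{row['status']:5} {row['resource']}  {row['reason']}")
    for arn, params in remediation_plan(SAMPLE_RESPONSE):
        print(f"\nrecreate {arn} with:\n{json.dumps(params, indent=2)}")
```

Two caveats when turning the plan into real API calls: DeleteReplicationInstance refuses an instance that still has migration tasks associated with it, so those tasks have to be removed and recreated against the new instance as part of the procedure; and a private instance still needs a security group and a route (VPN, Direct Connect or VPC peering) to both the source and target databases, so check connectivity from the new instance before cutting tasks over.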