Ensure public access is disabled for AWS Database Migration Service (DMS) instances

HIGH

Description

A publicly accessible DMS replication instance is assigned a public IP address and can be reached from the internet, so only its security group stands between external attackers and the source and target databases it connects to. Allowing unrestricted public access to cloud services such as this could open an application up to external attack; keeping replication instances private (reachable only inside the VPC) is the accepted best practice.

Remediation

The Publicly Accessible setting of a DMS replication instance cannot be changed after creation. To disable public access, delete the replication instance and recreate it with the Publicly Accessible option disabled. Before you can delete a replication instance, you must delete (or move) all the tasks that use it. When creating the new instance, make sure it is placed in a replication subnet group whose subnets are private and that the Publicly Accessible option is disabled.

In Terraform -

  1. In the aws_dms_replication_instance resource, set the publicly_accessible argument to false. Because this setting cannot be modified in place, Terraform will plan a replacement of the instance, which matches the delete-and-recreate procedure above; delete or move the dependent replication tasks first.
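The following Terraform configuration is an added example, not code from the original page or from AWS or HashiCorp. It shows a replication instance as this rule would flag it next to the corrected, private version of the same resource. The instance identifiers, the instance class, the `private_subnet_ids` and `dms_security_group_id` variables and the subnet group are placeholders assumed to exist in your environment.

```hcl
# Added example (not part of the original page). All names, IDs and the
# two variables below are placeholders; replace them with your own values.

variable "private_subnet_ids" {
  description = "Subnets with no route to an internet gateway (assumed to exist)"
  type        = list(string)
}

variable "dms_security_group_id" {
  description = "Security group allowing DMS to reach the source/target databases (assumed to exist)"
  type        = string
}

# Replication subnet group built only from private subnets, so the instance
# has no path to or from the internet even without a public IP.
resource "aws_dms_replication_subnet_group" "private" {
  replication_subnet_group_id          = "dms-private-subnets"
  replication_subnet_group_description = "Private subnets for DMS replication"
  subnet_ids                           = var.private_subnet_ids
}

# Non-compliant: the instance is assigned a public IP address and is
# reachable from the internet. This is what AC_AWS_0068 flags.
resource "aws_dms_replication_instance" "flagged" {
  replication_instance_id     = "dms-replication-public"
  replication_instance_class  = "dms.t3.medium"
  allocated_storage           = 50
  publicly_accessible         = true # flagged
  replication_subnet_group_id = aws_dms_replication_subnet_group.private.id
  vpc_security_group_ids      = [var.dms_security_group_id]
}

# Compliant: publicly_accessible is set to false explicitly rather than
# relying on a default, so the instance is only reachable inside the VPC.
resource "aws_dms_replication_instance" "remediated" {
  replication_instance_id     = "dms-replication-private"
  replication_instance_class  = "dms.t3.medium"
  allocated_storage           = 50
  publicly_accessible         = false # remediated
  replication_subnet_group_id = aws_dms_replication_subnet_group.private.id
  vpc_security_group_ids      = [var.dms_security_group_id]
}
```

If you change `publicly_accessible` on an existing resource rather than adding a new one, expect `terraform plan` to show the instance being replaced; any `aws_dms_replication_task` that references it must be removed or pointed elsewhere before the apply succeeds, which is the same ordering the manual remediation above requires.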

For more information, see the AWS documentation.

References:
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance

Policy Details

Rule Reference ID: AC_AWS_0068
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: Migration Service

Frameworks