Ensure DMS replication instance is not publicly accessible

Error: DMS replication instance should not be publicly accessible

Bridgecrew Policy ID: BC_AWS_PUBLIC_13
Checkov Check ID: CKV_AWS_89
Severity: HIGH

DMS replication instance should not be publicly accessible

Description

AWS Database Migration Service (AWS DMS) is a service for migrating relational databases, data warehouses, NoSQL databases and other data stores. DMS can be used to migrate data into the AWS Cloud, between on-premises instances, or between combinations of cloud and on-premises environments.
An AWS DMS replication instance can have one public IP address and one private IP address, just like an Amazon Elastic Compute Cloud (Amazon EC2) instance with a public IP address. If you uncheck (disable) the Publicly accessible option, the replication instance has only a private IP address and is reachable only from inside its VPC.

Fix - Buildtime

Terraform

  • Resource: aws_dms_replication_instance
  • Argument: publicly_accessible - (Optional, Default: false) Specifies the accessibility options for the replication instance. A value of true represents an instance with a public IP address. A value of false represents an instance with a private IP address.

resource "aws_dms_replication_instance" "test" {
  ...
  allocated_storage            = 20
+ publicly_accessible          = false
}

CloudFormation

  • Resource: AWS::DMS::ReplicationInstance
  • Argument: Properties.PubliclyAccessible - (Optional, Default: false) Specifies the accessibility options for the replication instance. A value of true represents an instance with a public IP address. A value of false represents an instance with a private IP address.

Resources:
  ReplicationInstance:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      ...
+     PubliclyAccessible: False
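The condition behind CKV_AWS_89, re-implemented as an added stand-alone example (not Checkov's or Bridgecrew's own code) so the pass/fail logic for both the Terraform and CloudFormation forms can be exercised on constructed inputs. It assumes the Terraform resource arrives as Checkov hands it to a check, an attribute map whose values are wrapped in single-element lists, and the CloudFormation template as a plain parsed dict.

```python
"""Evaluate "DMS replication instance must not be publicly accessible" against
parsed Terraform and CloudFormation resources. Illustrative re-implementation
of the CKV_AWS_89 logic, not Checkov's own check class."""
from typing import Any, Dict, List

PASSED, FAILED = "PASSED", "FAILED"


def _is_true(value: Any) -> bool:
    """Normalise HCL/YAML booleans: True, "true", "True" and ["true"] all count."""
    if isinstance(value, list):  # assumed input shape: Checkov wraps HCL attribute values in a list
        value = value[0] if value else None
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def check_terraform(conf: Dict[str, Any]) -> str:
    """conf is the attribute map of one aws_dms_replication_instance block."""
    # publicly_accessible is optional and defaults to false, so an absent key passes.
    return FAILED if _is_true(conf.get("publicly_accessible")) else PASSED


def check_cloudformation(resource: Dict[str, Any]) -> str:
    """resource is one entry under Resources: in a CloudFormation template."""
    if resource.get("Type") != "AWS::DMS::ReplicationInstance":
        return PASSED  # other resource types are out of scope for this check
    props = resource.get("Properties") or {}
    return FAILED if _is_true(props.get("PubliclyAccessible")) else PASSED


def scan_cloudformation(template: Dict[str, Any]) -> List[str]:
    """Return the logical IDs of every failing replication instance in a template."""
    resources = template.get("Resources") or {}
    return [lid for lid, res in resources.items() if check_cloudformation(res) == FAILED]


# Constructed sample inputs: one implicit-default, one public, one hardened instance.
TF_CONFS = {
    "implicit_default": {"allocated_storage": [20]},
    "explicit_public": {"allocated_storage": [20], "publicly_accessible": ["true"]},
    "hardened": {"allocated_storage": [20], "publicly_accessible": [False]},
}
CFN_TEMPLATE = {"Resources": {
    "PublicReplicationInstance": {"Type": "AWS::DMS::ReplicationInstance",
                                  "Properties": {"PubliclyAccessible": "True"}},
    "PrivateReplicationInstance": {"Type": "AWS::DMS::ReplicationInstance",
                                   "Properties": {"PubliclyAccessible": False}},
    "Bastion": {"Type": "AWS::EC2::Instance", "Properties": {}},
}}

if __name__ == "__main__":
    for name, conf in TF_CONFS.items():
        print(f"terraform {name}: {check_terraform(conf)}")
    print("cloudformation failing:", scan_cloudformation(CFN_TEMPLATE))
```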