AWS DMS – Consider Making Replication Instances Not Publicly Accessible

Database Migration Service (DMS) replication instances that are publicly accessible create unnecessary security risks and potential compliance violations. This FinOps policy ensures DMS replication instances are configured with private access only, reducing attack surface while maintaining operational functionality. When DMS instances are publicly accessible, they can be reached from the internet, creating opportunities for unauthorized access, data breaches, and exploitation of security vulnerabilities.

Why this policy matters

DMS replication instances handle sensitive database content during migration and replication processes. Making these instances publicly accessible violates the principle of least privilege and creates multiple security and cost-related risks that can impact your organization’s cloud spending and compliance posture.

Implementation Guide

Infrastructure-as-Code Example (Terraform)

# Violates policy - publicly accessible DMS replication instance
resource "aws_dms_replication_instance" "bad_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = true  # This violates the policy
  replication_instance_id     = "test-dms-replication-instance-tf"
 
  vpc_security_group_ids = [
    aws_security_group.dms_sg.id
  ]
}

# Complies with policy - private DMS replication instance
resource "aws_dms_replication_instance" "good_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = false  # Compliant configuration
  replication_instance_id     = "secure-dms-replication-instance"
 
  vpc_security_group_ids = [
    aws_security_group.dms_private_sg.id
  ]
 
  replication_subnet_group_id = aws_dms_replication_subnet_group.private.id
}

# Supporting private subnet configuration
resource "aws_dms_replication_subnet_group" "private" {
  replication_subnet_group_description = "Private subnet group for DMS"
  replication_subnet_group_id          = "dms-private-subnet-group"
 
  subnet_ids = [
    aws_subnet.private_subnet_1.id,
    aws_subnet.private_subnet_2.id
  ]
}

# Security group for private DMS instance
resource "aws_security_group" "dms_private_sg" {
  name_prefix = "dms-private-"
  vpc_id      = aws_vpc.main.id
 
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]  # Only allow VPC traffic
  }
 
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The key difference is setting publicly_accessible = false and ensuring the DMS instance is deployed in private subnets with appropriate security group configurations. Infracost automatically detects when DMS instances are configured as publicly accessible and flags these as policy violations in cost estimates and pull request comments.

Manual Step-by-Step Instructions

Audit existing DMS instances using AWS CLI or console to identify publicly accessible instances
Create private subnet group if one doesn’t exist for your DMS instances
Update security groups to restrict access to internal networks only
Modify DMS replication instance to set publicly_accessible = false
Test connectivity from your application servers to ensure migration tasks continue working
Update connection strings in applications if necessary to use private endpoints
Verify compliance using AWS Config rules or third-party tools like Infracost

Best Practices

Use VPC endpoints for DMS service communications to keep traffic within AWS backbone
Implement least privilege access through security groups and NACLs
Enable VPC Flow Logs to monitor network traffic patterns
Use private subnets exclusively for DMS replication instances
Configure NAT gateways properly for outbound internet access when required
Implement network segmentation to isolate DMS instances from other workloads
Regular security reviews of network configurations and access patterns

Tools and Scripts

Infracost supports this policy and can automatically detect publicly accessible DMS instances during infrastructure planning. The policy is available in Infracost’s free trial and helps teams identify security and cost risks before deployment. Additional tools for implementation:

AWS Config for continuous compliance monitoring
Terraform Sentinel for policy-as-code enforcement
AWS Security Hub for centralized security findings
Custom CloudFormation guards for deployment-time validation

Considerations and Caveats

While making DMS instances private is generally recommended, consider these factors:

Connectivity requirements may need adjustment if external systems require direct access to DMS instances
NAT gateway costs might increase slightly if outbound internet access is required for private instances
Complexity increases in network architecture and troubleshooting procedures
Legacy applications might require connection string updates or network path modifications
Cross-region replication scenarios may need special consideration for private connectivity
Third-party tool integration might require VPN or Direct Connect for access

Frequently Asked Questions (FAQs)

Yes, this policy is available in Infracost, including in the free trial. Infracost automatically detects publicly accessible DMS instances and flags them as policy violations with associated security and cost risks.

Yes, the policy can be adapted for development, staging, and production environments with different security requirements. However, production workloads should always use private access regardless of customization needs.

Infracost identifies and reports violations with specific remediation guidance, enabling teams to prioritize and fix issues efficiently. The tool provides clear before-and-after cost comparisons when implementing fixes.

Private instances typically perform better due to reduced network latency and improved security posture. Internal network routing is often faster than public internet routing for database migration tasks.

Private DMS instances can still participate in disaster recovery scenarios through proper VPC peering, Transit Gateway, or VPN connections between regions. The private configuration actually improves security during disaster recovery events.

Rare exceptions might include temporary migration scenarios or proof-of-concept environments, but these should be time-limited and include additional security controls like IP whitelisting and enhanced monitoring.

Review monthly as part of your security and cost optimization cycle, and implement automated checks in CI/CD pipelines to prevent violations from reaching production environments.

Yes, this policy should be applied consistently across all AWS regions where DMS instances are deployed to maintain uniform security posture and compliance standards.

AWS DMS – Consider Making Replication Instances Not Publicly Accessible

Why this policy matters

Implementation Guide

Infrastructure-as-Code Example (Terraform)

Manual Step-by-Step Instructions

Best Practices

Tools and Scripts

Considerations and Caveats

Frequently Asked Questions (FAQs)

Company

Documentation

Resources

Download our ebook “Shifting FinOps Left” and find out how to empower engineers to take action.

Create Free Account