Resources / finops policies

AWS DMS – Consider Making Replication Instances Not Publicly Accessible

Resources / finops policies

AWS DMS – Consider Making Replication Instances Not Publicly Accessible

AWS

Compute

Database Migration Service (DMS) replication instances that are publicly accessible create unnecessary security risks and potential compliance violations. This FinOps policy ensures DMS replication instances are configured with private access only, reducing attack surface while maintaining operational functionality. When DMS instances are publicly accessible, they can be reached from the internet, creating opportunities for unauthorized access, data breaches, and exploitation of security vulnerabilities.

Why this policy matters

DMS replication instances handle sensitive database content during migration and replication processes. Making these instances publicly accessible violates the principle of least privilege and creates multiple security and cost-related risks that can impact your organization’s cloud spending and compliance posture.

Implementation Guide

Infrastructure-as-Code Example (Terraform)

Violates policy - publicly accessible DMS replication instance

resource "aws_dms_replication_instance" "bad_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = true  # This violates the policy
  replication_instance_id     = "test-dms-replication-instance-tf"
 
  vpc_security_group_ids = [
    aws_security_group.dms_sg.id
  ]
}
resource "aws_dms_replication_instance" "bad_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = true  # This violates the policy
  replication_instance_id     = "test-dms-replication-instance-tf"
 
  vpc_security_group_ids = [
    aws_security_group.dms_sg.id
  ]
}
resource "aws_dms_replication_instance" "bad_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = true  # This violates the policy
  replication_instance_id     = "test-dms-replication-instance-tf"
 
  vpc_security_group_ids = [
    aws_security_group.dms_sg.id
  ]
}

Complies with policy - private DMS replication instance

resource "aws_dms_replication_instance" "good_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = false  # Compliant configuration
  replication_instance_id     = "secure-dms-replication-instance"
 
  vpc_security_group_ids = [
    aws_security_group.dms_private_sg.id
  ]
 
  replication_subnet_group_id = aws_dms_replication_subnet_group.private.id
}
resource "aws_dms_replication_instance" "good_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = false  # Compliant configuration
  replication_instance_id     = "secure-dms-replication-instance"
 
  vpc_security_group_ids = [
    aws_security_group.dms_private_sg.id
  ]
 
  replication_subnet_group_id = aws_dms_replication_subnet_group.private.id
}
resource "aws_dms_replication_instance" "good_example" {
  allocated_storage            = 100
  apply_immediately           = true
  auto_minor_version_upgrade  = true
  instance_class              = "dms.t3.micro"
  publicly_accessible         = false  # Compliant configuration
  replication_instance_id     = "secure-dms-replication-instance"
 
  vpc_security_group_ids = [
    aws_security_group.dms_private_sg.id
  ]
 
  replication_subnet_group_id = aws_dms_replication_subnet_group.private.id
}

Supporting private subnet configuration

resource "aws_dms_replication_subnet_group" "private" {
  replication_subnet_group_description = "Private subnet group for DMS"
  replication_subnet_group_id          = "dms-private-subnet-group"
 
  subnet_ids = [
    aws_subnet.private_subnet_1.id,
    aws_subnet.private_subnet_2.id
  ]
}
resource "aws_dms_replication_subnet_group" "private" {
  replication_subnet_group_description = "Private subnet group for DMS"
  replication_subnet_group_id          = "dms-private-subnet-group"
 
  subnet_ids = [
    aws_subnet.private_subnet_1.id,
    aws_subnet.private_subnet_2.id
  ]
}
resource "aws_dms_replication_subnet_group" "private" {
  replication_subnet_group_description = "Private subnet group for DMS"
  replication_subnet_group_id          = "dms-private-subnet-group"
 
  subnet_ids = [
    aws_subnet.private_subnet_1.id,
    aws_subnet.private_subnet_2.id
  ]
}

Security group for private DMS instance

resource "aws_security_group" "dms_private_sg" {
  name_prefix = "dms-private-"
  vpc_id      = aws_vpc.main.id
 
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]  # Only allow VPC traffic
  }
 
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "dms_private_sg" {
  name_prefix = "dms-private-"
  vpc_id      = aws_vpc.main.id
 
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]  # Only allow VPC traffic
  }
 
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "dms_private_sg" {
  name_prefix = "dms-private-"
  vpc_id      = aws_vpc.main.id
 
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]  # Only allow VPC traffic
  }
 
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The key difference is setting publicly_accessible = false and ensuring the DMS instance is deployed in private subnets with appropriate security group configurations. Infracost automatically detects when DMS instances are configured as publicly accessible and flags these as policy violations in cost estimates and pull request comments.

Manual Step-by-Step Instructions

  • Audit existing DMS instances using AWS CLI or console to identify publicly accessible instances

  • Create private subnet group if one doesn’t exist for your DMS instances

  • Update security groups to restrict access to internal networks only

  • Modify DMS replication instance to set publicly_accessible = false

  • Test connectivity from your application servers to ensure migration tasks continue working

  • Update connection strings in applications if necessary to use private endpoints

  • Verify compliance using AWS Config rules or third-party tools like Infracost

Best Practices

  • Use VPC endpoints for DMS service communications to keep traffic within AWS backbone

  • Implement least privilege access through security groups and NACLs

  • Enable VPC Flow Logs to monitor network traffic patterns

  • Use private subnets exclusively for DMS replication instances

  • Configure NAT gateways properly for outbound internet access when required

  • Implement network segmentation to isolate DMS instances from other workloads

  • Regular security reviews of network configurations and access patterns

Tools and Scripts

Infracost supports this policy and can automatically detect publicly accessible DMS instances during infrastructure planning. The policy is available in Infracost’s free trial and helps teams identify security and cost risks before deployment. Additional tools for implementation:

  • AWS Config for continuous compliance monitoring

  • Terraform Sentinel for policy-as-code enforcement

  • AWS Security Hub for centralized security findings

  • Custom CloudFormation guards for deployment-time validation

Considerations and Caveats

While making DMS instances private is generally recommended, consider these factors:

  • Connectivity requirements may need adjustment if external systems require direct access to DMS instances

  • NAT gateway costs might increase slightly if outbound internet access is required for private instances

  • Complexity increases in network architecture and troubleshooting procedures

  • Legacy applications might require connection string updates or network path modifications

  • Cross-region replication scenarios may need special consideration for private connectivity

  • Third-party tool integration might require VPN or Direct Connect for access

Create Free Account

This policy is supported in Infracost and available in the free trial. Sign up today and scan your code using our entire library of FinOps policies.

Get started free

Get started
with Infracost

Sign up free

Schedule a demo

© 2026 Infracost Inc

Privacy

Terms

DPA

Manage cookies

Do not sell/share my personal information

Product

Features

Pricing

Security

Support

Company

About

Careers

Blog

Documentation

Getting started

CI/CD integration

FAQ

Resources

Community

GitHub

LinkedIn

YouTube

Slack

Get started
with Infracost

Sign up free

Schedule a demo

© 2026 Infracost Inc

Privacy

Terms

DPA

Manage cookies

Do not sell/share my personal information

Product

Features

Pricing

Security

Support

Company

About

Careers

Blog

Documentation

Getting started

CI/CD integration

FAQ

Resources

Community

GitHub

LinkedIn

YouTube

Slack

Get started
with Infracost

Sign up free

Schedule a demo

© 2026 Infracost Inc

Privacy

Terms

DPA

Manage cookies

Do not sell/share my personal information

Product

Features

Pricing

Security

Support

Company

About

Careers

Blog

Documentation

Getting started

CI/CD integration

FAQ

Resources

Community

GitHub

LinkedIn

YouTube

Slack