Compliance · Critical severity

AWS Security Hub · DMS

DMS.1: A DMS replication instance is publicly accessible

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DMS.1 check?

DMS.1 fails when a Database Migration Service replication instance has its PubliclyAccessible attribute set to true. Such an instance gets a public IP and can be reached from the internet, subject to its security groups.

Why does DMS.1 matter?

A replication instance sits in the middle of your data flow, holding credentials for both the source and target databases and often streaming live records between them. Exposing it publicly turns it into an internet-facing target for anyone probing for those credentials or the data in transit. Keeping it private means an attacker must already be inside your network.

How do I fix DMS.1?

  1. List replication instances and flag any with PubliclyAccessible set to true.
  2. Create a new replication instance in private subnets with PubliclyAccessible disabled.
  3. Repoint the affected tasks at the new instance and validate they resume cleanly.
  4. Delete the old public instance and add a guardrail to block public instances going forward.
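The four steps above, as an added boto3 script written for this page (example code, not Emnode's or AWS's own remediation). The finding and planning logic is kept in pure functions so it can be exercised against the constructed DescribeReplicationInstances / DescribeReplicationTasks output embedded below; main() performs the live calls and assumes valid credentials, an existing private replication subnet group whose name is passed in (the default private-dms-subnets is a placeholder), and that the describe results fit in a single page.

```python
"""Recreate publicly accessible DMS replication instances as private ones.

PubliclyAccessible cannot be modified on an existing replication instance,
so the fix is: find, create private replacement, move tasks, delete old.
"""
from typing import Dict, List, Tuple


def public_instances(instances: List[dict]) -> List[dict]:
    """Step 1: the replication instances that fail DMS.1."""
    return [i for i in instances if i.get("PubliclyAccessible") is True]


def tasks_by_instance(tasks: List[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each instance ARN to the (task ARN, status) pairs running on it."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for t in tasks:
        out.setdefault(t["ReplicationInstanceArn"], []).append(
            (t["ReplicationTaskArn"], t.get("Status", "unknown")))
    return out


def remediation_plan(instances: List[dict], tasks: List[dict]) -> List[dict]:
    """One entry per public instance: what to create, move and delete."""
    moves = tasks_by_instance(tasks)
    plan = []
    for inst in public_instances(instances):
        plan.append({
            "old_arn": inst["ReplicationInstanceArn"],
            "new_identifier": inst["ReplicationInstanceIdentifier"] + "-private",
            "instance_class": inst["ReplicationInstanceClass"],
            # Reuse the old instance's security groups so endpoint reachability is unchanged.
            "security_groups": [g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])],
            "tasks": moves.get(inst["ReplicationInstanceArn"], []),
        })
    return plan


# Constructed sample API output: field names follow the DMS API, values are made up.
SAMPLE_INSTANCES = [
    {"ReplicationInstanceIdentifier": "orders-repl",
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ORDERSPUBLIC",
     "ReplicationInstanceClass": "dms.t3.medium", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]},
    {"ReplicationInstanceIdentifier": "hr-repl",
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:HRPRIVATE",
     "ReplicationInstanceClass": "dms.t3.medium", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]},
]
SAMPLE_TASKS = [
    {"ReplicationTaskArn": "arn:aws:dms:us-east-1:123456789012:task:ORDERSFULL",
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ORDERSPUBLIC",
     "Status": "running"},
    {"ReplicationTaskArn": "arn:aws:dms:us-east-1:123456789012:task:HRCDC",
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:HRPRIVATE",
     "Status": "running"},
]


def main(subnet_group: str = "private-dms-subnets") -> None:
    """Steps 2-4 against a real account (subnet_group is an assumed, pre-existing private group)."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    dms = boto3.client("dms")
    instances = dms.describe_replication_instances()["ReplicationInstances"]
    tasks = dms.describe_replication_tasks()["ReplicationTasks"]
    for step in remediation_plan(instances, tasks):
        # Step 2: private replacement in the private subnet group.
        new_arn = dms.create_replication_instance(
            ReplicationInstanceIdentifier=step["new_identifier"],
            ReplicationInstanceClass=step["instance_class"],
            ReplicationSubnetGroupIdentifier=subnet_group,
            VpcSecurityGroupIds=step["security_groups"],
            PubliclyAccessible=False,
        )["ReplicationInstance"]["ReplicationInstanceArn"]
        dms.get_waiter("replication_instance_available").wait(
            Filters=[{"Name": "replication-instance-arn", "Values": [new_arn]}])
        # Step 3: move each task; a task must not be running while it is moved.
        for task_arn, status in step["tasks"]:
            task_filter = [{"Name": "replication-task-arn", "Values": [task_arn]}]
            if status == "running":
                dms.stop_replication_task(ReplicationTaskArn=task_arn)
                dms.get_waiter("replication_task_stopped").wait(Filters=task_filter)
            dms.move_replication_task(ReplicationTaskArn=task_arn,
                                      TargetReplicationInstanceArn=new_arn)
            dms.get_waiter("replication_task_ready").wait(Filters=task_filter)
            dms.start_replication_task(ReplicationTaskArn=task_arn,
                                       StartReplicationTaskType="resume-processing")
        # Step 4: remove the public instance once nothing runs on it.
        dms.delete_replication_instance(ReplicationInstanceArn=step["old_arn"])


if __name__ == "__main__":
    for entry in remediation_plan(SAMPLE_INSTANCES, SAMPLE_TASKS):
        print(entry)  # dry run over the constructed sample; call main() for the live change
```

Running the module prints the plan for the constructed sample (only orders-repl is public, with one task to move); main() performs the live recreation. For the guardrail in step 4, the AWS Config managed rule dms-replication-not-public evaluates the same attribute and, enabled account-wide, re-raises the finding for any new public instance.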

Remediation script · bash

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
# (123456789012 is a placeholder; substitute your own account id.)
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is DMS.1 a false positive?

PubliclyAccessible is immutable — set at creation and never editable — so unlike most findings you cannot fix DMS.1 in place; it stays FAILED until the instance is recreated privately.

Part of the learning path Trim your network spend
  • DMS.6 DMS instances auto minor version upgrade
  • DMS.7 DMS target DB tasks should have logging
  • DMS.8 DMS source DB tasks should have logging
  • DMS.9 DMS endpoints should use SSL
  • DMS.10 DMS Neptune endpoints should have IAM auth
  • DMS.11 DMS MongoDB endpoints should have auth
  • DMS.12 DMS Redis endpoints should have TLS
  • DMS.13 DMS replication instances should be Multi-AZ