Compliance · Medium severity

AWS Security Hub · DMS

DMS.12: DMS Redis endpoints should have TLS

Written and reviewed by Emnode

What does AWS Security Hub DMS.12 check?

DMS.12 fails when a DMS endpoint for Redis OSS has SslSecurityProtocol set to plaintext inside its RedisSettings. The secure value is ssl-encryption, which is also the default when the setting is left unspecified, so only an endpoint that explicitly sets plaintext fails the control.

Why does DMS.12 matter?

A Redis endpoint set to plaintext moves data between DMS and Redis unencrypted across the network. Because Redis is often used for cached or session-style data, that transit exposure can leak sensitive material to anyone observing the network. Setting ssl-encryption protects the connection, and an optional CA certificate lets DMS verify the server identity too.

How do I fix DMS.12?

  1. Audit Redis OSS endpoints and find any with SslSecurityProtocol set to plaintext.
  2. Run modify-endpoint to set SslSecurityProtocol to ssl-encryption.
  3. Where you need server verification, attach an SslCaCertificateArn.
  4. Scrub IaC templates so no endpoint explicitly sets plaintext going forward.
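The four steps above as one script. This is an added example, not Emnode's code or an AWS sample: it audits a list of endpoints shaped like the DescribeEndpoints response for Redis OSS endpoints that explicitly set plaintext, builds the ModifyEndpoint arguments that switch them to ssl-encryption (with an optional CA certificate ARN for server verification), and scans a CloudFormation template for AWS::DMS::Endpoint resources that still hard-code plaintext. The endpoint names, ARNs, hostnames and the template are constructed sample data; the boto3 calls (describe_endpoints, modify_endpoint) are real, but the live remediation path is only run when you call it with dry_run=False.

```python
"""Audit and remediate DMS Redis OSS endpoints that fail Security Hub DMS.12."""
import copy

# Constructed sample of a DescribeEndpoints response (placeholder ARNs and hosts).
SAMPLE_ENDPOINTS = [
    {
        "EndpointIdentifier": "sessions-redis-target",
        "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE1",
        "EngineName": "redis",
        "RedisSettings": {"ServerName": "redis.example.internal", "Port": 6379,
                          "SslSecurityProtocol": "plaintext", "AuthType": "none"},
    },
    {
        "EndpointIdentifier": "cache-redis-target",
        "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE2",
        "EngineName": "redis",
        "RedisSettings": {"ServerName": "cache.example.internal", "Port": 6379,
                          "SslSecurityProtocol": "ssl-encryption",
                          "AuthType": "auth-token", "AuthUserName": "dms"},
    },
    # Non-Redis endpoint: out of scope for DMS.12 regardless of its settings.
    {"EndpointIdentifier": "orders-pg-source",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE3",
     "EngineName": "postgres"},
]

# Constructed CloudFormation template with one offending and one compliant endpoint.
SAMPLE_TEMPLATE = {
    "Resources": {
        "PlaintextRedisEndpoint": {
            "Type": "AWS::DMS::Endpoint",
            "Properties": {"EngineName": "redis", "EndpointType": "target",
                           "RedisSettings": {"ServerName": "redis.example.internal",
                                             "Port": 6379,
                                             "SslSecurityProtocol": "plaintext"}},
        },
        "DefaultRedisEndpoint": {
            "Type": "AWS::DMS::Endpoint",
            "Properties": {"EngineName": "redis", "EndpointType": "target",
                           # SslSecurityProtocol omitted: defaults to ssl-encryption.
                           "RedisSettings": {"ServerName": "cache.example.internal",
                                             "Port": 6379}},
        },
    }
}


def is_plaintext_redis(endpoint):
    """Step 1: true only for Redis endpoints that explicitly set plaintext."""
    if endpoint.get("EngineName") != "redis":
        return False
    settings = endpoint.get("RedisSettings") or {}
    # An unset value means ssl-encryption (the service default), so it passes.
    return settings.get("SslSecurityProtocol") == "plaintext"


def find_plaintext_redis_endpoints(endpoints):
    return [e for e in endpoints if is_plaintext_redis(e)]


def build_modify_endpoint_args(endpoint, ca_certificate_arn=None):
    """Steps 2 and 3: ModifyEndpoint arguments that enforce TLS on one endpoint.

    The full RedisSettings structure is re-sent with the protocol overwritten.
    Caveat: DescribeEndpoints never returns AuthPassword, so an endpoint using
    AuthType auth-token needs the secret supplied again when you apply this.
    """
    settings = copy.deepcopy(endpoint["RedisSettings"])
    settings["SslSecurityProtocol"] = "ssl-encryption"
    if ca_certificate_arn:
        settings["SslCaCertificateArn"] = ca_certificate_arn
    return {"EndpointArn": endpoint["EndpointArn"], "RedisSettings": settings}


def scan_cfn_template(template):
    """Step 4: logical IDs of AWS::DMS::Endpoint resources that hard-code plaintext."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::DMS::Endpoint":
            continue
        redis = (resource.get("Properties") or {}).get("RedisSettings") or {}
        if redis.get("SslSecurityProtocol") == "plaintext":
            findings.append(logical_id)
    return findings


def remediate_account(region="us-east-1", ca_certificate_arn=None, dry_run=True):
    """Run the audit against a real account; only modifies when dry_run is False."""
    import boto3  # imported here so the offline functions above need no AWS access
    dms = boto3.client("dms", region_name=region)
    endpoints = []
    for page in dms.get_paginator("describe_endpoints").paginate():
        endpoints.extend(page["Endpoints"])
    plans = [build_modify_endpoint_args(e, ca_certificate_arn)
             for e in find_plaintext_redis_endpoints(endpoints)]
    if not dry_run:
        for args in plans:
            dms.modify_endpoint(**args)
    return plans


if __name__ == "__main__":
    for ep in find_plaintext_redis_endpoints(SAMPLE_ENDPOINTS):
        print("FAIL DMS.12:", ep["EndpointIdentifier"], "->", build_modify_endpoint_args(ep))
    print("Template resources to scrub:", scan_cfn_template(SAMPLE_TEMPLATE))
```

Run it as-is to see the audit over the constructed data; point remediate_account at a region (and pass a real certificate ARN as ca_certificate_arn if you want server verification) once you have reviewed the planned changes it returns in dry-run mode.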

Remediation script · bash

# Inventory RDS instances, then list ElastiCache replication groups that still
# allow unencrypted (plaintext) client connections.
aws rds describe-db-instances \
  --query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
  --query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
  --output text

# RDS for PostgreSQL: require TLS via rds.force_ssl (static -> needs a reboot).
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
  --query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
  --parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg

# Redshift: require_ssl on a custom cluster parameter group, then reboot.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
  --parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.

Is DMS.12 a false positive?

The default is already ssl-encryption, so most failures trace to an old IaC template or copied CLI command that explicitly typed plaintext — the gap is inherited, not chosen.

Part of the learning path Encrypt everything
  • DMS.1 A DMS replication instance is publicly accessible
  • DMS.6 DMS instances auto minor version upgrade
  • DMS.7 DMS target DB tasks should have logging
  • DMS.8 DMS source DB tasks should have logging
  • DMS.9 DMS endpoints should use SSL
  • DMS.10 DMS Neptune endpoints should have IAM auth
  • DMS.11 DMS MongoDB endpoints should have auth
  • DMS.13 DMS replication instances should be Multi-AZ