Compliance · Medium severity

AWS Security Hub · DMS

DMS.13: DMS replication instances should be Multi-AZ

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DMS.13 check?

DMS.13 fails when a replication instance is deployed in a single Availability Zone rather than Multi-AZ. The control reads the MultiAZ flag, which determines whether DMS maintains a standby in a second AZ for automatic failover.

Why does DMS.13 matter?

A single-AZ replication instance has no standby: a transient networking fault in that one zone makes the instance unreachable, halts the CDC task, and lets the target silently drift behind the source. On a cutover night that gap can go unnoticed for hours. Multi-AZ keeps a synchronised standby ready to take over, so a zone fault becomes a brief blip instead of a stalled migration.

How do I fix DMS.13?

  1. Audit replication instances and find those with MultiAZ set to false.
  2. Enable Multi-AZ in place with modify-replication-instance, expecting a brief failover during the conversion.
  3. Accept the roughly doubled hourly cost as the trade for a standby, or document why single-AZ is acceptable for a throwaway instance.
  4. Default production instances to Multi-AZ in your provisioning template.
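As an added example, not part of the Emnode page or of any AWS tooling: a small Python evaluator that applies the DMS.13 rule to a constructed describe-replication-instances response, records the documented single-AZ exception from step 3 under an assumed tag key (dms13-exception), and emits the step 2 command for each remaining failure. The aws CLI commands it prints are real; the account id, ARNs, instance names and tag key are constructed.

```python
import json

# Constructed sample of `aws dms describe-replication-instances` output, trimmed to
# the fields the control reads; account id and ARNs are placeholders.
DESCRIBE_OUTPUT = json.dumps({"ReplicationInstances": [
    {"ReplicationInstanceIdentifier": "prod-cdc-1", "MultiAZ": False,
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:PROD1"},
    {"ReplicationInstanceIdentifier": "prod-cdc-2", "MultiAZ": True,
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:PROD2"},
    {"ReplicationInstanceIdentifier": "scratch-poc", "MultiAZ": False,
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:POC1"},
]})

# Constructed per-ARN tags (what `aws dms list-tags-for-resource` would return).
# A documented single-AZ exception (step 3) is recorded under an assumed tag key
# so the audit can tell "accepted risk" from "forgotten".
EXCEPTION_TAG = "dms13-exception"
TAGS = {"arn:aws:dms:us-east-1:111122223333:rep:POC1":
        {EXCEPTION_TAG: "throwaway PoC, torn down after load test"}}

def evaluate_dms13(describe_json, tags_by_arn):
    """One finding per instance: PASSED, FAILED, or EXEMPT with the documented reason."""
    findings = []
    for inst in json.loads(describe_json)["ReplicationInstances"]:
        arn = inst["ReplicationInstanceArn"]
        if inst["MultiAZ"]:
            status, reason = "PASSED", ""
        elif EXCEPTION_TAG in tags_by_arn.get(arn, {}):
            status, reason = "EXEMPT", tags_by_arn[arn][EXCEPTION_TAG]
        else:
            status, reason = "FAILED", "single-AZ with no documented exception"
        findings.append({"id": inst["ReplicationInstanceIdentifier"], "arn": arn,
                         "status": status, "reason": reason})
    return findings

def remediation_commands(findings):
    """The in-place fix from step 2, one command per FAILED instance; expect a
    brief failover while the standby is created."""
    return [f"aws dms modify-replication-instance --replication-instance-arn {f['arn']}"
            " --multi-az --apply-immediately"
            for f in findings if f["status"] == "FAILED"]

if __name__ == "__main__":
    results = evaluate_dms13(DESCRIBE_OUTPUT, TAGS)
    for f in results:
        print(f"{f['status']:6} {f['id']:12} {f['reason']}")
    print("\n".join(remediation_commands(results)))
```

Instances marked EXEMPT still show up in the report with their recorded reason, so an exception that outlives its throwaway instance is visible rather than silently suppressed.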

Remediation script · bash

# Fix the replication instances this control actually scores: find every instance
# still running single-AZ (step 1) and enable Multi-AZ in place (step 2).
for arn in $(aws dms describe-replication-instances \
    --query 'ReplicationInstances[?MultiAZ==`false`].ReplicationInstanceArn' --output text); do
  aws dms modify-replication-instance --replication-instance-arn "$arn" \
    --multi-az --apply-immediately
  echo "$arn: standby being provisioned in a second AZ"
done

# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
  --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3

Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.

Part of the learning path Tighten your databases
  • DMS.1 A DMS replication instance is publicly accessible
  • DMS.6 DMS instances auto minor version upgrade
  • DMS.7 DMS target DB tasks should have logging
  • DMS.8 DMS source DB tasks should have logging
  • DMS.9 DMS endpoints should use SSL
  • DMS.10 DMS Neptune endpoints should have IAM auth
  • DMS.11 DMS MongoDB endpoints should have auth
  • DMS.12 DMS Redis endpoints should have TLS