AWS Security Hub · DMS
DMS.9: DMS endpoints should use SSL
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub DMS.9 check?
DMS.9 fails when a DMS endpoint has SslMode set to none. DMS supports four SSL modes — none, require, verify-ca, and verify-full — and anything below require leaves the connection unencrypted.
Why does DMS.9 matter?
An endpoint with SslMode=none moves database records, including any credentials and sensitive rows, in plaintext between DMS and the database. For a CDC task running continuously for weeks, that is a long-lived plaintext data stream across the network. Requiring SSL — ideally verify-full so the server certificate is validated — closes it.
How do I fix DMS.9?
- List endpoints across the region and find those with SslMode=none.
- Import the database's CA certificate into DMS where the engine requires one.
- Modify each endpoint to set ssl-mode to require, verify-ca, or verify-full as the engine supports.
- Re-test the connection and confirm tasks resume, then default new endpoints to SSL.
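The four steps above, as an added example that is not part of this page or of any AWS tooling: a Python script that consumes the JSON printed by `aws dms describe-endpoints`, lists the endpoints DMS.9 would flag (SslMode none), optionally raises the floor to catch endpoints that encrypt but never validate the server certificate, and emits the `aws dms modify-endpoint` calls. The endpoint sample, the certificate ARN and the per-engine override (`oracle` to `verify-ca`) are constructed for the example; which modes a given engine accepts is engine-specific and must be checked against the DMS documentation before running the generated commands.

```python
"""DMS.9 triage: find DMS endpoints with SslMode none and build the
modify-endpoint calls that raise them to an encrypted mode.

Input is the JSON printed by `aws dms describe-endpoints`; the sample below
is constructed for this example, not captured from a real account.
"""
import json
import shlex

# DMS SSL modes from weakest to strongest (below "require" = plaintext).
SSL_MODES = ["none", "require", "verify-ca", "verify-full"]

# Constructed sample in the shape of `aws dms describe-endpoints` output.
SAMPLE_DESCRIBE_ENDPOINTS = json.dumps({"Endpoints": [
    {"EndpointIdentifier": "orders-pg-source", "EndpointType": "SOURCE",
     "EngineName": "postgres", "SslMode": "none",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLEPG"},
    {"EndpointIdentifier": "orders-mysql-target", "EndpointType": "TARGET",
     "EngineName": "mysql", "SslMode": "require",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLEMY"},
    {"EndpointIdentifier": "legacy-oracle-source", "EndpointType": "SOURCE",
     "EngineName": "oracle", "SslMode": "none",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLEORA"},
    {"EndpointIdentifier": "dw-redshift-target", "EndpointType": "TARGET",
     "EngineName": "redshift", "SslMode": "verify-full",
     "EndpointArn": "arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLERS"},
]})


def endpoints_below(describe_json, floor="require"):
    """Return endpoints whose SslMode is weaker than `floor`.

    With the default floor this is exactly what DMS.9 flags (SslMode none).
    Raise the floor to "verify-full" to also catch endpoints that encrypt
    but never validate the server certificate.
    """
    if floor not in SSL_MODES:
        raise ValueError(f"unknown SSL mode {floor!r}")
    endpoints = json.loads(describe_json)["Endpoints"]
    return [e for e in endpoints
            if SSL_MODES.index(e.get("SslMode", "none")) < SSL_MODES.index(floor)]


def remediation_plan(describe_json, target_mode="verify-full",
                     engine_overrides=None, certificate_arns=None):
    """Plan one modify-endpoint call per endpoint that fails DMS.9.

    target_mode      mode to set unless overridden for the engine
    engine_overrides {engine: mode} for engines that cannot take target_mode
                     (engine support is engine-specific; values are assumed)
    certificate_arns {engine: ARN} of CA certificates already imported with
                     `aws dms import-certificate`; needed for verify-* modes
    Each plan entry is "ready" (command included) or "blocked" (a verify-*
    mode was chosen but no certificate ARN is known for that engine).
    """
    engine_overrides = engine_overrides or {}
    certificate_arns = certificate_arns or {}
    plan = []
    for ep in endpoints_below(describe_json, "require"):
        engine = ep["EngineName"]
        mode = engine_overrides.get(engine, target_mode)
        if mode not in SSL_MODES or mode == "none":
            raise ValueError(f"invalid target mode {mode!r} for {engine}")
        entry = {"endpoint": ep["EndpointIdentifier"], "engine": engine, "mode": mode}
        cmd = ["aws", "dms", "modify-endpoint",
               "--endpoint-arn", ep["EndpointArn"], "--ssl-mode", mode]
        if mode.startswith("verify-"):
            cert = certificate_arns.get(engine)
            if cert is None:
                entry.update(status="blocked",
                             reason="import the CA certificate for this engine first")
                plan.append(entry)
                continue
            cmd += ["--certificate-arn", cert]
        entry.update(status="ready", command=shlex.join(cmd))
        plan.append(entry)
    return plan


if __name__ == "__main__":
    # Assumed certificate ARN and an assumed per-engine override, for demonstration.
    for entry in remediation_plan(
            SAMPLE_DESCRIBE_ENDPOINTS,
            engine_overrides={"oracle": "verify-ca"},
            certificate_arns={"postgres": "arn:aws:dms:us-east-1:111122223333:cert:EXAMPLECA"}):
        print(entry["endpoint"], entry["status"], entry.get("command", entry.get("reason")))
    print("still below verify-full:",
          [e["EndpointIdentifier"]
           for e in endpoints_below(SAMPLE_DESCRIBE_ENDPOINTS, "verify-full")])
```

The plan deliberately blocks rather than silently downgrading when a verify-* mode is requested without a certificate: a `require` endpoint passes DMS.9 but still accepts any server certificate, so the import step has to happen before the modify step if the goal is verify-full. After applying the commands, `aws dms test-connection` against each endpoint confirms the new mode negotiates before tasks are resumed.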
Remediation script · bash
# List RDS instances (check each one's parameter group for rds.force_ssl) and
# ElastiCache replication groups with in-transit encryption disabled.
aws rds describe-db-instances \
  --query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
  --query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
  --output text
# RDS for PostgreSQL: require TLS via rds.force_ssl (static parameter -> needs a reboot).
# The instance must be on a custom parameter group; default.* groups cannot be modified.
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
  --query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
  --parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg
# Redshift: require_ssl on a custom cluster parameter group, then reboot.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
  --parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod
Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.
Is DMS.9 a false positive?
Not usually, but the fix is engine-specific: the SSL modes available for Oracle differ from those for MySQL or PostgreSQL, so a mode that remediates one endpoint may not be accepted on another, and the certificate requirement also varies by engine.
More DMS controls
- DMS.1 A DMS replication instance is publicly accessible
- DMS.6 DMS instances auto minor version upgrade
- DMS.7 DMS target DB tasks should have logging
- DMS.8 DMS source DB tasks should have logging
- DMS.10 DMS Neptune endpoints should have IAM auth
- DMS.11 DMS MongoDB endpoints should have auth
- DMS.12 DMS Redis endpoints should have TLS
- DMS.13 DMS replication instances should be Multi-AZ