DMS Endpoint for Redis OSS is Encrypted in Transit
Overview
This check verifies that AWS Database Migration Service (DMS) endpoints configured for Redis Open Source Software (OSS) have TLS encryption enabled. When you migrate data to a Redis target using DMS, enabling TLS ensures that all traffic between the DMS replication instance and your Redis server is encrypted.
Risk
Without TLS encryption, data traveling between DMS and Redis is sent in plain text. This creates several security risks:
- Data interception: Attackers on the network path can read sensitive data being migrated
- Credential theft: Authentication tokens or passwords could be captured
- Data tampering: Migrated data could be modified in transit without detection
- Man-in-the-middle attacks: Attackers could intercept and alter communications
Remediation Steps
Prerequisites
You need permission to modify DMS endpoints in your AWS account. The IAM actions required are:
dms:ModifyEndpointdms:DescribeEndpoints
AWS Console Method
- Open the AWS Console and go to DMS (Database Migration Service)
- In the left navigation, click Endpoints
- Find and select your Redis endpoint
- Click Modify
- Scroll to the Endpoint settings section
- For SSL security protocol, select ssl-encryption
- (Optional) If you have a custom CA certificate, provide the SSL CA certificate ARN
- Click Save changes
Note: Modifying an endpoint that is part of an active replication task may require stopping and restarting the task.
AWS CLI (optional)
Modify an Existing Endpoint
To enable TLS on an existing Redis endpoint:
aws dms modify-endpoint \
--endpoint-arn "arn:aws:dms:us-east-1:123456789012:endpoint:your-endpoint-id" \
--redis-settings '{
"SslSecurityProtocol": "ssl-encryption"
}' \
--region us-east-1
Create a New Endpoint with TLS Enabled
To create a new Redis endpoint with TLS from the start:
aws dms create-endpoint \
--endpoint-identifier "redis-target-encrypted" \
--endpoint-type target \
--engine-name redis \
--redis-settings '{
"ServerName": "your-redis-server.example.com",
"Port": 6379,
"SslSecurityProtocol": "ssl-encryption",
"AuthType": "auth-token",
"AuthPassword": "your-auth-password"
}' \
--region us-east-1
Verify the Configuration
Check the current SSL settings on your endpoint:
aws dms describe-endpoints \
--filters "Name=endpoint-id,Values=redis-target-encrypted" \
--query "Endpoints[].RedisSettings.SslSecurityProtocol" \
--region us-east-1
The output should show ssl-encryption.
CloudFormation (optional)
CloudFormation Template
Use this template to create a DMS Redis endpoint with TLS encryption:
AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Endpoint for Redis OSS with TLS encryption enabled
Parameters:
EndpointIdentifier:
Type: String
Description: Unique identifier for the DMS endpoint
Default: redis-target-encrypted
RedisServerName:
Type: String
Description: Fully qualified domain name of the Redis server
RedisPort:
Type: Number
Description: Port number for the Redis server
Default: 6379
AuthType:
Type: String
Description: Authentication type for Redis connection
AllowedValues:
- none
- auth-token
- auth-role
Default: auth-token
AuthPassword:
Type: String
Description: Password for Redis authentication (required for auth-token or auth-role)
NoEcho: true
Default: ''
AuthUserName:
Type: String
Description: Username for Redis authentication (required for auth-role only)
Default: ''
Conditions:
HasAuthPassword: !Not [!Equals [!Ref AuthPassword, '']]
HasAuthUserName: !Not [!Equals [!Ref AuthUserName, '']]
Resources:
DMSRedisEndpoint:
Type: AWS::DMS::Endpoint
Properties:
EndpointIdentifier: !Ref EndpointIdentifier
EndpointType: target
EngineName: redis
RedisSettings:
ServerName: !Ref RedisServerName
Port: !Ref RedisPort
SslSecurityProtocol: ssl-encryption
AuthType: !Ref AuthType
AuthPassword: !If [HasAuthPassword, !Ref AuthPassword, !Ref 'AWS::NoValue']
AuthUserName: !If [HasAuthUserName, !Ref AuthUserName, !Ref 'AWS::NoValue']
Outputs:
EndpointArn:
Description: ARN of the DMS Redis endpoint
Value: !Ref DMSRedisEndpoint
Export:
Name: !Sub '${AWS::StackName}-EndpointArn'
Deploy the Stack
aws cloudformation create-stack \
--stack-name dms-redis-endpoint \
--template-body file://template.yaml \
--parameters \
ParameterKey=RedisServerName,ParameterValue=your-redis-server.example.com \
ParameterKey=AuthPassword,ParameterValue=your-auth-password \
--region us-east-1
Terraform (optional)
Terraform Configuration
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
variable "endpoint_identifier" {
description = "Unique identifier for the DMS endpoint"
type = string
default = "redis-target-encrypted"
}
variable "redis_server_name" {
description = "Fully qualified domain name of the Redis server"
type = string
}
variable "redis_port" {
description = "Port number for the Redis server"
type = number
default = 6379
}
variable "auth_type" {
description = "Authentication type: none, auth-token, or auth-role"
type = string
default = "auth-token"
validation {
condition = contains(["none", "auth-token", "auth-role"], var.auth_type)
error_message = "auth_type must be one of: none, auth-token, auth-role"
}
}
variable "auth_password" {
description = "Password for Redis authentication"
type = string
sensitive = true
default = null
}
variable "auth_user_name" {
description = "Username for Redis authentication (required for auth-role)"
type = string
default = null
}
resource "aws_dms_endpoint" "redis_target" {
endpoint_id = var.endpoint_identifier
endpoint_type = "target"
engine_name = "redis"
redis_settings {
server_name = var.redis_server_name
port = var.redis_port
ssl_security_protocol = "ssl-encryption"
auth_type = var.auth_type
auth_password = var.auth_password
auth_user_name = var.auth_user_name
}
tags = {
Name = var.endpoint_identifier
Environment = "production"
Encryption = "in-transit"
}
}
output "endpoint_arn" {
description = "ARN of the DMS Redis endpoint"
value = aws_dms_endpoint.redis_target.endpoint_arn
}
Apply the Configuration
terraform init
terraform plan -var="redis_server_name=your-redis-server.example.com" -var="auth_password=your-auth-password"
terraform apply -var="redis_server_name=your-redis-server.example.com" -var="auth_password=your-auth-password"
Verification
After making changes, verify that TLS is enabled:
- In the AWS Console, go to DMS > Endpoints
- Select your Redis endpoint
- Check the Endpoint settings section
- Confirm SSL security protocol shows ssl-encryption
CLI Verification
aws dms describe-endpoints \
--filters "Name=endpoint-id,Values=your-endpoint-id" \
--query "Endpoints[].{EndpointId:EndpointIdentifier,SslProtocol:RedisSettings.SslSecurityProtocol}" \
--output table \
--region us-east-1
Expected output:
------------------------------------------
| DescribeEndpoints |
+------------------------+---------------+
| EndpointId | SslProtocol |
+------------------------+---------------+
| redis-target-encrypted| ssl-encryption|
+------------------------+---------------+
Additional Resources
- AWS DMS Redis as a Target Documentation
- AWS DMS Endpoint Settings Reference
- Prowler Check Documentation
Notes
- Redis OSS only: This check applies specifically to Redis Open Source Software endpoints, not Amazon ElastiCache or Amazon MemoryDB
- Authentication: When using TLS, you should also configure authentication (
auth-tokenorauth-role) for defense in depth - Custom CA certificates: If your Redis server uses a certificate from a private CA, you must provide the CA certificate ARN in the
SslCaCertificateArnsetting - Active tasks: Modifying an endpoint that is part of an active replication task may require stopping and restarting the task for changes to take effect
- Network configuration: Ensure your VPC security groups allow traffic on the Redis port (default 6379) and that the DMS replication instance can reach your Redis server