DMS Endpoint Has SSL Enabled
Overview
This check verifies that AWS Database Migration Service (DMS) endpoints have SSL/TLS encryption enabled for connections between the replication instance and your databases. An endpoint passes this check if its SSL mode is set to anything other than none.
Risk
Without SSL/TLS encryption, data transferred through DMS is vulnerable to:
- Confidentiality breaches: Attackers can intercept database credentials and sensitive data through packet sniffing
- Data tampering: Man-in-the-middle attacks can modify migration data streams without detection
- Service disruption: Session hijacking can interrupt or corrupt database migration tasks
Remediation Steps
Prerequisites
You need permission to modify DMS endpoints. This typically requires the dms:ModifyEndpoint IAM permission.
About SSL modes
DMS supports four SSL modes:
| Mode | Description |
|---|---|
| none | No encryption (fails this check) |
| require | Encrypts the connection but does not verify the server certificate |
| verify-ca | Encrypts and verifies the server certificate against a trusted CA |
| verify-full | Encrypts, verifies the CA, and confirms the server hostname matches the certificate |
For production workloads, verify-ca or verify-full provide the strongest security.
AWS Console Method
- Open the AWS DMS Console
- Select the endpoint that failed the check
- Click Modify
- Scroll to the Endpoint settings section
- For SSL mode, select require (or verify-ca / verify-full if your database supports it)
- If using verify-ca or verify-full, select the appropriate CA certificate from the dropdown
- Click Save changes
- Test the connection by clicking Test connection under the Connections tab
AWS CLI
Enable SSL on an existing endpoint:
```bash
aws dms modify-endpoint \
  --endpoint-arn arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLE \
  --ssl-mode require \
  --region us-east-1
```
Enable SSL with certificate verification:
```bash
aws dms modify-endpoint \
  --endpoint-arn arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLE \
  --ssl-mode verify-ca \
  --certificate-arn arn:aws:dms:us-east-1:123456789012:cert:EXAMPLE \
  --region us-east-1
```
List all endpoints to find those without SSL:
```bash
aws dms describe-endpoints \
  --query "Endpoints[?SslMode=='none'].[EndpointIdentifier,EndpointArn,EngineName]" \
  --output table \
  --region us-east-1
```
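The CLI query above only finds endpoints set to none. The following added example (not part of the original page) applies the full modes table to endpoint records shaped like the `Endpoints` list that `describe-endpoints` returns, so a weaker require setting or a verifying mode with no certificate attached is also surfaced; the sample records and the `minimum_mode` threshold are constructed for illustration, and no AWS call is made.

```python
# Ranking of DMS SSL modes from weakest to strongest, per the modes table.
SSL_MODE_STRENGTH = {"none": 0, "require": 1, "verify-ca": 2, "verify-full": 3}


def evaluate_endpoint(endpoint, minimum_mode="require"):
    """Return (status, reason) for one describe-endpoints record.

    FAIL: SslMode is none (the check's failure condition).
    WARN: encrypted but below minimum_mode, or a verifying mode with no
          CertificateArn attached (DMS needs an imported CA certificate).
    PASS: otherwise.
    """
    mode = (endpoint.get("SslMode") or "none").lower()
    ident = endpoint.get("EndpointIdentifier", "<unknown>")
    if mode not in SSL_MODE_STRENGTH:
        return "WARN", f"{ident}: unrecognised SslMode {mode!r}"
    if mode == "none":
        return "FAIL", f"{ident}: SslMode is none; traffic is unencrypted"
    if mode in ("verify-ca", "verify-full") and not endpoint.get("CertificateArn"):
        return "WARN", f"{ident}: {mode} set but no CertificateArn attached"
    if SSL_MODE_STRENGTH[mode] < SSL_MODE_STRENGTH[minimum_mode]:
        return "WARN", f"{ident}: {mode} is below the required minimum {minimum_mode}"
    return "PASS", f"{ident}: SslMode {mode}"


def audit(endpoints, minimum_mode="require"):
    """Group the reasons returned by evaluate_endpoint by status."""
    report = {"FAIL": [], "WARN": [], "PASS": []}
    for ep in endpoints:
        status, reason = evaluate_endpoint(ep, minimum_mode)
        report[status].append(reason)
    return report


# Constructed sample records using the field names describe-endpoints emits.
SAMPLE_ENDPOINTS = [
    {"EndpointIdentifier": "legacy-mysql-src", "EngineName": "mysql", "SslMode": "none"},
    {"EndpointIdentifier": "pg-target", "EngineName": "postgres", "SslMode": "require"},
    {"EndpointIdentifier": "oracle-src", "EngineName": "oracle", "SslMode": "verify-ca",
     "CertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:EXAMPLE"},
    {"EndpointIdentifier": "mssql-src", "EngineName": "sqlserver", "SslMode": "verify-full"},
]

if __name__ == "__main__":
    # Treat anything weaker than verify-ca as a warning for production.
    for status, reasons in audit(SAMPLE_ENDPOINTS, minimum_mode="verify-ca").items():
        for reason in reasons:
            print(status, reason)
```

In real use, pass the concatenated `Endpoints` lists from boto3's `describe_endpoints` paginator in place of `SAMPLE_ENDPOINTS`.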
CloudFormation
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Endpoint with SSL enabled
Parameters:
  EndpointIdentifier:
    Type: String
    Description: Unique identifier for the endpoint
  EngineType:
    Type: String
    Description: Database engine type
    AllowedValues:
      - mysql
      - postgres
      - oracle
      - sqlserver
      - mariadb
      - aurora
      - aurora-postgresql
      - redshift
  ServerName:
    Type: String
    Description: Database server hostname
  Port:
    Type: Number
    Description: Database port
  Username:
    Type: String
    Description: Database username
  Password:
    Type: String
    NoEcho: true
    Description: Database password
  DatabaseName:
    Type: String
    Description: Database name
  SslMode:
    Type: String
    Default: require
    AllowedValues:
      - require
      - verify-ca
      - verify-full
    Description: SSL mode for the endpoint connection
  CertificateArn:
    Type: String
    Default: ''
    Description: ARN of the certificate for SSL connection (required for verify-ca and verify-full)
Conditions:
  HasCertificate: !Not [!Equals [!Ref CertificateArn, '']]
Resources:
  DMSEndpoint:
    Type: AWS::DMS::Endpoint
    Properties:
      EndpointIdentifier: !Ref EndpointIdentifier
      EndpointType: source
      EngineName: !Ref EngineType
      ServerName: !Ref ServerName
      Port: !Ref Port
      Username: !Ref Username
      Password: !Ref Password
      DatabaseName: !Ref DatabaseName
      SslMode: !Ref SslMode
      CertificateArn: !If [HasCertificate, !Ref CertificateArn, !Ref 'AWS::NoValue']
Outputs:
  EndpointArn:
    Description: ARN of the DMS endpoint
    Value: !Ref DMSEndpoint
```
Terraform
```hcl
variable "endpoint_id" {
  description = "Unique identifier for the DMS endpoint"
  type        = string
}

variable "endpoint_type" {
  description = "Type of endpoint (source or target)"
  type        = string
  default     = "source"
  validation {
    condition     = contains(["source", "target"], var.endpoint_type)
    error_message = "Endpoint type must be 'source' or 'target'."
  }
}

variable "engine_name" {
  description = "Database engine name"
  type        = string
}

variable "server_name" {
  description = "Database server hostname"
  type        = string
}

variable "port" {
  description = "Database port"
  type        = number
}

variable "username" {
  description = "Database username"
  type        = string
}

variable "password" {
  description = "Database password"
  type        = string
  sensitive   = true
}

variable "database_name" {
  description = "Database name"
  type        = string
}

variable "ssl_mode" {
  description = "SSL mode for the endpoint connection"
  type        = string
  default     = "require"
  validation {
    condition     = contains(["require", "verify-ca", "verify-full"], var.ssl_mode)
    error_message = "SSL mode must be 'require', 'verify-ca', or 'verify-full'."
  }
}

variable "certificate_arn" {
  description = "ARN of the certificate for SSL connection"
  type        = string
  default     = null
}

resource "aws_dms_endpoint" "this" {
  endpoint_id     = var.endpoint_id
  endpoint_type   = var.endpoint_type
  engine_name     = var.engine_name
  server_name     = var.server_name
  port            = var.port
  username        = var.username
  password        = var.password
  database_name   = var.database_name
  ssl_mode        = var.ssl_mode
  certificate_arn = var.certificate_arn
}

output "endpoint_arn" {
  description = "ARN of the DMS endpoint"
  value       = aws_dms_endpoint.this.endpoint_arn
}
```
Verification
After making changes, confirm SSL is enabled:
- In the DMS Console, select your endpoint and check that SSL mode shows require, verify-ca, or verify-full
- Click Test connection to verify the endpoint can connect with SSL enabled
CLI verification
```bash
aws dms describe-endpoints \
  --filters Name=endpoint-arn,Values=arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLE \
  --query "Endpoints[0].[EndpointIdentifier,SslMode]" \
  --output table \
  --region us-east-1
```
The SslMode value should be require, verify-ca, or verify-full.
Additional Resources
- Using SSL with AWS DMS
- AWS DMS Endpoint Settings
- Managing Certificates in AWS DMS
- AWS DMS Security Best Practices
Notes
- Database support: Not all database engines support all SSL modes. Check your specific database documentation to confirm which modes are available.
- Certificate requirements: Using verify-ca or verify-full requires importing the appropriate CA certificate into DMS first.
- Existing replication tasks: Modifying an endpoint's SSL settings may require stopping and restarting active replication tasks.
- Performance: SSL encryption adds minimal overhead but provides significant security benefits for data in transit.
- Private connectivity: Consider using AWS PrivateLink or VPC peering in addition to SSL for defense in depth.