Skip to content

DMS endpoints for Redis OSS should have TLS enabled

This control checks whether an AWS DMS endpoint for Redis OSS is configured with a TLS connection. The control fails if the endpoint doesn't have TLS enabled.

How to fix

Attribute redis_settings[0].ssl_security_protocol of aws_dms_endpoint must be "ssl-encryption".

Implementation options

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_dms_endpoint.

resource "aws_dms_endpoint" "this" {
  endpoint_id   = "pofix-example-endpoint"
  endpoint_type = "source"
  engine_name   = "mysql"

  redis_settings {
    auth_type             = "none"
    port                  = 6379
    server_name           = "redis.example.com"
    ssl_security_protocol = "ssl-encryption"
  }
}
Which option should I choose?
  • Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
  • Open source module (terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready.
  • Terraform AWS provider resources: manage Terraform resources directly.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf (CTF) Control: dms_endpoint_redis_tls_enabled

  • AWS Config Managed Rule: DMS_REDIS_TLS_ENABLED

  • Powerpipe Control: aws_compliance.control.dms_endpoint_redis_tls_enabled