DMS endpoints for Redis OSS should have TLS enabled

DMS endpoints replicating data to or from Redis OSS handle live database traffic that may include sensitive application data, session tokens, or cached credentials. Without TLS, this traffic travels in plaintext between the DMS replication instance and the Redis server, exposing it to interception on the network path.

TLS on the DMS endpoint encrypts the replication channel for its full path. The exposure risk is highest when the Redis target runs outside the VPC or crosses availability zone boundaries, where traffic may traverse shared network infrastructure, but the plaintext risk exists on any network path.

Retrofit consideration

Changing ssl_security_protocol on an existing DMS endpoint forces a modification that may briefly interrupt active replication tasks. The target Redis server must also support TLS and have a valid certificate in place before you apply the change.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_dms_endpoint.

# Target endpoint for a Redis OSS server with the replication channel encrypted.
resource "aws_dms_endpoint" "this" {
  endpoint_id   = "pofix-abc123"
  endpoint_type = "target"
  engine_name   = "redis"

  redis_settings {
    auth_type              = "none" # use "auth-role" or "auth-token" for authenticated connections
    port                   = 6379
    server_name            = "redis.example.com"
    # CA certificate for the Redis server, registered as an aws_dms_certificate resource
    ssl_ca_certificate_arn = "arn:aws:dms:us-east-1:123456789012:cert:example-certificate"
    # "ssl-encryption" is what the control requires; omitting it defaults to plaintext
    ssl_security_protocol  = "ssl-encryption"
  }
}

What this control checks

The control passes when an aws_dms_endpoint resource with engine_name = "redis" has redis_settings configured with ssl_security_protocol = "ssl-encryption". It fails when ssl_security_protocol is omitted or set to "plaintext". When TLS is enabled, also provide ssl_ca_certificate_arn pointing to an aws_dms_certificate resource containing the CA certificate for the Redis server. Set auth_type within redis_settings to "auth-role" or "auth-token" for authenticated, encrypted connections.
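The pass/fail rule above, and the runtime caveats that follow it, written out as a static check over Terraform source. This is an added example, not the project's own checker: it uses a small regex-based reader for the flat attribute and nested-block shape of aws_dms_endpoint rather than a full HCL parser, and the sample resources it scans are constructed for the demonstration.

```python
"""Static evaluation of the dms_endpoint_redis_tls_enabled control over Terraform text.

Added example, not the project's own checker. The reader below handles only the
attribute / nested-block shape aws_dms_endpoint uses (no expressions, variables
or heredocs); for real repositories run the same logic over plan JSON or an HCL
library. The control logic in check_dms_redis_tls is the part that matters.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RESOURCE_RE = re.compile(r'resource\s+"aws_dms_endpoint"\s+"([^"]+)"\s*\{')


@dataclass
class Finding:
    name: str
    status: str                                         # "PASS", "FAIL" or "SKIP" (not Redis)
    reasons: List[str] = field(default_factory=list)    # why the control fails
    warnings: List[str] = field(default_factory=list)   # passes, but will break at runtime


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _attr(body: str, name: str) -> Optional[str]:
    """Value of a quoted attribute `name = "..."` starting a line, or None if absent."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s*=\s*"([^"]*)"', body, re.MULTILINE)
    return m.group(1) if m else None


def _nested(body: str, name: str) -> Optional[str]:
    """Body of the first nested block `name { ... }`, or None if absent."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s*\{', body, re.MULTILINE)
    return _block_body(body, m.end() - 1) if m else None


def check_dms_redis_tls(hcl: str) -> List[Finding]:
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)
        if _attr(body, "engine_name") != "redis":
            findings.append(Finding(name, "SKIP", ["engine_name is not redis"]))
            continue
        redis = _nested(body, "redis_settings")
        if redis is None:
            findings.append(Finding(name, "FAIL", ["redis_settings block missing"]))
            continue
        f = Finding(name, "PASS")
        proto = _attr(redis, "ssl_security_protocol")
        if proto is None:
            f.status, f.reasons = "FAIL", ["ssl_security_protocol omitted; the API default is plaintext"]
        elif proto != "ssl-encryption":
            f.status, f.reasons = "FAIL", [f'ssl_security_protocol is "{proto}"']
        else:
            # Not control failures, but the page's runtime pitfalls: TLS without a CA
            # certificate fails at connection time, and auth_type "none" is unauthenticated.
            if _attr(redis, "ssl_ca_certificate_arn") is None:
                f.warnings.append("ssl_ca_certificate_arn not set; task will fail at connection time")
            if _attr(redis, "auth_type") not in ("auth-role", "auth-token"):
                f.warnings.append('auth_type is not "auth-role" or "auth-token"')
        findings.append(f)
    return findings


# Constructed sample covering pass, fail (omitted / plaintext), pass-with-warnings and skip.
SAMPLE_HCL = '''
resource "aws_dms_endpoint" "good" {
  engine_name = "redis"
  redis_settings {
    auth_type              = "auth-token"
    server_name            = "redis.example.com"
    ssl_ca_certificate_arn = "arn:aws:dms:us-east-1:123456789012:cert:example-ca"
    ssl_security_protocol  = "ssl-encryption"
  }
}
resource "aws_dms_endpoint" "missing" {
  engine_name = "redis"
  redis_settings {
    server_name = "redis2.example.com"
  }
}
resource "aws_dms_endpoint" "plain" {
  engine_name = "redis"
  redis_settings {
    ssl_security_protocol = "plaintext"
  }
}
resource "aws_dms_endpoint" "nocert" {
  engine_name = "redis"
  redis_settings {
    auth_type             = "none"
    ssl_security_protocol = "ssl-encryption"
  }
}
resource "aws_dms_endpoint" "pg" {
  engine_name = "postgres"
}
'''

if __name__ == "__main__":
    for f in check_dms_redis_tls(SAMPLE_HCL):
        print(f"{f.name}: {f.status} {f.reasons or ''} {f.warnings or ''}")
```

Run against a real module by reading the .tf files into one string; the SKIP status keeps non-Redis endpoints out of the report while still showing they were seen, which is what an auditor asks for when the scope is "all DMS endpoints with engine type Redis OSS".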

Common pitfalls

  • Default ssl_security_protocol may be plaintext

    If you omit ssl_security_protocol from the redis_settings block, the AWS API defaults it to plaintext. Set it explicitly to "ssl-encryption" for this control to pass.

  • Missing or expired CA certificate

    ssl_ca_certificate_arn must point to a valid, unexpired aws_dms_certificate resource. Setting ssl_security_protocol = "ssl-encryption" without it causes the DMS task to fail at connection time, not at plan or apply. Create the certificate resource first and verify it hasn't expired.

  • Redis server must support TLS

    This control validates only the DMS endpoint configuration. If the target Redis instance (ElastiCache or self-hosted) doesn't have TLS enabled (on an ElastiCache replication group, that means transit_encryption_enabled = true), the replication task fails at runtime even though the endpoint passes the control check.

  • Endpoint recreation on engine_name change

    If you're converting a non-Redis endpoint to Redis, plan for full resource replacement: changing engine_name forces aws_dms_endpoint to be destroyed and recreated. Build the new resource with redis_settings and ssl_security_protocol = "ssl-encryption" from the start rather than patching it in afterward.

Audit evidence

An auditor expects Config rule evaluation results showing all DMS endpoints with engine type Redis OSS as compliant. Supporting evidence includes the output of aws dms describe-endpoints filtered to EngineName: redis, where each endpoint's RedisSettings.SslSecurityProtocol reads ssl-encryption. If a DMS certificate is involved, aws dms describe-certificates output should confirm the CA certificate exists and has not expired.

CloudTrail logs for ModifyEndpoint or CreateEndpoint API calls provide a change history showing when TLS was enabled and by whom.
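The evidence review described above, as an added example rather than the project's own tooling: a script that reads the JSON printed by aws dms describe-endpoints and aws dms describe-certificates, keeps only Redis endpoints, and reports any whose RedisSettings.SslSecurityProtocol is not ssl-encryption or whose CA certificate is missing or expired. EngineName and SslSecurityProtocol are the field names the page quotes; SslCaCertificateArn, CertificateArn and ValidToDate are assumed to match the DMS API response, and both documents embedded below are constructed samples.

```python
"""Evaluate DMS audit evidence from describe-endpoints / describe-certificates output.

Added example, not the project's own tooling. Field names beyond those quoted on
the page (SslCaCertificateArn, CertificateArn, ValidToDate) are assumed to match
the DMS API response shape; the two JSON documents are constructed samples,
trimmed to the fields this check reads.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of `aws dms describe-endpoints` output.
ENDPOINTS_JSON = json.dumps({"Endpoints": [
    {"EndpointIdentifier": "redis-tls-ok", "EngineName": "redis",
     "RedisSettings": {"ServerName": "redis.example.com", "Port": 6379,
                       "SslSecurityProtocol": "ssl-encryption", "AuthType": "auth-token",
                       "SslCaCertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:good-ca"}},
    {"EndpointIdentifier": "redis-plaintext", "EngineName": "redis",
     "RedisSettings": {"ServerName": "redis2.example.com", "Port": 6379,
                       "SslSecurityProtocol": "plaintext"}},
    {"EndpointIdentifier": "redis-expired-ca", "EngineName": "redis",
     "RedisSettings": {"ServerName": "redis3.example.com", "Port": 6379,
                       "SslSecurityProtocol": "ssl-encryption",
                       "SslCaCertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:old-ca"}},
    {"EndpointIdentifier": "pg-source", "EngineName": "postgres"},
]})

# Constructed sample of `aws dms describe-certificates` output.
CERTIFICATES_JSON = json.dumps({"Certificates": [
    {"CertificateIdentifier": "good-ca", "ValidToDate": "2035-01-01T00:00:00+00:00",
     "CertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:good-ca"},
    {"CertificateIdentifier": "old-ca", "ValidToDate": "2024-01-01T00:00:00+00:00",
     "CertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:old-ca"},
]})


def audit_redis_endpoints(endpoints_json: str, certificates_json: str,
                          now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map each Redis endpoint identifier to its list of problems (empty list = compliant)."""
    now = now or datetime.now(timezone.utc)
    certs = {c["CertificateArn"]: c for c in json.loads(certificates_json)["Certificates"]}
    report: Dict[str, List[str]] = {}
    for ep in json.loads(endpoints_json)["Endpoints"]:
        if ep.get("EngineName") != "redis":
            continue  # the control covers Redis OSS endpoints only
        settings = ep.get("RedisSettings", {})
        problems: List[str] = []
        proto = settings.get("SslSecurityProtocol", "plaintext")  # API default when unset
        if proto != "ssl-encryption":
            problems.append(f"SslSecurityProtocol is {proto}")
        else:
            arn = settings.get("SslCaCertificateArn")
            if not arn:
                problems.append("TLS enabled but no SslCaCertificateArn; task will fail to connect")
            elif arn not in certs:
                problems.append(f"CA certificate {arn} not present in describe-certificates")
            elif datetime.fromisoformat(certs[arn]["ValidToDate"]) <= now:
                problems.append(f"CA certificate expired {certs[arn]['ValidToDate']}")
        report[ep["EndpointIdentifier"]] = problems
    return report


if __name__ == "__main__":
    for ident, problems in audit_redis_endpoints(ENDPOINTS_JSON, CERTIFICATES_JSON).items():
        print(ident, "COMPLIANT" if not problems else "NON-COMPLIANT: " + "; ".join(problems))
```

To use it on a real account, save the two CLI outputs to files and pass their contents to audit_redis_endpoints; an empty problem list for every Redis endpoint is the state the Config rule evaluation should agree with, and any expired-certificate finding is worth raising before the replication task fails at connection time.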

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: dms_endpoint_redis_tls_enabled

  • AWS Config Managed Rule: DMS_REDIS_TLS_ENABLED

  • Checkov Check: CKV2_AWS_49

  • Powerpipe Control: aws_compliance.control.dms_endpoint_redis_tls_enabled

  • Prowler Checks: dms_endpoint_redis_in_transit_encryption_enabled, dms_endpoint_ssl_enabled

  • AWS Security Hub Control: DMS.12

Last reviewed: 2026-03-09