DMS endpoints for Redis OSS should have TLS enabled
DMS endpoints that replicate data to a Redis OSS target handle live database traffic, which may include sensitive application data, session tokens, or cached credentials. Without TLS, that traffic crosses the network in plaintext between the DMS replication instance and the Redis server, where anyone on the path can read it.
TLS on the DMS endpoint encrypts the replication channel between the replication instance and the Redis server. Exposure is greatest when the Redis target sits outside the VPC or in another availability zone, where traffic crosses shared network infrastructure, but plaintext traffic can be intercepted on any path, including inside a VPC.
Retrofit consideration
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See the provider documentation for the resources involved: aws_dms_endpoint (and aws_dms_certificate, which holds the CA certificate the endpoint references).
resource "aws_dms_endpoint" "this" {
  endpoint_id   = "pofix-abc123"
  endpoint_type = "target"   # DMS supports Redis as a target only
  engine_name   = "redis"

  redis_settings {
    # "none" satisfies this control but leaves Redis AUTH off; prefer "auth-token" or "auth-role"
    auth_type              = "none"
    port                   = 6379
    server_name            = "redis.example.com"
    # CA certificate stored in an aws_dms_certificate resource; must be valid and unexpired at run time
    ssl_ca_certificate_arn = "arn:aws:dms:us-east-1:123456789012:cert:example-certificate"
    # the attribute this control evaluates; omitting it or setting "plaintext" fails the check
    ssl_security_protocol  = "ssl-encryption"
  }
}

What this control checks
The control passes when an aws_dms_endpoint resource with engine_name = "redis" has a redis_settings block whose ssl_security_protocol is "ssl-encryption". It fails when ssl_security_protocol is omitted or set to "plaintext". Enabling TLS is not the whole job: also set ssl_ca_certificate_arn to an aws_dms_certificate resource holding the CA certificate that signed the Redis server's certificate, and set auth_type within redis_settings to "auth-role" or "auth-token" so the connection is authenticated as well as encrypted. The control does not evaluate auth_type, so auth_type = "none" passes the check while leaving Redis AUTH off.
Common pitfalls
Don't rely on the default for ssl_security_protocol
If ssl_security_protocol is absent from the redis_settings block, the scanner has nothing to evaluate and the control fails, whatever the provider or API default turns out to be. Set it explicitly to "ssl-encryption".
Missing or expired CA certificate
ssl_ca_certificate_arn must point to a valid, unexpired aws_dms_certificate resource. Terraform validates neither the certificate's contents nor its expiry, so setting ssl_security_protocol = "ssl-encryption" with a missing or expired CA surfaces only when DMS tests the connection or starts the task, not at plan or apply. Create the certificate resource first and check its expiry date before wiring it in.
Redis server must support TLS
This control validates only the DMS endpoint configuration. If the target Redis instance (ElastiCache or self-hosted) does not have TLS enabled (transit_encryption_enabled = true on an aws_elasticache_replication_group, for example), the replication task fails at runtime even though the endpoint passes the control check.
Endpoint recreation on engine_name change
If you're converting a non-Redis endpoint to Redis, plan for full resource replacement: changing engine_name forces aws_dms_endpoint to be destroyed and recreated. Build the new resource with redis_settings and ssl_security_protocol = "ssl-encryption" from the start rather than patching it in afterward.
Audit evidence
An auditor expects AWS Config rule evaluation results showing every DMS endpoint with engine type Redis OSS as compliant. Supporting evidence is the output of aws dms describe-endpoints filtered to EngineName: redis, where each endpoint's RedisSettings.SslSecurityProtocol reads ssl-encryption. If a DMS certificate is referenced, aws dms describe-certificates output should confirm the CA certificate exists and its ValidToDate has not passed.
CloudTrail records of CreateEndpoint and ModifyEndpoint API calls provide the change history showing when TLS was enabled and by whom.
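The following script is an added example for this page, not the control's, AWS Config's or any scanner's own code. It applies the rule described under "What this control checks" to endpoint records in the shape of aws dms describe-endpoints output, and layers on the runtime checks an auditor reviewing the evidence above would want (CA certificate present and unexpired, AUTH enabled). The sample endpoint and certificate records, the account and region in the ARNs, and the fixed evaluation time are all constructed; on a real account, pass the json.load()ed CLI output or the boto3 responses to audit() unchanged.

```python
"""Evaluate DMS endpoint records the way the Redis TLS control does.

Added example, not code from the page, the control or AWS. The two
dictionaries below are constructed to mirror the JSON shape of
`aws dms describe-endpoints` and `aws dms describe-certificates`.
"""
from datetime import datetime, timezone

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Fixed evaluation time so the example is deterministic (constructed).
NOW = datetime(2026, 3, 9, tzinfo=timezone.utc)

CERT_PREFIX = "arn:aws:dms:us-east-1:123456789012:cert:"  # constructed account/region

# Constructed sample in the shape of `aws dms describe-endpoints --output json`.
SAMPLE_ENDPOINTS = {
    "Endpoints": [
        {"EndpointIdentifier": "redis-tls", "EndpointType": "TARGET", "EngineName": "redis",
         "RedisSettings": {"ServerName": "redis.example.com", "Port": 6379,
                           "SslSecurityProtocol": "ssl-encryption",
                           "SslCaCertificateArn": CERT_PREFIX + "ca-current",
                           "AuthType": "auth-token"}},
        {"EndpointIdentifier": "redis-plain", "EndpointType": "TARGET", "EngineName": "redis",
         "RedisSettings": {"ServerName": "redis.example.com", "Port": 6379,
                           "SslSecurityProtocol": "plaintext", "AuthType": "none"}},
        {"EndpointIdentifier": "redis-unset", "EndpointType": "TARGET", "EngineName": "redis",
         "RedisSettings": {"ServerName": "redis.example.com", "Port": 6379, "AuthType": "none"}},
        {"EndpointIdentifier": "redis-stale-ca", "EndpointType": "TARGET", "EngineName": "redis",
         "RedisSettings": {"ServerName": "redis.example.com", "Port": 6379,
                           "SslSecurityProtocol": "ssl-encryption",
                           "SslCaCertificateArn": CERT_PREFIX + "ca-expired",
                           "AuthType": "none"}},
        {"EndpointIdentifier": "pg-source", "EndpointType": "SOURCE", "EngineName": "postgres",
         "ServerName": "db.example.com", "Port": 5432},
    ]
}

# Constructed sample in the shape of `aws dms describe-certificates --output json`.
SAMPLE_CERTIFICATES = {
    "Certificates": [
        {"CertificateArn": CERT_PREFIX + "ca-current", "ValidToDate": "2030-01-01T00:00:00+00:00"},
        {"CertificateArn": CERT_PREFIX + "ca-expired", "ValidToDate": "2025-06-30T00:00:00+00:00"},
    ]
}


def _parse_time(value):
    """ValidToDate arrives as ISO 8601 text from the CLI, or as a datetime from boto3."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_endpoint(endpoint, certs_by_arn, now=NOW):
    """Return (status, findings) for one endpoint record.

    status mirrors the control: only EngineName and SslSecurityProtocol decide it.
    findings carry the conditions the page warns about (CA certificate, AUTH)
    that the control itself does not evaluate.
    """
    if endpoint.get("EngineName") != "redis":
        return NOT_APPLICABLE, []
    settings = endpoint.get("RedisSettings") or {}
    protocol = settings.get("SslSecurityProtocol")
    if protocol != "ssl-encryption":
        # Omitted (None) and "plaintext" fail alike, as the control specifies.
        return NON_COMPLIANT, [f"SslSecurityProtocol is {protocol!r}; expected 'ssl-encryption'"]

    findings = []
    ca_arn = settings.get("SslCaCertificateArn")
    if not ca_arn:
        findings.append("no SslCaCertificateArn set; TLS is on but no CA certificate is attached")
    else:
        cert = certs_by_arn.get(ca_arn)
        if cert is None:
            findings.append(f"CA certificate {ca_arn} not found in describe-certificates output")
        elif _parse_time(cert["ValidToDate"]) <= now:
            findings.append(f"CA certificate {ca_arn} expired on {cert['ValidToDate']}")
    if settings.get("AuthType", "none") == "none":
        findings.append("AuthType is 'none'; connection is encrypted but not authenticated")
    return COMPLIANT, findings


def audit(endpoints_response, certificates_response, now=NOW):
    """Map EndpointIdentifier -> (status, findings) across whole CLI/boto3 responses."""
    certs_by_arn = {c["CertificateArn"]: c for c in certificates_response.get("Certificates", [])}
    return {
        ep["EndpointIdentifier"]: evaluate_endpoint(ep, certs_by_arn, now)
        for ep in endpoints_response.get("Endpoints", [])
    }


if __name__ == "__main__":
    for name, (status, findings) in audit(SAMPLE_ENDPOINTS, SAMPLE_CERTIFICATES).items():
        print(f"{name:16} {status}")
        for finding in findings:
            print(f"    - {finding}")
```

The status value reproduces the control's verdict, so the script agrees with the Config rule on which endpoints are compliant; the findings list is where the gaps that pass the control but break at runtime (the expired CA on redis-stale-ca, AuthType none) show up, which is the part worth attaching to the audit package alongside the raw CLI output.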
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
- Compliance.tf Control: dms_endpoint_redis_tls_enabled
- AWS Config Managed Rule: DMS_REDIS_TLS_ENABLED
- Checkov Check: CKV2_AWS_49
- Powerpipe Control: aws_compliance.control.dms_endpoint_redis_tls_enabled
- Prowler Checks: dms_endpoint_redis_in_transit_encryption_enabled, dms_endpoint_ssl_enabled
- AWS Security Hub Control: DMS.12
Last reviewed: 2026-03-09