
DMS endpoints should use SSL

DMS replication tasks move production data, often including PII, financial records, or credentials, between databases. When SSL is disabled on an endpoint, that data traverses the network in cleartext. An attacker with access to the VPC, a misconfigured peering connection, or a compromised intermediate host can passively capture every row replicated.

Enabling SSL on DMS endpoints is a low-effort change that eliminates an entire class of sniffing attacks. The performance overhead of TLS on modern instances is negligible compared to the risk of exposing migrated datasets.

Retrofit consideration

Changing ssl_mode on an existing endpoint requires the target database to accept TLS connections. You may need to install CA certificates on the database side and update certificate_arn on the DMS endpoint before flipping the mode. Existing replication tasks referencing the endpoint must be stopped, the endpoint modified, then tasks restarted.
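The stop, modify, restart sequence above, carried out against the DMS API in the order DMS requires, as an added Python example that is not part of this page or of any tool it lists. The boto3 call and parameter names (describe_replication_tasks, stop_replication_task, the replication_task_stopped waiter, modify_endpoint, start_replication_task) are the DMS API's own; the FakeDms class and its ARNs are a constructed stand-in so the script runs offline.

```python
"""Retrofit SSL onto an existing DMS endpoint: stop every task bound to the
endpoint, wait until it is stopped, modify the endpoint, then resume.
Run against a real account by passing boto3.client("dms") as `dms`.
"""

CERT_REQUIRED_MODES = {"verify-ca", "verify-full"}


def tasks_using_endpoint(dms, endpoint_arn):
    """Return (task_arn, status) for replication tasks bound to the endpoint."""
    resp = dms.describe_replication_tasks(
        Filters=[{"Name": "endpoint-arn", "Values": [endpoint_arn]}])
    return [(t["ReplicationTaskArn"], t["Status"]) for t in resp["ReplicationTasks"]]


def enable_endpoint_ssl(dms, endpoint_arn, ssl_mode="require", certificate_arn=None):
    """Stop -> modify -> resume. Returns the task ARNs that were cycled."""
    if ssl_mode == "none":
        raise ValueError("ssl_mode 'none' leaves replication traffic in cleartext")
    if ssl_mode in CERT_REQUIRED_MODES and not certificate_arn:
        raise ValueError(f"ssl_mode {ssl_mode!r} needs a certificate_arn")

    running = [arn for arn, status in tasks_using_endpoint(dms, endpoint_arn)
               if status == "running"]
    for arn in running:
        dms.stop_replication_task(ReplicationTaskArn=arn)
    if running:
        # DMS refuses ModifyEndpoint while a task is using the endpoint; block until stopped.
        dms.get_waiter("replication_task_stopped").wait(
            Filters=[{"Name": "replication-task-arn", "Values": running}])

    params = {"EndpointArn": endpoint_arn, "SslMode": ssl_mode}
    if certificate_arn:
        params["CertificateArn"] = certificate_arn
    dms.modify_endpoint(**params)

    for arn in running:
        # resume-processing continues from the task checkpoint instead of reloading the target.
        dms.start_replication_task(ReplicationTaskArn=arn,
                                   StartReplicationTaskType="resume-processing")
    return running


class FakeDms:
    """Constructed in-memory stand-in for the boto3 DMS client; records the call order."""

    def __init__(self, tasks):
        self.tasks = tasks  # {task_arn: status}
        self.calls = []

    def describe_replication_tasks(self, Filters):
        return {"ReplicationTasks": [{"ReplicationTaskArn": a, "Status": s}
                                     for a, s in self.tasks.items()]}

    def stop_replication_task(self, ReplicationTaskArn):
        self.tasks[ReplicationTaskArn] = "stopped"
        self.calls.append(("stop", ReplicationTaskArn))

    def get_waiter(self, name):
        self.calls.append(("wait", name))
        return self

    def wait(self, **kwargs):
        pass  # the fake stops tasks instantly

    def modify_endpoint(self, **params):
        self.calls.append(("modify", params["SslMode"]))

    def start_replication_task(self, ReplicationTaskArn, StartReplicationTaskType):
        self.tasks[ReplicationTaskArn] = "running"
        self.calls.append(("start", ReplicationTaskArn, StartReplicationTaskType))


def demo():
    """Run the procedure against the fake (placeholder ARNs); return the recorded calls."""
    fake = FakeDms({"arn:task:1": "running", "arn:task:2": "stopped"})
    enable_endpoint_ssl(fake, "arn:endpoint:src", "verify-full",
                        certificate_arn="arn:cert:pg-ca")
    return fake.calls


if __name__ == "__main__":
    for call in demo():
        print(call)
```

Only tasks in the running state are stopped and resumed; a task that was already stopped is left alone so the retrofit does not restart work someone else paused.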

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_dms_endpoint.

resource "aws_dms_endpoint" "this" {
  database_name = "pofix"
  endpoint_id   = "pofix-abc123"
  endpoint_type = "source"
  engine_name   = "postgres"
  # Placeholder value for illustration only; supply the real password from a
  # variable or secret store rather than committing it to the configuration.
  password      = "ChangeMe123!"
  port          = 5432
  server_name   = "postgres.example.com"
  username      = "admin"

  # Any value other than "none" satisfies the control; "verify-ca" and
  # "verify-full" additionally require certificate_arn.
  ssl_mode = "require"
}

What this control checks

The control evaluates the aws_dms_endpoint resource. ssl_mode must be set to something other than "none". Acceptable values are "require", "verify-ca", or "verify-full". If ssl_mode is omitted, AWS defaults it to "none", which fails the control. When using "verify-ca" or "verify-full", you must also provide a certificate_arn referencing an aws_dms_certificate resource holding the CA certificate for the source or target database. Both source and target endpoints are evaluated independently, so every aws_dms_endpoint in the configuration must carry an explicit, non-none ssl_mode.

Common pitfalls

  • Default ssl_mode is none

    If you omit ssl_mode from aws_dms_endpoint, Terraform sends no value and AWS defaults to "none". This silently fails the control. Always set ssl_mode explicitly.

  • Certificate required for verify-ca and verify-full

    Setting ssl_mode to "verify-ca" or "verify-full" without a certificate_arn causes endpoint creation to fail at apply time. You need an aws_dms_certificate resource and must reference its ARN in the endpoint config.

  • Engine-specific SSL support gaps

    Some DMS endpoint engine types (S3, DynamoDB, Kinesis) don't support ssl_mode because they use HTTPS natively. Setting it on those endpoints may be ignored or cause errors. This control applies to relational engines: mysql, postgres, oracle, sqlserver, and mongodb.

  • Replication task must be stopped to change ssl_mode

    terraform apply will error out if a replication task is running when you change ssl_mode. DMS can't modify an endpoint that's actively in use, so stop the task first, apply the endpoint change, then restart.
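The evaluation described under "What this control checks", together with the pitfalls above (omitted ssl_mode, missing certificate_arn for the verify modes, engines that do not take ssl_mode), expressed as a small checker, added here as an example and not the implementation used by any of the tools listed on this page. It reads Terraform's JSON configuration syntax (the .tf.json form); the engine list comes from this page and the sample configuration is constructed.

```python
"""Evaluate aws_dms_endpoint blocks in a Terraform JSON configuration document."""
import json
from dataclasses import dataclass

# Engines the page lists as in scope; S3, DynamoDB and Kinesis are skipped
# because they use HTTPS natively and may reject ssl_mode.
IN_SCOPE_ENGINES = {"mysql", "postgres", "oracle", "sqlserver", "mongodb"}
ACCEPTED_MODES = {"require", "verify-ca", "verify-full"}
CERT_REQUIRED_MODES = {"verify-ca", "verify-full"}


@dataclass
class Finding:
    resource: str
    status: str  # "PASS", "FAIL" or "SKIP"
    reason: str


def evaluate_endpoint(name: str, attrs: dict) -> Finding:
    """Apply the control to one aws_dms_endpoint resource body."""
    engine = attrs.get("engine_name")
    if engine not in IN_SCOPE_ENGINES:
        return Finding(name, "SKIP", f"engine {engine!r} is not evaluated by this control")
    mode = attrs.get("ssl_mode")
    if mode is None:
        # Omitted attribute: AWS defaults it to "none", so this fails silently.
        return Finding(name, "FAIL", 'ssl_mode omitted; AWS defaults it to "none"')
    if mode == "none":
        return Finding(name, "FAIL", 'ssl_mode is explicitly "none"')
    if mode not in ACCEPTED_MODES:
        return Finding(name, "FAIL", f"unrecognised ssl_mode {mode!r}")
    if mode in CERT_REQUIRED_MODES and not attrs.get("certificate_arn"):
        # Would not pass apply: the verify modes need a certificate.
        return Finding(name, "FAIL", f"ssl_mode {mode!r} requires certificate_arn")
    return Finding(name, "PASS", f"ssl_mode {mode!r}")


def evaluate_config(config: dict) -> list:
    """Walk every aws_dms_endpoint in a Terraform JSON config document."""
    endpoints = config.get("resource", {}).get("aws_dms_endpoint", {})
    return [evaluate_endpoint(f"aws_dms_endpoint.{name}", body)
            for name, body in endpoints.items()]


# Constructed sample configuration; the certificate PEM is a placeholder.
SAMPLE_CONFIG = json.loads("""
{
  "resource": {
    "aws_dms_certificate": {
      "pg_ca": {"certificate_id": "pg-ca", "certificate_pem": "PLACEHOLDER-PEM"}
    },
    "aws_dms_endpoint": {
      "src_pg": {"endpoint_id": "src-pg", "endpoint_type": "source", "engine_name": "postgres",
                 "ssl_mode": "verify-full",
                 "certificate_arn": "${aws_dms_certificate.pg_ca.certificate_arn}"},
      "tgt_mysql": {"endpoint_id": "tgt-mysql", "endpoint_type": "target", "engine_name": "mysql"},
      "tgt_oracle": {"endpoint_id": "tgt-ora", "endpoint_type": "target", "engine_name": "oracle",
                     "ssl_mode": "verify-ca"},
      "tgt_s3": {"endpoint_id": "tgt-s3", "endpoint_type": "target", "engine_name": "s3"}
    }
  }
}
""")


def main() -> None:
    for f in evaluate_config(SAMPLE_CONFIG):
        print(f"{f.status:4} {f.resource}: {f.reason}")


if __name__ == "__main__":
    main()
```

The verify modes without certificate_arn are reported as failures even though the control itself only looks at ssl_mode, because such a configuration never reaches a compliant state: it errors at apply time instead.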

Audit evidence

An auditor expects Config rule evaluation results showing all AWS::DMS::Endpoint resources as COMPLIANT, or equivalent output from a security posture tool scanning the SslMode property via the DescribeEndpoints API. Beyond the Config snapshot, auditors may pull CloudTrail ModifyEndpoint and CreateEndpoint events to confirm no endpoint was ever provisioned or changed to SslMode: none.
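The CloudTrail review described above, run over a constructed set of records, as an added Python example rather than anything produced by the tools on this page. It assumes CloudTrail renders the DMS API parameters in requestParameters with lower-camel-case names (endpointIdentifier, endpointArn, sslMode); the sample events are constructed.

```python
"""Flag DMS CreateEndpoint/ModifyEndpoint events that left an endpoint on SslMode none."""
import json

WATCHED_EVENTS = {"CreateEndpoint", "ModifyEndpoint"}


def cleartext_endpoint_findings(records):
    """Return one finding per event that created or set an endpoint with SslMode none."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "dms.amazonaws.com" or ev.get("eventName") not in WATCHED_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        mode = params.get("sslMode")
        if ev["eventName"] == "CreateEndpoint" and mode is None:
            # No SslMode on creation means the AWS default, which is none.
            reason = "CreateEndpoint without SslMode (defaults to none)"
        elif mode == "none":
            reason = f"{ev['eventName']} set SslMode none"
        else:
            # ModifyEndpoint without SslMode leaves the existing mode unchanged.
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "endpoint": params.get("endpointIdentifier") or params.get("endpointArn"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "reason": reason,
        })
    return findings


# Constructed CloudTrail log file in the usual {"Records": [...]} shape.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventTime": "2026-03-01T10:00:00Z", "eventSource": "dms.amazonaws.com", "eventName": "CreateEndpoint",
   "userIdentity": {"arn": "arn:aws:iam::ACCOUNT:user/alice"},
   "requestParameters": {"endpointIdentifier": "src-pg", "engineName": "postgres", "sslMode": "none"}},
  {"eventTime": "2026-03-01T10:05:00Z", "eventSource": "dms.amazonaws.com", "eventName": "CreateEndpoint",
   "userIdentity": {"arn": "arn:aws:iam::ACCOUNT:user/alice"},
   "requestParameters": {"endpointIdentifier": "tgt-mysql", "engineName": "mysql"}},
  {"eventTime": "2026-03-02T09:00:00Z", "eventSource": "dms.amazonaws.com", "eventName": "ModifyEndpoint",
   "userIdentity": {"arn": "arn:aws:iam::ACCOUNT:role/terraform"},
   "requestParameters": {"endpointArn": "arn:aws:dms:REGION:ACCOUNT:endpoint:SRCPG", "sslMode": "require"}},
  {"eventTime": "2026-03-02T09:10:00Z", "eventSource": "dms.amazonaws.com", "eventName": "ModifyEndpoint",
   "userIdentity": {"arn": "arn:aws:iam::ACCOUNT:role/terraform"},
   "requestParameters": {"endpointArn": "arn:aws:dms:REGION:ACCOUNT:endpoint:SRCPG", "port": 5433}},
  {"eventTime": "2026-03-03T15:00:00Z", "eventSource": "dms.amazonaws.com", "eventName": "ModifyEndpoint",
   "userIdentity": {"arn": "arn:aws:iam::ACCOUNT:user/bob"},
   "requestParameters": {"endpointArn": "arn:aws:dms:REGION:ACCOUNT:endpoint:TGTMYSQL", "sslMode": "none"}},
  {"eventTime": "2026-03-03T15:01:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
   "userIdentity": {"arn": "arn:aws:iam::ACCOUNT:user/bob"},
   "requestParameters": {"dBInstanceIdentifier": "pg-primary"}}
]}
""")


def main() -> None:
    for f in cleartext_endpoint_findings(SAMPLE_LOG["Records"]):
        print(f"{f['time']} {f['endpoint']} by {f['actor']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

The distinction between the two API calls matters for evidence: a CreateEndpoint with no SslMode is a finding because of the AWS default, while a ModifyEndpoint with no SslMode (the port change above) is not, since it did not touch the mode.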

Supporting documentation should include the DMS certificate inventory (CA certificates uploaded via ImportCertificate) and evidence that the databases themselves enforce TLS, such as RDS parameter group settings (rds.force_ssl = 1 for SQL Server, require_secure_transport = ON for MySQL).

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: dms_endpoint_ssl_configured

  • AWS Config Managed Rule: DMS_ENDPOINT_SSL_CONFIGURED

  • Checkov Check: CKV2_AWS_49

  • Powerpipe Control: aws_compliance.control.dms_endpoint_ssl_configured

  • Prowler Check: dms_endpoint_ssl_enabled

  • AWS Security Hub Control: DMS.9

Last reviewed: 2026-03-09