DMS Replication Instance Encryption Enabled
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
```hcl
module "dms" {
  source                               = "registry.compliance.tf/terraform-aws-modules/dms/aws"
  version                              = ">=2.0.0"
  create_iam_roles                     = false
  repl_instance_class                  = "dms.t3.small"
  repl_instance_id                     = "abc123"
  repl_instance_vpc_security_group_ids = ["sg-abc12345"]
  repl_subnet_group_description        = "DMS Subnet group for pofix testing"
  repl_subnet_group_name               = "abc123"
  repl_subnet_group_subnet_ids         = ["subnet-abc123", "subnet-def456"]
  repl_instance_kms_key_arn            = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
```
This control is enforced automatically with Compliance.tf modules.
If you use terraform-aws-modules/dms/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
```hcl
module "dms" {
  source                               = "terraform-aws-modules/dms/aws"
  version                              = ">=2.0.0"
  create_iam_roles                     = false
  repl_instance_class                  = "dms.t3.small"
  repl_instance_id                     = "abc123"
  repl_instance_vpc_security_group_ids = ["sg-abc12345"]
  repl_subnet_group_description        = "DMS Subnet group for pofix testing"
  repl_subnet_group_name               = "abc123"
  repl_subnet_group_subnet_ids         = ["subnet-abc123", "subnet-def456"]
  repl_instance_kms_key_arn            = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
```
Use AWS provider resources directly. See docs for the resources involved: aws_dms_replication_instance.
```hcl
resource "aws_dms_replication_instance" "this" {
  replication_instance_class = "dms.t3.small"
  replication_instance_id    = "pofix-abc123"
  kms_key_arn                = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
```
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
- Compliance.tf Control: dms_replication_instance_encryption_enabled
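
All three Implementation snippets above come down to setting `kms_key_arn` on the replication instance. As an added example (not code from compliance.tf or from the Terraform modules), this Python script reads the `configuration` section of `terraform show -json <planfile>` output and reports every `aws_dms_replication_instance` that leaves the argument unset, following values passed in through module inputs. The function names, verdict strings and sample plan are constructed for illustration, and it assumes that a module variable the caller omits defaults to null.

```python
import json
import sys
from pathlib import Path
TYPE = "aws_dms_replication_instance"

def verdict(expr, scopes):
    """Classify a kms_key_arn expression; scopes = inputs of each enclosing module call."""
    if not expr:
        return "FAIL: kms_key_arn not set"
    if "constant_value" in expr:
        return "PASS" if expr["constant_value"] else "FAIL: kms_key_arn is empty"
    refs = expr.get("references", [])
    if len(refs) == 1 and refs[0].startswith("var.") and scopes:
        # Fed by a module variable: judge what the caller passed (omitted is taken as null).
        return verdict(scopes[-1].get(refs[0][4:]), scopes[:-1])
    if refs and not any(r.startswith(("var.", "local.")) for r in refs):
        return "PASS"  # points at a resource or data source, such as a KMS key
    return "REVIEW: depends on a root variable, local or computed expression"

def audit(plan):
    """Map each replication instance address in the plan's configuration to a verdict."""
    results = {}
    def walk(module, prefix, scopes):
        for res in module.get("resources", []):
            if res.get("mode") == "managed" and res.get("type") == TYPE:
                expr = res.get("expressions", {}).get("kms_key_arn")
                results[prefix + res["address"]] = verdict(expr, scopes)
        for name, call in module.get("module_calls", {}).items():
            walk(call.get("module", {}), f"{prefix}module.{name}.", scopes + [call.get("expressions", {})])
    walk(plan.get("configuration", {}).get("root_module", {}), "", [])
    return results

# Constructed sample shaped like `terraform show -json` output; not a real plan.
_INNER = {"resources": [{"address": TYPE + ".this", "mode": "managed", "type": TYPE,
    "expressions": {"kms_key_arn": {"references": ["var.repl_instance_kms_key_arn"]}}}]}
_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
SAMPLE_PLAN = {"configuration": {"root_module": {
    "resources": [
        {"address": TYPE + ".keyed", "mode": "managed", "type": TYPE, "expressions": {
            "kms_key_arn": {"references": ["aws_kms_key.dms.arn", "aws_kms_key.dms"]}}},
        {"address": TYPE + ".bare", "mode": "managed", "type": TYPE, "expressions": {}}],
    "module_calls": {
        "dms": {"module": _INNER, "expressions": {"repl_instance_kms_key_arn": {"constant_value": _ARN}}},
        "dms_nokey": {"module": _INNER, "expressions": {}}}}}}

if __name__ == "__main__":
    plan = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, result in sorted(audit(plan).items()):
        print(f"{address}: {result}")
```

Run it with the path to a plan JSON file as the only argument; with no argument it audits the constructed sample. A `REVIEW` verdict means the value cannot be settled from the configuration alone and needs a look at the variable or local that feeds it.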