> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# DMS Replication Should Not Be Public

### More Info:

Ensure DMS replication instance in not public

### Risk Level

High

### Address

Observability

### Compliance Standards

HITRUST,CISEKS,SOC2,NISTCSF,PCIDSS,SEBI,RBI\_MD\_ITF,RBI\_UCB

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of DMS Replication being public for AWS RDS using the AWS console, follow these steps:

        1. **Access AWS Management Console**: Go to the AWS Management Console at [https://aws.amazon.com/](https://aws.amazon.com/) and log in to your account.

        2. **Navigate to the Amazon RDS Console**: Click on the "Services" dropdown menu at the top left corner of the console, then select "RDS" under the Database category.

        3. **Select the RDS Instance**: From the list of RDS instances, select the instance that is being replicated using DMS.

        4. **Modify Security Group**: In the details page of the selected RDS instance, scroll down to the "Security" section and click on the security group that is associated with the instance.

        5. **Edit Inbound Rules**: In the security group settings, locate the inbound rules that allow public access to the DMS replication. By default, DMS replication should not be public.

        6. **Update Security Group Rules**: Remove any inbound rules that allow public access to the DMS replication endpoint. You can either modify the existing rule to restrict access to specific IP ranges or completely remove the rule if it is not required.

        7. **Save Changes**: After updating the security group rules, save the changes to apply the new configuration.

        8. **Verify Configuration**: Double-check the security group settings to ensure that only authorized entities have access to the DMS replication endpoint.

        By following these steps, you can remediate the misconfiguration of DMS Replication being public for AWS RDS using the AWS console and ensure that your RDS instance is secure.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the DMS replication being public for AWS RDS using AWS CLI, you can follow these steps:

        1. **Identify the DMS Replication Instance**: First, you need to identify the DMS replication instance that is currently public. You can use the following AWS CLI command to list all the DMS replication instances:

        ```bash theme={null}
        aws dms describe-replication-instances
        ```

        2. **Update the Security Group**: Once you have identified the DMS replication instance, you need to update the security group associated with it to restrict access. Get the security group ID from the DMS replication instance details and then run the following AWS CLI command to update the security group:

        ```bash theme={null}
        aws ec2 revoke-security-group-ingress --group-id YOUR_SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0
        ```

        Replace `YOUR_SECURITY_GROUP_ID` with the actual security group ID associated with the DMS replication instance.

        3. **Verify the Changes**: Finally, verify that the security group rules have been updated successfully by running the following AWS CLI command:

        ```bash theme={null}
        aws ec2 describe-security-groups --group-ids YOUR_SECURITY_GROUP_ID
        ```

        Ensure that the inbound rules for port 443 (DMS replication port) do not allow access from `0.0.0.0/0`.

        By following these steps, you can remediate the DMS replication being public for AWS RDS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of having DMS replication public for AWS RDS using Python, you can follow these steps:

        1. **Identify the Publicly Accessible DMS Replication Instance**:
           * Use the AWS SDK for Python (Boto3) to list all the DMS replication instances.
           * Check if any of the replication instances have a publicly accessible endpoint.

        2. **Update the DMS Replication Instance to Not be Public**:
           * For each publicly accessible DMS replication instance, use the `modify_replication_instance` method in Boto3 to update the instance's `PubliclyAccessible` parameter to `False`.

        3. **Python Script to Remediate**:
           ```python theme={null}
           import boto3

           def remediate_public_dms_replication():
               client = boto3.client('dms')

               # List all DMS replication instances
               response = client.describe_replication_instances()

               for instance in response['ReplicationInstances']:
                   if instance['PubliclyAccessible']:
                       # Update the replication instance to not be publicly accessible
                       client.modify_replication_instance(
                           ReplicationInstanceArn=instance['ReplicationInstanceArn'],
                           PubliclyAccessible=False
                       )
                       print(f"Updated DMS replication instance {instance['ReplicationInstanceArn']} to not be public.")

           if __name__ == '__main__':
               remediate_public_dms_replication()
           ```

        4. **Run the Python Script**:
           * Save the above Python script to a file, for example, `remediate_public_dms.py`.
           * Run the script using Python, ensuring that you have the necessary IAM permissions to modify DMS replication instances.

        5. **Verify the Remediation**:
           * After running the script, verify that the DMS replication instances are no longer publicly accessible by checking the `PubliclyAccessible` parameter for each instance.

        By following these steps and running the provided Python script, you can successfully remediate the misconfiguration of having DMS replication public for AWS RDS.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
