This check examines the endpoint settings of each DMS Redis OSS endpoint for TLS (the ssl-encryption SSL security protocol), which indicates that connections between the DMS replication instance and Redis are encrypted.
Risk
Without TLS, traffic between DMS and Redis can be intercepted or altered, compromising confidentiality and integrity.
Attackers can perform man-in-the-middle interception, steal auth tokens, and inject or corrupt migrated data.
prowler aws --checks dms_endpoint_redis_in_transit_encryption_enabled
Recommendation
Enable TLS on Redis OSS endpoints (e.g., ssl-encryption) and require server certificate validation. Prohibit plaintext connections, prefer private networking, and enforce least privilege for DMS roles to strengthen defense in depth.
Remediation
- In the AWS Console, go to Database Migration Service > Endpoints
- Select the Redis OSS endpoint and click Modify
- Set SSL security protocol (Encryption in transit) to "SSL encryption"
- Save changes
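As an added example (not Prowler's or AWS's own code), the following evaluates DMS endpoint records in the shape returned by dms:DescribeEndpoints the way the check described at the top of this page does, and flags the Redis OSS endpoints that still need the remediation above. The account id, ARNs, hostnames and the boto3 client are assumptions for illustration.

```python
# Added example (not Prowler's or AWS's code): evaluate DescribeEndpoints records like the check above.
from typing import Iterable, Optional
# Constructed sample response; account id, ARNs and hostnames are placeholders.
SAMPLE_ENDPOINTS = [
    {"EndpointIdentifier": "redis-target-prod", "EngineName": "redis", "EndpointType": "target",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLEPROD",
     "RedisSettings": {"ServerName": "redis.prod.internal", "Port": 6379, "AuthType": "auth-token",
                       "SslSecurityProtocol": "ssl-encryption",
                       "SslCaCertificateArn": "arn:aws:dms:us-east-1:123456789012:cert:EXAMPLECA"}},
    {"EndpointIdentifier": "redis-target-dev", "EngineName": "redis", "EndpointType": "target",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLEDEV",
     "RedisSettings": {"ServerName": "redis.dev.internal", "Port": 6379, "AuthType": "none",
                       "SslSecurityProtocol": "plaintext"}},
    {"EndpointIdentifier": "redis-target-legacy", "EngineName": "redis", "EndpointType": "target",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLELEGACY",
     "RedisSettings": {"ServerName": "redis.legacy.internal", "Port": 6379}},
    {"EndpointIdentifier": "mysql-source", "EngineName": "mysql", "EndpointType": "source",
     "EndpointArn": "arn:aws:dms:us-east-1:123456789012:endpoint:EXAMPLEMYSQL"},
]

def evaluate_redis_endpoint(endpoint: dict) -> Optional[dict]:
    """Return a PASS/FAIL finding for a Redis OSS endpoint, or None for other engines."""
    if endpoint.get("EngineName") != "redis":
        return None
    settings = endpoint.get("RedisSettings", {})
    # Assumption: a missing SslSecurityProtocol is treated as plaintext (fail closed).
    protocol = settings.get("SslSecurityProtocol", "plaintext")
    return {"id": endpoint["EndpointIdentifier"], "arn": endpoint["EndpointArn"],
            "status": "PASS" if protocol == "ssl-encryption" else "FAIL",
            "protocol": protocol,
            # The recommendation also asks for server certificate validation.
            "ca_cert_configured": bool(settings.get("SslCaCertificateArn"))}

def failing_endpoint_arns(endpoints: Iterable[dict]) -> list:
    """ARNs of Redis endpoints still accepting plaintext, in input order."""
    return [f["arn"] for e in endpoints
            if (f := evaluate_redis_endpoint(e)) and f["status"] == "FAIL"]

def audit_live(dms_client) -> list:
    """Same evaluation against a real account; dms_client is an assumed boto3 'dms' client."""
    findings = []
    for page in dms_client.get_paginator("describe_endpoints").paginate(
            Filters=[{"Name": "engine-name", "Values": ["redis"]}]):
        findings.extend(f for e in page["Endpoints"] if (f := evaluate_redis_endpoint(e)))
    return findings

if __name__ == "__main__":
    for f in filter(None, map(evaluate_redis_endpoint, SAMPLE_ENDPOINTS)):
        print(f"{f['status']:4} {f['id']:20} protocol={f['protocol']} ca_cert={f['ca_cert_configured']}")
```

On the constructed sample, only redis-target-prod passes; the dev endpoint is explicitly plaintext and the legacy one has no protocol set, so both are reported for remediation.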
Source Code
Resource Type
AwsDmsEndpoint
References
- https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-12
- https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Redis.html#CHAP_Target.Redis.EndpointSettings
- https://support.icompaas.com/support/solutions/articles/62000233450-ensure-encryption-in-transit-for-dms-endpoints-for-redis-oss