Infrastructure security in Amazon Database Migration Service - Amazon Database Migration Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Infrastructure security in Amazon Database Migration Service

As a managed service, Amazon Database Migration Service is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see Amazon Cloud Security. To design your Amazon environment using the best practices for infrastructure security, see Infrastructure Protection in Security Pillar Amazon Well‐Architected Framework.

You use Amazon published API calls to access Amazon DMS through the network. Clients must support the following:

  • Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.

  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the Amazon Security Token Service (Amazon STS) to generate temporary security credentials to sign requests.

You can call these API operations from any network location. Amazon DMS also supports resource-based access policies, which can specify restrictions on actions and resources, for example, based on the source IP address. In addition, you can use Amazon DMS policies to control access from specific Amazon VPC endpoints or specific virtual private clouds (VPCs). Effectively, this isolates network access to a given Amazon DMS resource from only the specific VPC within the Amazon network. For more information about using resource-based access policies with Amazon DMS, including examples, see Fine-grained access control using resource names and tags.

To confine your communications with Amazon DMS within a single VPC, you can create a VPC interface endpoint that enables you to connect to Amazon DMS through Amazon PrivateLink. Amazon PrivateLink helps ensure that any call to Amazon DMS and its associated results remain confined to the specific VPC for which your interface endpoint is created. You can then specify the URL for this interface endpoint as an option with every Amazon DMS command that you run using the Amazon CLI or an SDK. Doing this helps ensure that your entire communications with Amazon DMS remain confined to the VPC and are otherwise invisible to the public internet.

To create an interface endpoint to access DMS in a single VPC

  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. From the navigation pane, choose Endpoints. This opens the Create endpoints page, where you can create the interface endpoint from a VPC to Amazon DMS.

  3. Choose Amazon services, then search for and choose a value for Service Name, in this case Amazon DMS in the following form.

    com.amazonaws.region.dms

    Here, region specifies the Amazon Region where Amazon DMS runs, for example com.amazonaws.us-west-2.dms.

  4. For VPC, choose the VPC to create the interface endpoint from, for example vpc-12abcd34.

  5. Choose a value for Availability Zone and for Subnet ID. These values should indicate a location where your chosen Amazon DMS endpoint can run, for example us-west-2a (usw2-az1) and subnet-ab123cd4.

  6. Choose Enable DNS name to create the endpoint with a DNS name. This DNS name consists of the endpoint ID (vpce-12abcd34efg567hij) hyphenated with a random string (ab12dc34). These are separated from the service name by a dot in reverse dot-separated order, with vpce added (dms.us-west-2.vpce.amazonaws.com).

    An example is vpce-12abcd34efg567hij-ab12dc34.dms.us-west-2.vpce.amazonaws.com.

  7. For Security group, choose a group to use for the endpoint.

    When you set up your security group, make sure to allow outbound HTTPS calls from within it. For more information, see Creating security groups in the Amazon VPC User Guide.

  8. Choose either Full Access or a custom value for Policy. For example, you might choose a custom policy similar to the following that restricts your endpoint's access to certain actions and resources.

    {
  "Statement": [
    {
      "Action": "dms:*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    },
    {
      "Action": [
        "dms:ModifyReplicationInstance",
        "dms:DeleteReplicationInstance"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:dms:us-west-2:<account-id>:rep:<replication-instance-id>",
      "Principal": "*"
    }
  ]
}

    Here, the sample policy allows any Amazon DMS API call, except for deleting or modifying a specific replication instance.

You can now specify a URL formed using the DNS name created in step 6 as an option. You specify this for every Amazon DMS CLI command or API operation to access the service instance using the created interface endpoint. For example, you might run the DMS CLI command DescribeEndpoints in this VPC as shown following.

$ aws dms describe-endpoints --endpoint-url https://vpce-12abcd34efg567hij-ab12dc34.dms.us-west-2.vpce.amazonaws.com

If you enable the private DNS option, you don't have to specify the endpoint URL in the request.

For more information on creating and using VPC interface endpoints (including enabling the private DNS option), see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.