Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Security group configuration for AWS DMS

PDF
RSS
Focus mode
Security group configuration for AWS DMS - AWS Database Migration Service
Additional Considerations

Security group in AWS DMS must allow inbound and outbound connections for your replication instances on the appropriate database port. If you are using Amazon RDS, you must configure the security group between DMS and RDS for your instances.

You must perform the following steps:

Configure the RDS instance security group

  1. Navigate to the Amazon VPC console.

  2. In the navigation pane on the left under Security, select Security Groups.

  3. Select the RDS Security Group associated with your RDS instance.

  4. Edit the inbound rules:

    1. Click Actions and select Edit inbound rules.

    2. Click Add Rule to create a new rule.

    3. Configure the rule as follows:

      • Type: Select your database type (Example: MySQL/Aurora for port 3306, PostgreSQL for port 5432).

      • Protocol: This auto-populates based on your database type.

      • Port Range: this auto-populates based on your database type.

      • Source: Choose Custom, and paste the security group ID associated with your DMS instance. This allows traffic from any resource within that security group. You can also specify the IP range (CIDR block) of your DMS instance.

    4. Click Save rules.

Configure the DMS replication instance security group

  1. Navigate to the Amazon VPC console.

  2. In the navigation pane on the left under Security, select Security Groups.

  3. In the Security Group list find and select the security group associated with your DMS replication instance.

  4. Edit the outbound rules:

    1. Click Actions and select Edit outbound rules.

    2. Click Add Rule to create a new rule.

    3. Configure the rule as follows:

      • Type: Select your database type (Example: MySQL/Aurora, PostgreSQL).

      • Protocol: This auto-populates based on your database type.

      • Port Range: this auto-populates based on your database type.

      • Source: Choose Custom, and paste the security group ID associated with your RDS instance. This allows traffic from any resource within that security group. You can also specify the IP range (CIDR block) of your RDS instance.

    4. Click Save rules.

Additional Considerations

You must consider the following additional configuration information:

  • Use Security Group References: Referencing security groups in the source or destional instances allows for dynamic management and is more secure than using IP addresses as it automatically included all resources within the group.

  • Database Ports: Ensure you are using the correct port for your database.

  • Security Best Practices: Only open the necessary ports to minimize security risks. you must also regular review of your security group rules to ensure they meed your security standards and requirements.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.