Amazon Web Services
Amazon Database Migration Service (DMS) is a fully managed service that makes it easy to migrate databases to AWS. It supports homogeneous migrations such as Oracle to Amazon RDS Oracle, as well as heterogeneous migrations between different database platforms, such as Microsoft SQL Server to Amazon Aurora. With Amazon DMS, you can move your existing databases to AWS quickly and securely, without the need to write any code or purchase any additional hardware. The service supports on-premises databases, databases in the cloud, and databases running on virtual machines. Amazon DMS continuously replicates your data, ensuring that your target database is up-to-date with the source database. Amazon DMS is designed to be highly scalable and resilient, and it can handle very large data migration projects. You can use it to migrate your entire database, or you can choose to migrate only specific tables or schemas.
Terraform Name: aws_dms_replication_instance
The following arguments are supported:

  • allocated_storage - (Optional, Default: 50, Min: 5, Max: 6144) The amount of storage (in gigabytes) to be initially allocated for the replication instance.
  • allow_major_version_upgrade - (Optional, Default: false) Indicates that major version upgrades are allowed.
  • apply_immediately - (Optional, Default: false) Indicates whether the changes should be applied immediately or during the next maintenance window. Only used when updating an existing resource.
  • auto_minor_version_upgrade - (Optional, Default: false) Indicates that minor engine upgrades will be applied automatically to the replication instance during the maintenance window.
  • availability_zone - (Optional) The EC2 Availability Zone that the replication instance will be created in.
  • engine_version - (Optional) The engine version number of the replication instance.
  • kms_key_arn - (Optional) The Amazon Resource Name (ARN) for the KMS key that will be used to encrypt the connection parameters. If you do not specify a value for kms_key_arn, then AWS DMS will use your default encryption key. AWS KMS creates the default encryption key for your AWS account. Your AWS account has a different default encryption key for each AWS region.
  • multi_az - (Optional) Specifies if the replication instance is a multi-az deployment. You cannot set the availability_zone parameter if the multi_az parameter is set to true.
  • preferred_maintenance_window - (Optional) The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
      ◦ Default: A 30-minute window selected at random from an 8-hour block of time per region, occurring on a random day of the week.
      ◦ Format: ddd:hh24:mi-ddd:hh24:mi
      ◦ Valid Days: mon, tue, wed, thu, fri, sat, sun
      ◦ Constraints: Minimum 30-minute window.
  • publicly_accessible - (Optional, Default: false) Specifies the accessibility options for the replication instance. A value of true represents an instance with a public IP address. A value of false represents an instance with a private IP address.
  • replication_instance_class - (Required) The compute and memory capacity of the replication instance as specified by the replication instance class. See AWS DMS User Guide for available instance sizes and advice on which one to choose.
  • replication_instance_id - (Required) The replication instance identifier. This parameter is stored as a lowercase string.
      ◦ Must contain from 1 to 63 alphanumeric characters or hyphens.
      ◦ First character must be a letter.
      ◦ Cannot end with a hyphen.
      ◦ Cannot contain two consecutive hyphens.
  • replication_subnet_group_id - (Optional) A subnet group to associate with the replication instance.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_security_group_ids - (Optional) A list of VPC security group IDs to be used with the replication instance. The VPC security groups must work with the VPC containing the replication instance.

Associating resources with a Security Group
Resources do not "belong" to a Security Group. Rather, one or more Security Groups are associated to a resource (for this resource, through vpc_security_group_ids).
via Terraform:
The following HCL creates the required IAM roles and then creates a DMS (Database Migration Service) replication instance, with depends_on set to the role policy attachments so the roles are usable before the instance is created.

# Database Migration Service requires the below IAM Roles to be created before
# replication instances can be created. See the DMS Documentation for
# additional information:
#  * dms-vpc-role
#  * dms-cloudwatch-logs-role
#  * dms-access-for-endpoint

data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      # DMS service principal: only the DMS service may assume these roles
      identifiers = ["dms.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "dms-access-for-endpoint" {
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
  name               = "dms-access-for-endpoint"
}

resource "aws_iam_role_policy_attachment" "dms-access-for-endpoint-AmazonDMSRedshiftS3Role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"
  role       = aws_iam_role.dms-access-for-endpoint.name
}

resource "aws_iam_role" "dms-cloudwatch-logs-role" {
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
  name               = "dms-cloudwatch-logs-role"
}

resource "aws_iam_role_policy_attachment" "dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"
  role       = aws_iam_role.dms-cloudwatch-logs-role.name
}

resource "aws_iam_role" "dms-vpc-role" {
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
  name               = "dms-vpc-role"
}

resource "aws_iam_role_policy_attachment" "dms-vpc-role-AmazonDMSVPCManagementRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
  role       = aws_iam_role.dms-vpc-role.name
}

# Create a new replication instance
resource "aws_dms_replication_instance" "test" {
  allocated_storage            = 20
  apply_immediately            = true
  auto_minor_version_upgrade   = true
  availability_zone            = "us-west-2c"
  engine_version               = "3.1.4"
  kms_key_arn                  = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
  multi_az                     = false
  preferred_maintenance_window = "sun:10:30-sun:14:30"
  publicly_accessible          = true
  replication_instance_class   = "dms.t2.micro"
  replication_instance_id      = "test-dms-replication-instance-tf"
  # Placeholder: id of an existing aws_dms_replication_subnet_group in your VPC
  replication_subnet_group_id  = "REPLACE-WITH-REPLICATION-SUBNET-GROUP-ID"

  tags = {
    Name = "test"
  }

  vpc_security_group_ids = [
    "sg-REPLACEME", # placeholder: a security group in the instance's VPC
  ]

  # Wait for the policy attachments so the roles are complete when DMS first uses them
  depends_on = [
    aws_iam_role_policy_attachment.dms-access-for-endpoint-AmazonDMSRedshiftS3Role,
    aws_iam_role_policy_attachment.dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole,
    aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole,
  ]
}
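The argument list and the HCL example above contain several settings with a direct security or availability effect (publicly_accessible, kms_key_arn, vpc_security_group_ids, multi_az) and two arguments with format constraints (replication_instance_id, preferred_maintenance_window). The following Python check is an added example, not code from the original page or from the Terraform AWS provider: it reads the JSON that `terraform show -json <planfile>` emits and reports, per aws_dms_replication_instance, which of those settings deviate from a hardened baseline or violate the documented constraints. The plan fragment embedded below is constructed to mirror the HCL example; the function names (lint_plan, check_identifier, window_minutes) and the root-module-only walk are this example's own assumptions.

```python
"""Lint aws_dms_replication_instance resources in Terraform plan JSON.

Added example: reads `terraform show -json` output and flags the settings
documented on this page. Only the root module is walked here.
"""
import json
import re

# Constructed sample plan fragment, shaped like `terraform show -json` output
# and mirroring the page's HCL example (public, single-AZ, no explicit SGs).
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_dms_replication_instance.test",
         "type": "aws_dms_replication_instance",
         "values": {
             "replication_instance_id": "test-dms-replication-instance-tf",
             "publicly_accessible": True,
             "multi_az": False,
             "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
             "vpc_security_group_ids": [],
             "preferred_maintenance_window": "sun:10:30-sun:14:30",
         }},
    ]}}
})

# 1-63 alphanumerics or hyphens, first character a letter (page constraints)
ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
# ddd:hh24:mi-ddd:hh24:mi
WINDOW_RE = re.compile(r"^(\w{3}):(\d{2}):(\d{2})-(\w{3}):(\d{2}):(\d{2})$")


def check_identifier(ident):
    """Return a problem description, or None if the identifier is valid."""
    if not ID_RE.match(ident or ""):
        return "must be 1-63 alphanumerics/hyphens and start with a letter"
    if ident.endswith("-"):
        return "cannot end with a hyphen"
    if "--" in ident:
        return "cannot contain two consecutive hyphens"
    return None


def window_minutes(window):
    """Length of a maintenance window in minutes, or None if malformed.

    The end may wrap past the start (e.g. sun:23:45-mon:00:15), so the
    difference is taken modulo one week.
    """
    m = WINDOW_RE.match(window or "")
    if not m:
        return None
    d1, h1, m1, d2, h2, m2 = m.groups()
    if d1 not in DAYS or d2 not in DAYS:
        return None
    h1, m1, h2, m2 = int(h1), int(m1), int(h2), int(m2)
    if max(h1, h2) > 23 or max(m1, m2) > 59:
        return None
    start = DAYS.index(d1) * 1440 + h1 * 60 + m1
    end = DAYS.index(d2) * 1440 + h2 * 60 + m2
    return (end - start) % (7 * 1440)


def lint_plan(plan_json):
    """Return {resource address: [findings]} for each DMS replication instance."""
    plan = json.loads(plan_json)
    findings = {}
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res.get("type") != "aws_dms_replication_instance":
            continue
        v = res.get("values", {})
        problems = []
        if v.get("publicly_accessible"):
            problems.append("publicly_accessible=true: instance gets a public IP address")
        if not v.get("kms_key_arn"):
            problems.append("kms_key_arn unset: connection parameters use the account default key")
        if not v.get("vpc_security_group_ids"):
            problems.append("vpc_security_group_ids empty: no explicit security group chosen")
        if not v.get("multi_az"):
            problems.append("multi_az=false: single-AZ replication instance")
        bad_id = check_identifier(v.get("replication_instance_id"))
        if bad_id:
            problems.append("replication_instance_id " + bad_id)
        window = v.get("preferred_maintenance_window")
        if window is not None:
            minutes = window_minutes(window)
            if minutes is None:
                problems.append("preferred_maintenance_window not in ddd:hh24:mi-ddd:hh24:mi form")
            elif minutes < 30:
                problems.append("preferred_maintenance_window shorter than the 30-minute minimum")
        findings[res["address"]] = problems
    return findings


if __name__ == "__main__":
    for address, problems in lint_plan(SAMPLE_PLAN).items():
        print(address)
        for p in problems:
            print("  -", p)
```

Run it as `python dms_lint.py` to see the findings for the constructed plan, or replace SAMPLE_PLAN with `open("plan.json").read()` after `terraform plan -out tfplan && terraform show -json tfplan > plan.json`. The example treats kms_key_arn as a finding only when it is absent, matching the page's note that DMS otherwise falls back to the account default key; whether a customer-managed key is required is a policy decision for the reader's environment.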

via CLI:

aws dms create-replication-instance
--replication-instance-identifier <value>
[--allocated-storage <value>]
--replication-instance-class <value>
[--vpc-security-group-ids <value>]
[--availability-zone <value>]
[--replication-subnet-group-identifier <value>]
[--preferred-maintenance-window <value>]
[--multi-az | --no-multi-az]
[--engine-version <value>]
[--auto-minor-version-upgrade | --no-auto-minor-version-upgrade]
[--tags <value>]
[--kms-key-id <value>]
[--publicly-accessible | --no-publicly-accessible]
[--dns-name-servers <value>]
[--resource-identifier <value>]
[--network-type <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws dms create-replication-instance \
   --replication-instance-identifier my-repl-instance \
   --replication-instance-class dms.t2.micro \
   --allocated-storage 5

AWS Cost
The cost of using DMS depends on several factors, including the amount of data processed, the size of the source and target databases, and the number of replication tasks. For data processing, you are charged for the amount of storage used by the replication instance and the number of replication tasks run. For data transfer, you are charged for the amount of data transferred in and out of AWS. If you are replicating between AWS regions, you will incur additional data transfer costs.