Name of the resource
AWS::DMS::ReplicationInstance
Resource name
No response
Description
When an AWS DMS replication instance is created, the service provisions ENIs in the account's VPC with the description DMSNetworkInterface. DMS always creates replication instances in a VPC. For Multi-AZ deployments, ENIs are created in multiple subnets. These service-managed ENIs do not inherit tags from the replication instance.
Problem
- DMS creates ENIs with the description DMSNetworkInterface in the subnets of the replication subnet group.
- These ENIs carry no tags: no reference to the owning replication instance, replication subnet group, or migration task.
- ENIs can be replaced during Multi-AZ failovers, instance class modifications, or maintenance events.
- There is no mechanism (via CloudFormation or the DMS API) to control tags on these ENIs at creation time.
Impact
Organizations enforcing mandatory tagging policies face:
- Cost allocation gaps: Untagged ENIs cannot be attributed to a project or team.
- Compliance violations: AWS Config rules like required-tags flag these ENIs as non-compliant.
- Operational overhead: Workarounds require event-driven Lambda functions to retroactively tag ENIs, with race conditions during failover or maintenance events when ENIs are replaced.
- Identification difficulty: Without tags, correlating ENIs to a specific replication instance requires cross-referencing private IP addresses via the DMS describe-replication-instances API.
Expected Behavior
Tags defined on AWS::DMS::ReplicationInstance should be automatically propagated to all ENIs created by the DMS service. When ENIs are replaced during lifecycle events (failover, maintenance, instance modification), new ENIs should receive the current tags from the parent replication instance.
Other Details
- DMS Serverless replications also create ENIs in the account's VPC with a similar pattern.
- The DMS service role requires ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface permissions.
- DMS ENIs are requester-managed and cannot be detached or deleted by users while the replication instance exists.
Reproduction
- Create a DMS replication instance with tags via CloudFormation:

```yaml
MyReplicationInstance:
  Type: AWS::DMS::ReplicationInstance
  Properties:
    ReplicationInstanceClass: dms.t3.medium
    ReplicationSubnetGroupIdentifier: !Ref MyDMSSubnetGroup
    VpcSecurityGroupIds:
      - sg-xxx
    Tags:
      - Key: Environment
        Value: production
      - Key: CostCenter
        Value: "12345"
```

- List ENIs:

```bash
aws ec2 describe-network-interfaces \
  --filters "Name=description,Values=DMSNetworkInterface" \
  --query "NetworkInterfaces[].{ID:NetworkInterfaceId,Desc:Description,Tags:TagSet}"
```

- Observe: TagSet is empty on the DMS-managed ENIs.
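As an added example (not part of this issue or of the DMS service), the retroactive-tagging workaround described under Impact: DMS-managed ENIs are matched to their replication instance by private IP from describe-replication-instances, and the instance's tags are copied onto the ENI through the EC2 API. It assumes boto3 clients for the live `reconcile` run; the sample data is constructed, and an ENI whose IP has no owner yet (mid-replacement during failover) is left alone rather than mis-tagged, which is the race the issue points out.

```python
DMS_ENI_DESCRIPTION = "DMSNetworkInterface"  # description DMS puts on its ENIs


def plan_eni_tags(instances, enis):
    """Return {eni_id: tags to add} for DMS-created ENIs missing the owner's tags.

    `instances`: describe-replication-instances entries with the TagList from
    list-tags-for-resource attached as "Tags"; `enis`: describe-network-interfaces
    entries. The only link between the two is the private IP address."""
    ip_to_tags = {ip: inst.get("Tags", []) for inst in instances
                  for ip in inst.get("ReplicationInstancePrivateIpAddresses", [])}
    plan = {}
    for eni in enis:
        if eni.get("Description") != DMS_ENI_DESCRIPTION:
            continue  # never touch ENIs the service did not create
        wanted = ip_to_tags.get(eni.get("PrivateIpAddress"))
        if wanted is None:
            continue  # no owner yet (ENI mid-replacement): pick it up next run
        present = {t["Key"]: t["Value"] for t in eni.get("TagSet", [])}
        missing = [t for t in wanted if present.get(t["Key"]) != t["Value"]]
        if missing:
            plan[eni["NetworkInterfaceId"]] = missing
    return plan


def reconcile(dms, ec2):
    """Fetch live data through boto3 clients and apply the plan (idempotent)."""
    instances = dms.describe_replication_instances()["ReplicationInstances"]
    for inst in instances:
        arn = inst["ReplicationInstanceArn"]
        inst["Tags"] = dms.list_tags_for_resource(ResourceArn=arn)["TagList"]
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "description", "Values": [DMS_ENI_DESCRIPTION]}]
    )["NetworkInterfaces"]
    plan = plan_eni_tags(instances, enis)
    for eni_id, tags in plan.items():
        ec2.create_tags(Resources=[eni_id], Tags=tags)
    return plan


# Constructed sample data shaped like the two API responses (fake IDs and IPs).
TAGS = [{"Key": "Environment", "Value": "production"},
        {"Key": "CostCenter", "Value": "12345"}]
SAMPLE_INSTANCES = [{"ReplicationInstancePrivateIpAddresses": ["10.0.1.10", "10.0.2.10"], "Tags": TAGS}]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Description": DMS_ENI_DESCRIPTION,
     "PrivateIpAddress": "10.0.1.10", "TagSet": []},    # owner known, untagged
    {"NetworkInterfaceId": "eni-0bbb", "Description": DMS_ENI_DESCRIPTION,
     "PrivateIpAddress": "10.0.2.10", "TagSet": TAGS},  # already tagged: skip
    {"NetworkInterfaceId": "eni-0ccc", "Description": DMS_ENI_DESCRIPTION,
     "PrivateIpAddress": "10.0.3.99", "TagSet": []},    # orphan mid-failover
]
```

Run `reconcile(boto3.client("dms"), boto3.client("ec2"))` on a schedule or from the event-driven Lambda; because it only adds tags that are absent or differ, repeated runs converge after ENI replacement.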