AWS Security ChangesHomeSearch

AWS dms documentation change

Service: dms · 2026-05-22 · Documentation high

File: dms/latest/userguide/CHAP_Target.MySQL.md

Summary

Added section 'Considerations for Aurora MySQL 8.4 targets' detailing TLS enforcement changes, authentication plugin updates, and password reset implications for AWS DMS connectivity

Security assessment

Documents new security features in Aurora MySQL 8.4 (TLS enforcement by default, authentication policy changes) and configuration requirements for AWS DMS. No evidence of addressing a specific security vulnerability.

Diff

diff --git a/dms/latest/userguide/CHAP_Target.MySQL.md b/dms/latest/userguide/CHAP_Target.MySQL.md
index 6660f82dd..843714a39 100644
--- a//dms/latest/userguide/CHAP_Target.MySQL.md
+++ b//dms/latest/userguide/CHAP_Target.MySQL.md
@@ -7 +7 @@
-Prerequisites for MySQL as a targetLimitations on MySQL as a targetEndpoint settingsTarget data types for MySQL
+Prerequisites for MySQL as a targetAurora MySQL 8.4 targetsLimitations on MySQL as a targetEndpoint settingsTarget data types for MySQL
@@ -49,0 +50,2 @@ For additional details on working with a MySQL-compatible database as a target f
+  * Considerations for Aurora MySQL 8.4 targets
+
@@ -86,0 +89,35 @@ Before you begin to work with a MySQL-compatible database as a target for AWS DM
+## Considerations for Aurora MySQL 8.4 targets
+
+Aurora MySQL 8.4 introduces security changes that may affect AWS DMS target endpoint connectivity. Review the following before upgrading your Aurora MySQL target to version 8.4.
+
+**TLS enforcement**
+
+Aurora MySQL 8.4 sets `require_secure_transport` to `ON` by default, meaning all connections must use TLS. If your AWS DMS target endpoint connects to Aurora MySQL 8.4 and the SSL mode is set to **none** , connections will be rejected. If your endpoint SSL mode is set to **none** , you will receive the following error: `MySQL Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON`. Set the endpoint SSL mode to **verify-ca** or **verify-full**. Both modes require a CA certificate. Alternatively, set `require_secure_transport` to `OFF` in your Aurora cluster parameter group to allow unencrypted connections.
+
+###### Note
+
+Aurora MySQL 8.4 only supports GCM cipher suites for TLS 1.2. All CBC-mode ciphers have been removed. AWS DMS uses TLS 1.2 for MySQL and Aurora MySQL endpoints and will auto-negotiate a supported GCM cipher. If you have custom cipher configurations, verify they include one of the following supported ciphers: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, or ECDHE-ECDSA-AES256-GCM-SHA384.
+
+###### Note
+
+AWS DMS does not support TLS 1.3 for MySQL endpoints. This does not affect connectivity to Aurora MySQL 8.4, as Aurora MySQL 8.4 continues to support TLS 1.2.
+
+**Authentication (Aurora MySQL and RDS for MySQL 8.4)**
+
+Aurora MySQL 8.4 replaces the `default_authentication_plugin` parameter with `authentication_policy`, which defaults to `*:caching_sha2_password`. Existing database users retain their current authentication plugin after the upgrade. If you create new AWS DMS endpoint users after upgrading, they will use `caching_sha2_password` by default unless you set `authentication_policy` to `*:mysql_native_password` in your cluster parameter group.
+
+**Master user password reset**
+
+After upgrading to Aurora MySQL 8.4, resetting the master user password via the AWS Management Console, CLI, or through Secrets Manager rotation sets the master user’s authentication plugin to the default defined by the `authentication_policy` parameter. If `authentication_policy` is set to its default value (`*:caching_sha2_password`), the master user’s authentication plugin changes from `mysql_native_password` to `caching_sha2_password` upon the next password reset.
+
+If your AWS DMS target endpoint uses the master user account, verify connectivity after any password reset. To avoid authentication plugin changes, either:
+
+  * Set `authentication_policy` to `*:mysql_native_password` in your cluster parameter group before resetting the password, or
+
+  * Create a dedicated AWS DMS endpoint user with an explicitly specified authentication plugin (recommended). For example: `CREATE USER 'dms_user'@'%' IDENTIFIED WITH mysql_native_password BY 'password';`
+
+
+
+
+For more information about Aurora MySQL 8.4 security changes, see [Security with Amazon Aurora MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.html) and [Password management with Amazon Aurora and Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the _Amazon Aurora User Guide_. For information about authentication plugin known issues, see [Authentication plugin](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/MySQL.KnownIssuesAndLimitations.html#MySQL.Concepts.KnownIssuesAndLimitations.authentication-plugin) in the _Amazon RDS User Guide_.
+