---
title: DMS replication instances should be encrypted at rest
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > DMS replication instances should be
  encrypted at rest
---

# DMS replication instances should be encrypted at rest
 
## Description{% #description %}

DMS replication instances should have encryption at rest configured with a KMS key. Encryption protects data being migrated or replicated from unauthorized access during the replication process.

## Remediation{% #remediation %}

Create a new DMS replication instance with a KMS key specified for encryption. Existing instances cannot have encryption changed after creation. For guidance, refer to [Creating a replication instance](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Creating.html).