Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.
Public access to a DMS replication instance can be disabled by deleting the replication instance and then recreate it. Before you can delete a replication instance, you must delete all the tasks that use the replication instance. When creating the new instance ensure that the Publicly Accessible option is disabled.
In Terraform -
For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible