AWS Certified Solutions Architect - Professional / Question #922 of 529

Question #922

A company is migrating an on-premises application and a PostgreSQL database to AWS. The application handles highly confidential data, with continuous updates to the database. Data transmission must avoid the public internet, and encryption must be enforced both in transit and at rest.

The database is 6 TB in size. The company has already provisioned an Amazon Aurora PostgreSQL-Compatible Edition DB instance with the required schema. A 2 Gbps AWS Direct Connect connection is established, along with a public VIF and a private VIF. A solutions architect must design a migration strategy that minimizes downtime while meeting all security requirements.

Which solution satisfies these requirements?

A

Create a database dump. Transfer the backup files using AWS Snowball Edge Compute Optimized. Import the data to Amazon S3. Enable server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest. Use TLS for encryption in transit. Restore the data from S3 to the Aurora DB instance.

B

Use AWS Database Migration Service (AWS DMS) for the migration. Deploy a DMS replication instance in a private subnet. Establish VPC endpoints for DMS. Configure a DMS task with full load and change data capture (CDC) to replicate data from the on-premises database to Aurora. Encrypt data at rest using AWS KMS customer-managed keys and enforce TLS for in-transit encryption.

C

Generate a database backup. Transfer the backup files to Amazon S3 using AWS DataSync. Apply server-side encryption with SSE-KMS for encryption at rest. Use TLS for secure transfer. Restore the backup from S3 to the Aurora DB instance.

D

Deploy an Amazon FSx for Lustre file system. Use AWS Direct Connect to establish a private link. Perform a database backup and copy it to FSx. Encrypt the file system with AWS KMS keys. Use TLS for data transfer. Import the backup into the Aurora DB instance.

Explanation

Option B is correct because AWS Database Migration Service (DMS) supports both full load and change data capture (CDC): the full load copies the existing 6 TB, and CDC then replicates the ongoing changes until cutover, which minimizes downtime. Deploying the DMS replication instance in a private subnet with VPC endpoints, and reaching the on-premises source over the Direct Connect private VIF, keeps data transmission off the public internet. Encryption at rest (AWS KMS customer-managed keys) and in transit (TLS on both DMS endpoints) meets the security requirements.

Other options are incorrect because:
- A and C rely on one-time backups/restores, causing downtime and lacking CDC for ongoing changes.
- D introduces unnecessary complexity with FSx for Lustre and does not handle continuous updates efficiently.

Key points: Use DMS for minimal downtime migrations with CDC; leverage private connectivity (Direct Connect/VPC endpoints) and encryption (KMS/TLS) for security.
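As an added illustration (not part of the question bank), the following Python assembles the boto3-shaped parameter sets for the option B design and checks them against the question's requirements before any API call would be made; the subnet group, security group, hosts and ARNs are constructed placeholders and nothing is sent to AWS:

```python
"""Added example, not part of the question bank: build the boto3 parameter
sets for the option B design (DMS full load + CDC, private subnet, KMS, TLS)
and verify them against the stated requirements. All ids, hosts and ARNs are
constructed placeholders; no AWS call is made."""

def endpoint(ident, kind, engine, host, cert_arn, kms_arn):
    # Shape of dms.create_endpoint; verify-full checks the server certificate
    return {"EndpointIdentifier": ident, "EndpointType": kind, "EngineName": engine,
            "ServerName": host, "Port": 5432, "SslMode": "verify-full",
            "CertificateArn": cert_arn, "KmsKeyId": kms_arn}

def build_dms_plan(subnet_group, sg_id, kms_arn, src_host, dst_host, cert_arn):
    return {
        "replication_instance": {            # dms.create_replication_instance
            "ReplicationInstanceIdentifier": "pg-migration",
            "ReplicationInstanceClass": "dms.r5.xlarge",
            "PubliclyAccessible": False,     # private subnet, no public IP
            "ReplicationSubnetGroupIdentifier": subnet_group,
            "VpcSecurityGroupIds": [sg_id],
            "KmsKeyId": kms_arn,             # customer-managed key for storage at rest
        },
        # the on-prem source is reached over the Direct Connect private VIF
        "source": endpoint("onprem-pg", "source", "postgres", src_host, cert_arn, kms_arn),
        "target": endpoint("aurora-pg", "target", "aurora-postgresql", dst_host, cert_arn, kms_arn),
        "task": {                            # dms.create_replication_task
            "ReplicationTaskIdentifier": "pg-full-load-cdc",
            "MigrationType": "full-load-and-cdc",  # bulk copy, then stream ongoing changes
        },
    }

def check_requirements(plan):
    """Return the list of requirement violations (empty when the plan complies)."""
    violations = []
    inst = plan["replication_instance"]
    if inst.get("PubliclyAccessible", True):
        violations.append("replication instance must not be publicly accessible")
    if not inst.get("KmsKeyId"):
        violations.append("replication instance storage must be encrypted with a KMS key")
    for name in ("source", "target"):
        ep = plan[name]
        if ep.get("SslMode", "none") == "none":
            violations.append(f"{name} endpoint must require TLS (SslMode != none)")
        elif ep["SslMode"].startswith("verify") and not ep.get("CertificateArn"):
            violations.append(f"{name} endpoint needs a CA certificate for verification")
    if plan["task"].get("MigrationType") != "full-load-and-cdc":
        violations.append("task must use full-load-and-cdc to replicate ongoing updates")
    return violations
```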

Answer

The correct answer is: B