AWS Certified Database – Specialty — Question 347
An ecommerce company is running AWS Database Migration Service (AWS DMS) to replicate an on-premises Microsoft SQL Server database to Amazon RDS for SQL Server. The company has set up an AWS Direct Connect connection from its on-premises data center to AWS. During the migration, the company's security team receives an alarm that is related to the migration. The security team mandates that the DMS replication instance must not be accessible from public IP addresses.
What should a database specialist do to meet this requirement?
Answer options
- A. Set up a VPN connection to encrypt the traffic over the Direct Connect connection.
- B. Modify the DMS replication instance by disabling the publicly accessible option.
- C. Delete the DMS replication instance. Recreate the DMS replication instance with the publicly accessible option disabled.
- D. Create a new replication VPC subnet group with private subnets. Modify the DMS replication instance by selecting the newly created VPC subnet group.
Correct answer: C
Explanation
The publicly accessible setting of an AWS DMS replication instance is fixed at creation time. The ModifyReplicationInstance API (aws dms modify-replication-instance) can change the instance class, allocated storage, Multi-AZ, engine version, VPC security groups and maintenance window, but it accepts neither PubliclyAccessible nor a replication subnet group, so options B and D cannot be carried out on the existing instance. The only way to remove the public IP address is to delete the instance and create a new one with the publicly accessible option disabled (option C); the public IP is released with the deleted instance. Option A addresses a different property: a VPN over Direct Connect encrypts the replication traffic in transit but leaves the instance's public IP address, and therefore its reachability from the internet, unchanged. When the replacement instance is created, put it in a replication subnet group made of private subnets and attach a security group that allows only the SQL Server port to the source and target; it reaches the on-premises database over Direct Connect through the VPC's route to the virtual private gateway or transit gateway, so no public path is required.
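The audit and the delete-and-recreate steps, as an added Python example that is not part of the exam page and not AWS tooling. It works on a constructed DescribeReplicationInstances-style response so it runs offline; the identifiers, ARNs, subnet group and security group IDs are invented, and the `-private` suffix chosen for the replacement instance is an assumption.

```python
"""Audit AWS DMS replication instances for public exposure and build the
delete/recreate commands. Added example, not code from the exam page or from AWS;
it runs offline on a constructed DescribeReplicationInstances-style response."""
import shlex

# Constructed sample response (field names follow the DescribeReplicationInstances
# API; identifiers, ARNs, subnet group and security group IDs are invented).
SAMPLE_RESPONSE = {
    "ReplicationInstances": [
        {
            "ReplicationInstanceIdentifier": "sqlserver-migration",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:SQLSERVERMIGRATION",
            "ReplicationInstanceClass": "dms.r5.large",
            "AllocatedStorage": 100,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0"}],
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private-subnets"},
            "MultiAZ": False,
            "EngineVersion": "3.5.2",
            "PubliclyAccessible": True,          # created with the console default
            "ReplicationInstancePublicIpAddress": "203.0.113.10",
            "ReplicationInstancePrivateIpAddress": "10.0.1.25",
        },
        {
            "ReplicationInstanceIdentifier": "oracle-migration",
            "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:ORACLEMIGRATION",
            "ReplicationInstanceClass": "dms.t3.medium",
            "AllocatedStorage": 50,
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0"}],
            "ReplicationSubnetGroup": {"ReplicationSubnetGroupIdentifier": "dms-private-subnets"},
            "MultiAZ": True,
            "EngineVersion": "3.5.2",
            "PubliclyAccessible": False,
            "ReplicationInstancePrivateIpAddress": "10.0.2.40",
        },
    ]
}


def is_public(inst):
    """Flag the instance if the creation-time option is set or a public IP was assigned."""
    return bool(inst.get("PubliclyAccessible")) or bool(inst.get("ReplicationInstancePublicIpAddress"))


def audit_public_instances(response):
    """Identifiers of every replication instance that is reachable from public IPs."""
    return [i["ReplicationInstanceIdentifier"]
            for i in response.get("ReplicationInstances", []) if is_public(i)]


def delete_command(inst):
    """argv for removing the exposed instance (its public IP is released with it)."""
    return ["aws", "dms", "delete-replication-instance",
            "--replication-instance-arn", inst["ReplicationInstanceArn"]]


def recreate_command(inst, new_identifier):
    """argv that recreates the instance with the same class, storage, subnet group,
    engine version, Multi-AZ and security groups, but with public access disabled.
    ModifyReplicationInstance accepts neither PubliclyAccessible nor a subnet group,
    which is why a new instance is needed rather than a modify call."""
    argv = [
        "aws", "dms", "create-replication-instance",
        "--replication-instance-identifier", new_identifier,
        "--replication-instance-class", inst["ReplicationInstanceClass"],
        "--allocated-storage", str(inst["AllocatedStorage"]),
        "--replication-subnet-group-identifier",
        inst["ReplicationSubnetGroup"]["ReplicationSubnetGroupIdentifier"],
        "--engine-version", inst["EngineVersion"],
        "--multi-az" if inst.get("MultiAZ") else "--no-multi-az",
        "--no-publicly-accessible",
    ]
    sg_ids = [g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])]
    if sg_ids:
        argv += ["--vpc-security-group-ids", *sg_ids]
    if inst.get("KmsKeyId"):
        argv += ["--kms-key-id", inst["KmsKeyId"]]
    return argv


def remediation_plan(response, suffix="-private"):
    """{old identifier: [recreate command, delete command]} for each exposed instance.
    The new identifier is the old one plus suffix (an assumption; it only has to
    differ from the old identifier while both instances exist)."""
    plan = {}
    for inst in response.get("ReplicationInstances", []):
        if is_public(inst):
            name = inst["ReplicationInstanceIdentifier"]
            plan[name] = [shlex.join(recreate_command(inst, name + suffix)),
                          shlex.join(delete_command(inst))]
    return plan


if __name__ == "__main__":
    for name, cmds in remediation_plan(SAMPLE_RESPONSE).items():
        print(f"# {name} is publicly accessible; replace it with:")
        print("\n".join(cmds))
```

In practice the replacement is created first, the running tasks are moved to it with `aws dms move-replication-task --replication-task-arn ... --target-replication-instance-arn ...`, and the exposed instance is deleted last, which keeps the migration running. The same `PubliclyAccessible` check is what the AWS Config managed rule `dms-replication-not-public` and Security Hub control DMS.1 evaluate, so an alarm from either of those is the expected signal for this misconfiguration.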