The requirement calls for encryption with keys the company controls. This is provided by server-side encryption that uses a customer-managed AWS KMS key (SSE-KMS with a CMK).

Step 1 – Set the bucket’s default encryption to SSE-KMS and select the company’s customer-managed CMK.

Step 2 – Add a bucket policy that denies PutObject requests lacking “x-amz-server-side-encryption":"aws:kms”.

Step 3 – Because versioning is disabled, copy (re-upload) every existing object so that S3 writes a new object encrypted with the CMK; the original unencrypted copies are overwritten.

This ensures all present and future objects are encrypted with company-managed keys.

A. SSE-S3 always uses Amazon-managed keys; customers cannot supply their own, so it fails the “company-managed key” requirement.

C. A bucket policy cannot “automatically encrypt” objects on GetObject; it can only enforce PutObject conditions. Existing objects remain with SSE-S3.

D. “AES-256 with a customer managed key” does not exist; AES-256 designates SSE-S3, which again uses Amazon-managed keys.

1. Amazon S3 User Guide – “Using server-side encryption with AWS Key Management Service (SSE-KMS)” (Section: Specifying a customer managed key) – https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

2. Amazon S3 User Guide – “Copying objects” (Section: Changing encryption of existing objects) – https://docs.aws.amazon.com/AmazonS3/latest/userguide/CopyingObjectUsingCLI.html

3. AWS KMS Developer Guide – “Customer managed keys” (Para 1) – https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

4. Amazon S3 Bucket Policy Examples – “Deny unencrypted object uploads” – https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html#bucket-encryption-enforcing

The core requirement is to encrypt data in one AWS Region and decrypt it in another using the same logical key. AWS KMS multi-Region keys are designed for this exact purpose. A multi-Region primary key is created in one Region, and replica keys are created in other Regions. These keys are interoperable because they share the same underlying key material and key ID. An application in any of these Regions can use its local replica key (via the regional KMS endpoint) to encrypt or decrypt data, ensuring low latency and high availability while maintaining a consistent encryption standard across Regions for the replicated S3 data.

B: Creating new, independent customer-managed KMS keys in each Region would result in keys with different key material, making it impossible to decrypt data in one Region that was encrypted in another.

C: AWS Private CA is used for creating and managing private X.509 certificates, primarily for securing network communications (TLS) or authenticating entities, not for encrypting application data at rest.

D: Exporting the key material from an AWS-generated KMS key is not a supported feature. This is a fundamental security design of AWS KMS to ensure the key material never leaves the FIPS-validated hardware security modules (HSMs).

1. AWS KMS Developer Guide

"Multi-Region keys in AWS KMS": "Multi-Region keys are AWS KMS keys in different AWS Regions that can be used interchangeably to encrypt and decrypt data in any of these Regions... Each set of related multi-Region keys has the same key ID and key material." This directly supports the functionality described in option A.

2. AWS KMS Developer Guide

"How multi-Region keys work": "Because related multi-Region keys have the same key material

data encrypted with a multi-Region key in one AWS Region can be decrypted with a related multi-Region key in a different AWS Region." This confirms the interoperability required by the question.

3. AWS KMS Developer Guide

"Importing key material in AWS KMS": This section details the process for using your own key material (BYOK). It implicitly confirms that you cannot export AWS-generated key material. The documentation states

"When you use a KMS key with imported key material

you remain responsible for the key material

" which is not the case for standard KMS keys where AWS manages the material securely.

4. AWS Private Certificate Authority User Guide

"What is AWS Private Certificate Authority?": "AWS Private Certificate Authority (AWS Private CA) is a managed private CA service that helps you easily and securely manage the lifecycle of your private certificates." This defines the service's purpose

which is distinct from encrypting data at rest.

The core requirements are low-latency reads and writes for users in both the US and Europe, with real-time data consistency across regions. Amazon Aurora Global Database is the only solution presented that meets these needs. It provides a primary write region and low-latency read replicas in secondary regions. The key feature is write forwarding, which allows applications in secondary regions (Europe) to issue write statements. These writes are transparently forwarded to the primary cluster (US) for execution and then replicated globally, typically in under a second. Option A correctly identifies this architecture and also details a valid, standard procedure for migrating from RDS for MySQL to Aurora with minimal downtime by creating an Aurora Read Replica and then promoting it.

B: Standard RDS for MySQL cross-Region replicas are strictly read-only. There is no native feature to replicate write queries back to the primary, which would create an unsupported and problematic configuration.

C: "Write forwarding" is a feature exclusive to Amazon Aurora, not RDS for MySQL. Additionally, managing bi-directional logical replication between standard RDS instances is complex and not a managed AWS feature.

D: While this option correctly identifies the target architecture (Aurora Global Database), it is less precise than option A. Option A provides a complete solution by including the specific, valid migration steps required to transition from the current state.

1. Amazon Aurora User Guide - Using Amazon Aurora global databases: "An Aurora global database consists of one primary AWS Region where your data is mastered

and up to five read-only

secondary AWS Regions. ... You can use write forwarding to issue write operations from secondary AWS Regions. With write forwarding

write operations issued from reader DB instances in a secondary AWS Region are forwarded to the writer DB instance in the primary AWS Region." (Section: "Using write forwarding in an Amazon Aurora global database")

2. Amazon Aurora User Guide - Migrating data to an Amazon Aurora DB cluster: "To migrate data from an RDS for MySQL DB instance to an Amazon Aurora MySQL DB cluster with minimal downtime

you can create an Aurora Read Replica of your RDS for MySQL DB instance. ... When the replica lag between the RDS for MySQL DB instance and the Aurora Read Replica is zero

you can promote the Aurora Read Replica..." (Section: "Migrating data from an RDS for MySQL DB instance to an Amazon Aurora MySQL DB cluster"

Subsection: "Migrating from an RDS for MySQL DB instance by creating an Aurora Read Replica")

3. AWS Documentation - Working with read replicas for Amazon RDS for MySQL: "You can create a read replica in a different AWS Region from the source DB instance. This is called a cross-Region read replica. ... Cross-Region read replicas are read-only..." (Section: "Cross-Region read replica limitations for MySQL")

This solution provides a well-architected approach for a heterogeneous database migration from Oracle to a managed AWS service. It correctly identifies the use of the AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS) for this purpose. Amazon RDS for PostgreSQL supports the PostGIS extension, which provides native spatial data capabilities, meeting a key requirement. Most importantly, it addresses the need to query on-premises data as a foreign table by using AWS Direct Connect to establish a dedicated, private network connection, over which PostgreSQL's Foreign Data Wrappers (FDW) can securely connect to the on-premises Oracle database.

A. Amazon DynamoDB is a NoSQL database, which is an unsuitable target for a relational Oracle database without a major application rewrite. Amazon API Gateway does not provide foreign table support.

B. AWS Glue crawlers are used to discover data and populate the AWS Glue Data Catalog; they do not enable live foreign table queries from an RDS instance.

C. An internet gateway provides public internet access. It is not the appropriate or secure method for establishing a private, persistent connection to an on-premises database for foreign table queries.

1. AWS DMS and SCT for Oracle to PostgreSQL Migration: AWS Documentation

"AWS Schema Conversion Tool User Guide

" section "Converting Oracle Schemas to PostgreSQL." This guide details using SCT to convert the source Oracle schema and code to a format compatible with PostgreSQL

and then using DMS to migrate the data.

2. Spatial Data Support in RDS for PostgreSQL: AWS Documentation

"Amazon RDS for PostgreSQL

" section "Working with PostgreSQL extensions

" subsection "PostGIS." This document confirms that the PostGIS extension is supported on RDS for PostgreSQL to "add support for geographic objects."

3. Hybrid Connectivity with Direct Connect: AWS Documentation

"AWS Direct Connect User Guide

" section "What is AWS Direct Connect?." It states

"AWS Direct Connect creates a dedicated private connection between your data center...and AWS. This can reduce network costs

increase bandwidth throughput

and provide a more consistent network experience than internet-based connections." This is the required connectivity for stable foreign table access.

4. PostgreSQL Foreign Data Wrappers: The official PostgreSQL documentation (Version 14

Section 37.3

"Writing a Foreign Data Wrapper") describes the FDW feature. The oraclefdw extension allows a PostgreSQL database to connect to and query a remote Oracle database as if it were a local table

which directly fulfills the requirement. This connection would be established over the Direct Connect link.

To automatically decrypt PGP-encrypted files upon upload, the AWS Transfer Family managed workflow requires the corresponding PGP private key. This sensitive key must be stored securely in AWS Secrets Manager. The decryption process is a standard, successful operation within the data pipeline, and therefore must be configured as a "nominal step" in the workflow. An exception-handling step is reserved for error conditions. This nominal step is then configured with the necessary PGP decryption parameters, referencing the private key stored in Secrets Manager. Finally, associating the workflow with the Transfer Family server ensures it is automatically triggered for every file successfully uploaded.

A. Decryption requires the private key, not the public key. The step must also be configured for decryption, not encryption.

B. Decryption is a standard operation (nominal step), not an error condition (exception-handling step), and the step must be configured for decryption.

D. This option is incorrect because it uses the wrong key (public instead of private) and the wrong step type (exception-handling instead of nominal).

1. AWS Transfer Family User Guide

"Create a workflow to decrypt files": This guide outlines the exact procedure. Step 1 explicitly states

"Store your PGP private key in AWS Secrets Manager." Step 3 details creating a workflow with a decryption step

which is a nominal (standard) step. Step 4 describes associating the workflow with the server. (See section: Managed workflows > Example workflows and steps > Create a workflow to decrypt files).

2. AWS Transfer Family User Guide

"Workflow steps for AWS Transfer Family": This document describes the available workflow steps. The "Decrypt file" step is listed as a primary action. It specifies

"For PGP decryption

you must provide a private key and an optional passphrase that are stored in AWS Secrets Manager." This confirms the need for the private key and its storage location. (See section: Managed workflows > Workflow steps for AWS Transfer Family > Decrypt file).

3. AWS Transfer Family User Guide

"Getting started with AWS Transfer Family workflows": This page illustrates the workflow structure

showing that nominal steps handle the primary execution path

while exception-handling steps are for processing failures. Decryption is part of the primary path. (See section: Managed workflows > Getting started with AWS Transfer Family workflows).

This option correctly maps each security requirement to the most appropriate AWS service and its intended target. AWS WAF integrates directly with Amazon API Gateway to protect against common web exploits and DoS attacks (Layer 7). Amazon Inspector is designed to assess workloads like EC2 instances for software vulnerabilities and unintended network exposure, making it the correct choice for the legacy API host. Amazon GuardDuty is a threat detection service that continuously monitors the AWS account for malicious activity by analyzing data sources like VPC Flow Logs and AWS CloudTrail logs. This provides a comprehensive, layered security posture by applying the correct service to each part of the architecture.

A. This is incorrect because AWS WAF cannot be directly attached to a standalone EC2 instance. It requires an Application Load Balancer or Amazon CloudFront, which represents an unstated architectural change.

B. This is incorrect because Amazon Inspector is not used to analyze API Gateway directly, and Amazon GuardDuty is a detection and alerting service, not a blocking service.

D. This is incorrect because Amazon Inspector assesses vulnerabilities rather than providing active "protection" (blocking). Additionally, Amazon GuardDuty does not natively block malicious attempts.

---

1. AWS WAF with API Gateway: AWS Documentation states

"You can use AWS WAF to protect your Amazon API Gateway APIs from common web exploits

such as SQL injection and cross-site scripting (XSS) attacks."

Source: Amazon API Gateway Developer Guide

"Controlling access to an API with AWS WAF".

2. Amazon Inspector for EC2: The Amazon Inspector User Guide specifies its function: "Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure... Amazon Inspector scans Amazon EC2 instances..."

Source: Amazon Inspector User Guide

"What is Amazon Inspector?"

Introduction section.

3. Amazon GuardDuty Function: The official documentation describes GuardDuty as a monitoring and detection service: "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation." It does not block traffic itself.

Source: Amazon GuardDuty User Guide

"What is Amazon GuardDuty?"

Introduction section.

4. AWS WAF Protected Resources: The AWS WAF Developer Guide lists the resources it can protect

which include Application Load Balancer and API Gateway

but not EC2 instances directly. This supports why option A is flawed.

Source: AWS WAF Developer Guide

"How AWS WAF works"

section on "AWS resources that you can protect with AWS WAF".

This option presents a comprehensive, automated solution that directly addresses the root causes of downtime. Using AWS CloudFormation change sets allows the team to preview the impact of template modifications on existing resources before applying them, preventing unexpected changes. AWS CodeDeploy with a blue/green deployment strategy creates a new, parallel environment (green) to deploy and test the application without affecting the live production environment (blue). Traffic is only switched after successful validation. Integrating automated testing with AWS CodeBuild ensures that both infrastructure and application changes are validated systematically, catching errors early in the pipeline and significantly reducing the risk of production downtime.

A. This approach is reactive and relies on manual testing, which is slow, error-prone, and does not align with modern CI/CD best practices for preventing downtime.

C. Validating templates only checks for syntax errors, not logical issues or the operational impact of resource changes. This option still depends on inefficient manual testing.

D. While introducing a blue/green pattern is an improvement, relying on operators to manually log in and test is not a scalable, repeatable, or reliable validation method for a CI/CD pipeline.

1. AWS CloudFormation User Guide: "With change sets

you can preview how proposed changes to a stack might impact your running resources... before you implement them. Change sets allow you to see how your changes might impact your running resources

for example

if your changes will delete or replace any critical resources." (AWS CloudFormation User Guide

Section: "Updating stacks using change sets").

2. AWS CodeDeploy User Guide: "In a blue/green deployment

a new set of instances (the green fleet) is provisioned

and the new application revision is deployed to it. CodeDeploy reroutes traffic from the original environment (the blue fleet) to the green fleet... After traffic is rerouted

the instances in the blue fleet can be terminated." (AWS CodeDeploy User Guide

Section: "Overview of a blue/green deployment").

3. AWS CodePipeline User Guide: "You can add a test action that uses AWS CodeBuild... to your pipeline. A common use for a test action is to run unit tests on your source code." (AWS CodePipeline User Guide

Section: "Add a test action").

4. AWS Whitepaper - Practicing Continuous Integration and Continuous Delivery on AWS: "AWS CodeDeploy supports blue/green deployments. This deployment strategy helps you minimize downtime... You can also monitor the new application version and roll back the deployment if you encounter any issues." (AWS Whitepapers & Guides

"Practicing Continuous Integration and Continuous Delivery on AWS"

Page 21).

The most cost-effective solution is to establish five distinct inter-region VPC peering connections. Each of the five VPCs in the us-east-2 Region will be directly peered with the single VPC in the eu-west-1 Region. VPC peering is highly cost-effective as it does not incur hourly charges for the connection or data processing fees, which are characteristic of AWS Transit Gateway. The only cost associated with VPC peering is for the data transferred between the regions. This model precisely fulfills the connectivity requirements without the fixed operational costs of a more complex hub-and-spoke architecture using Transit Gateway, making it the most economical choice for this specific scenario.

A. An AWS Transit Gateway is a regional resource. It is not technically possible to attach a VPC from one region (us-east-2) directly to a Transit Gateway located in another region (eu-west-1).

B. While technically sound, this solution is not the most cost-effective. It requires two Transit Gateways and six attachments, all of which have hourly costs, in addition to data processing fees per gigabyte, making it more expensive than VPC peering.

C. A full mesh configuration is unnecessarily complex for this requirement. It would involve creating 15 peering connections, leading to significant management overhead and providing unneeded connectivity between the US-based VPCs.

1. AWS Documentation - What is VPC peering?: This document states

"A VPC peering connection is a networking connection between two VPCs... The VPCs can be in different Regions (also known as an inter-Region VPC peering connection)." It also clarifies that there are no gateway or VPN connection dependencies

highlighting its simpler cost structure.

Source: AWS VPC User Guide

"What is VPC peering?"

https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

2. AWS Transit Gateway Pricing: The official pricing page clearly shows that Transit Gateway has an hourly charge for each VPC attachment and a per-GB charge for data processing. In contrast

the Amazon VPC pricing page shows no such charges for VPC peering

only for inter-region data transfer.

Source: AWS Transit Gateway Pricing

https://aws.amazon.com/transit-gateway/pricing/

3. AWS Documentation - How transit gateways work: This document confirms the regional nature of Transit Gateways. "A transit gateway is a regional resource and can connect VPCs in the same Region." This directly invalidates option A.

Source: AWS VPC Transit Gateways Guide

"How transit gateways work"

https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

4. AWS Whitepaper - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure: This paper compares connectivity options. In the "VPC-to-VPC connectivity" section

it notes

"For a small number of VPCs

VPC peering is a very cost-effective way to provide... connectivity." This supports the choice of VPC peering as the most cost-effective solution for the scale described in the question.

Source: AWS Whitepapers & Guides

"VPC-to-VPC connectivity"

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html

This solution outlines a standard, best-practice approach for a heterogeneous, cross-account database migration with minimal downtime. First, the target database instance (RDS for PostgreSQL) is created, and its schema is prepared using the AWS Schema Conversion Tool (SCT), which is designed for heterogeneous migrations (Option A). Second, secure, private network connectivity is established between the source and target VPCs across the two AWS accounts using VPC Peering and correctly configured security groups (Option C). Finally, AWS Database Migration Service (DMS) is used with a "Full load + change data capture (CDC)" task to migrate all existing data and replicate ongoing changes, ensuring the target stays in sync. The cutover is then performed by updating the Route 53 CNAME record, achieving a near-zero downtime migration (Option E).

B: The AWS Schema Conversion Tool (SCT) does not create RDS DB instances; it converts and applies the schema to an existing target database. Data migration is the primary role of AWS DMS.

D: Making the source database publicly accessible is a significant security risk and an anti-pattern. VPC peering is the secure and recommended method for establishing private connectivity between VPCs.

F: A change data capture (CDC) only migration task is insufficient as it would not migrate the existing data. A "Full load + CDC" task is required to migrate all existing data and then replicate ongoing changes.

References:

1. AWS Database Migration Service Documentation - Best practices for AWS Database Migration Service: "For a heterogeneous migration, you first use the AWS Schema Conversion Tool (AWS SCT) to convert your source schema to the target format. After you convert your schema, you can use AWS DMS to migrate your data." This supports the sequence in options A and E.

Source: AWS Database Migration Service User Guide, "Best practices for AWS Database Migration Service," section "Heterogeneous database migration."

2. AWS Database Migration Service Documentation - Creating a task: "Full load, ongoing replication — AWS DMS first loads existing data from the source to the target. After the full load is complete, ongoing changes are replicated to the target. This process is also called change data capture (CDC)." This supports the choice of a "Full load + CDC" task in option E for minimal downtime.

Source: AWS Database Migration Service User Guide, "Working with AWS DMS tasks," section "Creating a task."

3. AWS Documentation - What is VPC peering?: "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses... You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account." This supports using VPC peering for cross-account connectivity as described in option C.

Source: Amazon VPC User Guide, "VPC peering," section "What is VPC peering?"

4. AWS Database Migration Service Documentation - Using an Amazon RDS DB instance as a source for AWS DMS: "The security group used by the source RDS DB instance must allow incoming traffic from the DMS replication instance... If the replication instance and the source database are in different VPCs, you can use VPC peering." This directly validates the networking approach in option C.

Source: AWS Database Migration Service User Guide, "Sources for data migration," section "Using an Amazon RDS DB instance as a source for AWS DMS."

This solution addresses two distinct requirements cost-effectively using a single Direct Connect connection.

First, to provide on-premises access to VPCs in multiple AWS Regions, a Direct Connect gateway is the optimal solution. It is a global resource that allows a single Direct Connect connection to be associated with Virtual Private Gateways (VGWs) in any AWS Region (except China). This avoids the high cost and complexity of provisioning separate Direct Connect connections for each Region.

Second, to provide on-premises access to AWS public services (like Amazon S3 or Amazon DynamoDB) over the private network connection, a public virtual interface (VIF) is required. A public VIF advertises AWS's public IP prefixes over the Direct Connect connection, routing traffic to these services through the private link instead of the public internet.

B: Setting up additional Direct Connect connections is significantly more expensive than using a Direct Connect gateway and is not the least-cost solution.

C: Establishing a Site-to-Site VPN over a private VIF is not a standard or valid architecture for extending connectivity to other VPCs in this context.

D: Using a VPN over a public VIF to connect to VPCs is an unnecessarily complex and less efficient method compared to a Direct Connect gateway.

F: While VPC peering connects the VPCs, routing on-premises traffic through one VPC to reach others is less efficient and scalable than using a Direct Connect gateway.

1. AWS Documentation - Direct Connect gateways: "A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any Region and access it from all other Regions. You can associate the Direct Connect gateway with a virtual private gateway for a VPC. You can then create a private virtual interface for your Direct Connect connection to the Direct Connect gateway." This supports using a DX gateway for multi-region VPC access. (Source: AWS Documentation

Direct Connect User Guide

"Direct Connect gateways").

2. AWS Documentation - Direct Connect virtual interfaces: "Public virtual interface: A public virtual interface enables you to connect to all AWS public IP addresses." This supports using a public VIF for accessing AWS public services. (Source: AWS Documentation

Direct Connect User Guide

"Direct Connect virtual interfaces").

3. AWS Documentation - Working with Direct Connect gateways: "After you create the Direct Connect gateway

you can associate it with the virtual private gateways for your VPCs... A Direct Connect gateway supports communication between its attached private virtual interfaces and associated virtual private gateways." This confirms the architecture described in option A. (Source: AWS Documentation

Direct Connect User Guide

"Working with Direct Connect gateways").