migrationSAA-C03SAP-C02DEA-C01DOP-C02SCS-C02+1 more

AWS DMS: The Database Migration Maestro

Migrate databases to AWS with minimal downtime — homogeneous or heterogeneous, on-premises or cloud-to-cloud.

Updated 2026-02-22

Overview

AWS Database Migration Service (DMS) enables fast, secure, and reliable migration of relational databases, data warehouses, NoSQL databases, and other data stores to AWS. It supports both homogeneous migrations (e.g., Oracle to Oracle) and heterogeneous migrations (e.g., Oracle to Aurora PostgreSQL), with continuous data replication to minimize downtime. DMS keeps the source database fully operational during migration, making it ideal for production workloads that cannot afford extended maintenance windows.

Continuously replicate and migrate database workloads to AWS with minimal disruption to production systems, supporting one-time full loads, ongoing CDC (Change Data Capture), or both simultaneously.

Use When

Migrating on-premises relational databases (Oracle, SQL Server, MySQL, PostgreSQL) to AWS-managed services like RDS or Aurora with minimal downtime using CDC.
Heterogeneous schema conversion migrations where source and target engines differ (e.g., Oracle to Aurora PostgreSQL) — used alongside AWS SCT for schema conversion.
Continuous database replication for disaster recovery, cross-region replication, or keeping a dev/test environment in sync with production.
Migrating data warehouses to Amazon Redshift from sources like Teradata, Oracle, or SQL Server, optionally using S3 as an intermediate staging area.
Streaming database changes into Amazon Kinesis Data Streams or Amazon Kafka (MSK) for real-time event-driven architectures using DMS as a CDC source.

Avoid When

When migrating entire server workloads (OS, applications, middleware) — use AWS Application Migration Service (MGN) instead; DMS is database-layer only.
When the source database schema is highly complex and requires significant transformation logic beyond column mapping — AWS Glue ETL or custom ETL pipelines may be more appropriate for heavy transformation workloads.
When you need to migrate unstructured file data or object storage — use AWS DataSync or S3 Transfer Acceleration instead; DMS is not designed for file-based migrations.
When the total migration is a one-time bulk export/import of a small, static dataset with no ongoing replication need — native database export/import tools (pg_dump, mysqldump, RMAN) may be simpler and cheaper.

Key Features

Full Load Migration

Migrates all existing data from source to target in bulk. Can run standalone or combined with CDC.

Change Data Capture (CDC)

Continuously replicates ongoing changes after full load using transaction logs. Enables near-zero downtime cutover.

Full Load + CDC (combined mode)

Most common production migration pattern: full load first, then CDC to keep target in sync until cutover.

Multi-AZ Replication Instance

Provisions a standby replica in a different AZ for automatic failover. Adds cost but recommended for production migrations.

DMS Serverless

Auto-scales capacity (DCUs) based on workload. No replication instance management. Ideal for variable or unpredictable workloads.

Encryption at Rest (replication instance storage)

Uses AWS KMS to encrypt replication instance storage. Enabled at instance creation — cannot be changed post-creation.

Encryption in Transit (SSL/TLS)

Supports SSL between DMS and source/target endpoints. Certificate management is the customer's responsibility for custom CAs.

AWS Secrets Manager integration

DMS can retrieve endpoint credentials from Secrets Manager instead of storing them in plaintext in the DMS endpoint configuration.

AWS KMS integration

KMS CMKs used for encrypting replication instance storage and DMS task logs. Supports both AWS-managed and customer-managed keys.

CloudWatch Metrics & Alarms

DMS publishes task-level metrics (CDCLatencySource, CDCLatencyTarget, FullLoadThroughputRowsSource) to CloudWatch for monitoring.

CloudTrail Logging

All DMS API calls (CreateReplicationTask, StartReplicationTask, etc.) are logged in CloudTrail for audit and governance.

Event Notifications (SNS)

DMS can send event notifications to SNS topics for task state changes, instance events, and endpoint test failures.

DMS Fleet Advisor

Discovers on-premises database inventory and recommends migration targets. Integrates with DMS Schema Conversion for assessment.

Table Mapping & Transformation Rules

JSON-based rules to filter tables, rename schemas/tables/columns, add columns, or convert data types during migration.

LOB (Large Object) Support

Three modes: Limited LOB (truncate to max size), Full LOB (complete, slower), Inline LOB (optimized for small LOBs).

Homogeneous Migration Support

MySQL to RDS MySQL, Oracle to RDS Oracle, etc. Schema conversion not required — DMS handles data movement directly.

Heterogeneous Migration Support

Requires AWS SCT for schema/code conversion. DMS handles the data movement after schema is converted.

VPC Endpoint Support (DMS Serverless)

DMS Serverless requires VPC endpoints for private connectivity to AWS services. Internet Gateway is NOT supported for DMS Serverless.

Data Validation

DMS can validate that data was migrated accurately by comparing source and target row counts and checksums. Adds overhead but critical for compliance migrations.

Premigration Assessment

Runs automated checks before migration to identify potential issues (unsupported data types, missing permissions, etc.).

Integration Patterns

Heterogeneous Database Migration

high freq

AWS DMSAWS SCT

AWS SCT converts the source schema (DDL, stored procedures, views, triggers) to the target engine's syntax. DMS then handles the actual data migration (full load + CDC). SCT is run first, DMS second. SCT is a client-side tool — it runs on your workstation or EC2 instance, not as a managed service.

Encryption of Replication Instance Storage and Task Logs

high freq

AWS DMSAWS KMS

KMS CMKs (customer-managed keys) encrypt data at rest on the DMS replication instance storage and DMS task logs. The key must be specified at replication instance creation — it cannot be changed after creation. For compliance-sensitive migrations, always use a customer-managed KMS key rather than the AWS-managed DMS key.

Secure Endpoint Credential Management

high freq

AWS DMSAWS Secrets Manager

Instead of embedding database usernames and passwords directly in DMS endpoint configurations (which stores them encrypted in DMS metadata), DMS can reference a Secrets Manager secret ARN. DMS retrieves credentials dynamically at runtime. This supports automatic secret rotation without updating DMS endpoint configurations manually.

Migration Audit and Compliance Logging

high freq

AWS DMSAWS CloudTrail

All DMS control-plane API calls (creating tasks, modifying endpoints, starting/stopping tasks) are captured in CloudTrail. For regulated industries (HIPAA, PCI-DSS), CloudTrail provides the audit trail of who initiated migrations, when, and with what parameters. CloudTrail does NOT log the actual data being migrated — only the API actions.

Private Network Migration (DMS Serverless)

high freq

AWS DMSAmazon VPCAWS PrivateLink

DMS Serverless has no public IP and must communicate with source and target endpoints through private network paths. VPC endpoints (Interface Endpoints via PrivateLink) are required for DMS Serverless to reach AWS services like Secrets Manager, KMS, S3, and CloudWatch without traversing the public internet. An Internet Gateway alone is NOT sufficient.

Real-Time CDC Streaming to Downstream Consumers

medium freq

AWS DMSAmazon Kinesis Data Streams

DMS can use Kinesis Data Streams as a target endpoint, streaming database change events (inserts, updates, deletes) in near-real-time. Downstream consumers (Lambda, Kinesis Data Analytics, Kinesis Firehose) process the change stream for use cases like real-time analytics, cache invalidation, or event-driven microservices.

S3 as Migration Staging and Data Lake Target

medium freq

AWS DMSAmazon S3

DMS can write migrated data to S3 in CSV or Parquet format. This is used as a staging area before loading into Redshift (via COPY command), as a data lake target, or for archival of database snapshots. S3 can also be a DMS SOURCE for loading flat-file data into relational databases.

Data Warehouse Migration

medium freq

AWS DMSAmazon Redshift

DMS migrates OLTP data or entire data warehouse schemas to Amazon Redshift. DMS uses S3 as an intermediate staging area when writing to Redshift (data is staged in S3, then bulk-loaded via COPY). AWS SCT handles the DDL conversion from source warehouse schemas (Teradata, Oracle DW, SQL Server) to Redshift-compatible SQL.

Event-Driven Migration Orchestration

medium freq

AWS DMSAWS Lambda

Lambda functions triggered by DMS SNS event notifications can automate migration workflows: automatically starting CDC after full load completes, sending Slack/PagerDuty alerts on task failure, triggering post-migration validation scripts, or updating DNS/connection strings after cutover.

Service Limits & Quotas

LimitValueNote

Replication instance storage (minimum)

50 GB GB

Candidates confuse replication instance storage with the target database storage — these are independent. The replication instance needs storage for cached transactions, not the full dataset.

Maximum LOB (Large Object) size supported

Configurable; unlimited LOB mode supported but impacts performance

Many candidates assume DMS cannot handle LOBs at all — it can, but performance degrades significantly in Full LOB mode.

Number of tasks per replication instance

No hard documented limit per instance, but practical limit based on instance class vCPUs and memory

There is no single published numeric limit per instance in current docs — exam questions focus on the architectural pattern of scaling out instances, not a specific number.

DMS Serverless — Maximum DCUs (DMS Capacity Units)

Up to 128 DCUs maximum per serverless replication DCUs

DMS Serverless DCUs are different from traditional replication instance classes (dms.t3.medium, dms.r5.large, etc.). Do not conflate the two sizing models.

Supported source endpoints

Oracle, SQL Server, MySQL, MariaDB, PostgreSQL, SAP ASE, MongoDB, Amazon Aurora, Amazon S3, IBM Db2, Azure SQL, Google Cloud SQL, and more

DynamoDB is a TARGET only in DMS — it cannot be used as a DMS source endpoint. This is a frequent exam trap.

Supported target endpoints

Amazon RDS, Aurora, Redshift, DynamoDB, S3, OpenSearch, Kinesis Data Streams, MSK (Kafka), Neptune, DocumentDB, and more

OpenSearch (Elasticsearch) is a DMS target — useful for search use cases. Candidates often forget non-relational targets like Neptune and OpenSearch are supported.

Multi-AZ replication instance failover time

Typically within seconds to a few minutes (automatic failover to standby)

Multi-AZ for DMS replication instances is NOT the same as Multi-AZ for RDS. The DMS standby does not serve read traffic — it is purely for HA failover.

DMS Schema Conversion (built-in) vs AWS SCT

DMS now includes built-in schema conversion for common migrations; AWS SCT is a separate downloadable tool for complex heterogeneous conversions

AWS re:Invent 2022+ introduced DMS Fleet Advisor and built-in schema conversion — do not assume AWS SCT is always required for every heterogeneous migration in newer exam versions.

CDC (Change Data Capture) log retention requirement

Source database must retain transaction logs long enough for DMS to read them; minimum recommended is 24 hours for most engines

For Oracle sources, Supplemental Logging must be enabled. For SQL Server, MS-CDC or MS-Replication must be enabled. Missing these prerequisites is a common real-world and exam failure point.

DMS Serverless — private connectivity

DMS Serverless does NOT have a public IP address; requires VPC endpoints or AWS PrivateLink for private connectivity

Standard DMS replication instances CAN be deployed in a public subnet with a public IP. DMS Serverless CANNOT. This distinction is heavily tested.

Pricing Model

Pay-per-use based on replication instance hours (standard) or DCU-hours (serverless) plus storage and data transfer costs.

Standard DMS: Billed per replication instance hour based on instance class (e.g., dms.t3.medium, dms.r5.large). Multi-AZ doubles the instance cost.
DMS Serverless: Billed per DCU-hour consumed (auto-scaled). You pay only for actual capacity used — no idle instance costs.
Replication instance storage: Billed per GB-month for the allocated storage on the replication instance (minimum 50 GB).
Data transfer: Standard AWS data transfer charges apply for data leaving a region. Intra-region data transfer between DMS and target (e.g., RDS in same region) is typically free.
AWS SCT is a FREE downloadable tool — no additional charge for schema conversion assessment or conversion itself.
DMS Fleet Advisor: No additional charge — included with DMS. Costs are for the DMS infrastructure used during discovery.
Free Tier: DMS replication instances of type dms.t2.micro or dms.t3.micro are included in the AWS Free Tier for 750 hours/month for the first 12 months.
Data validation adds compute overhead on the replication instance — factor this into instance sizing and cost estimates.

Exam Tips

criticalEncryption at rest vs. in transit, KMS integration

DMS encrypts data at rest (replication instance storage) AND in transit (SSL/TLS to endpoints). Both must be explicitly configured — neither is on by default for all scenarios. Exam questions that say 'DMS only encrypts data in transit' are WRONG.

criticalDMS Serverless networking, VPC endpoints, PrivateLink

DMS Serverless does NOT have a public IP address. It operates entirely within your VPC. To connect DMS Serverless to AWS services (KMS, Secrets Manager, S3), you MUST use VPC Interface Endpoints (PrivateLink). An Internet Gateway cannot substitute — this is a top exam trap.

criticalHeterogeneous migration, AWS SCT vs DMS roles

For heterogeneous migrations (different source and target database engines), the workflow is ALWAYS: (1) Use AWS SCT to convert schema/code objects, (2) Apply converted schema to target, (3) Use DMS to migrate data (full load + CDC). SCT handles schema; DMS handles data. Never use DMS alone for heterogeneous schema conversion.

criticalDMS supported source endpoints

DynamoDB can ONLY be a TARGET in DMS — it is NOT a supported source endpoint. If an exam question asks about migrating FROM DynamoDB to another database using DMS, that is incorrect. Use DynamoDB Streams + Lambda or AWS Glue for DynamoDB-as-source scenarios.

criticalKMS, replication instance encryption immutability

KMS encryption on a DMS replication instance is set at CREATION TIME and cannot be modified afterward. If you need to change the KMS key, you must create a new replication instance. This matters for compliance scenarios where you need to switch from an AWS-managed key to a customer-managed key.

critical

DMS encrypts BOTH at rest (KMS on replication instance storage + logs) AND in transit (SSL/TLS). Neither is automatic for all scenarios — both must be explicitly configured. 'DMS only encrypts in transit' is always WRONG.

critical

DMS Serverless has NO public IP — requires VPC Interface Endpoints (PrivateLink) for connectivity to AWS services. An Internet Gateway CANNOT substitute. Standard DMS instances CAN use public IPs. Know the difference.

critical

Heterogeneous migrations REQUIRE AWS SCT for schema conversion FIRST, then DMS for data migration. DMS alone cannot convert Oracle PL/SQL to PostgreSQL. SCT is FREE. Order: SCT converts schema → DMS moves data.

importantCloudTrail, DMS audit logging

CloudTrail logs DMS API ACTIONS (control plane), NOT the actual data being migrated (data plane). For data-level auditing of what records changed, use DMS task logs in CloudWatch or enable data validation. This distinction appears in security and compliance exam questions.

importantCDC prerequisites, transaction log requirements

For CDC to work, the source database must have transaction logging enabled with sufficient retention: Oracle needs Supplemental Logging (ALL COLUMNS recommended), SQL Server needs MS-CDC or MS-Replication enabled, MySQL/Aurora MySQL needs binary logging (binlog_format=ROW). Missing these prerequisites causes CDC task failures.

importantMulti-AZ, high availability vs. read scaling

Multi-AZ DMS replication instances provide HIGH AVAILABILITY (failover), NOT read scaling. The standby instance is passive and does not process tasks — it only takes over if the primary fails. Do not confuse with RDS Multi-AZ or Aurora read replicas.

importantAWS SCT pricing, migration assessment

AWS SCT is a FREE downloadable desktop/EC2 application — it is NOT a managed AWS service and has NO per-use charge. It generates a database migration assessment report showing the percentage of code that can be auto-converted vs. requires manual effort. This report is a key input for migration planning questions.

importantCDC streaming, Kinesis, MSK, event-driven architecture

DMS can write CDC events to Amazon Kinesis Data Streams or Amazon MSK (Kafka) as targets. This enables real-time event streaming from relational databases without application changes — a key pattern for modernization questions on SAP-C02 and DEA-C01.

importantSecrets Manager, credential rotation, endpoint security

DMS Secrets Manager integration allows endpoint credentials to be stored and rotated in Secrets Manager without updating DMS endpoint configurations. The DMS IAM role must have secretsmanager:GetSecretValue permission. This is the recommended approach for production migrations where credentials rotate regularly.

Good to KnowRedshift migration, S3 staging, IAM permissions

When migrating to Amazon Redshift, DMS uses Amazon S3 as an intermediate staging area automatically. Data is written to S3 first, then bulk-loaded into Redshift using the COPY command. This is done internally by DMS — you do not need to manage this manually, but you DO need to ensure the DMS replication instance has IAM permissions to write to the staging S3 bucket.

Common Misconceptions & Traps

Common Mistake

DMS only encrypts data in transit (SSL/TLS) — data at rest on the replication instance is not encrypted.

Correct

DMS supports BOTH encryption in transit (SSL/TLS between DMS and endpoints) AND encryption at rest (KMS encryption of replication instance storage and task logs). Both must be explicitly configured. Encryption at rest is set at replication instance creation using a KMS key and cannot be changed afterward.

This is the #1 DMS security misconception on exams. Questions about DMS encryption compliance will specifically test whether you know both layers exist. Remember: DMS has TWO encryption surfaces — the wire (SSL) and the disk (KMS). Compliance scenarios requiring encryption at rest must use a KMS-encrypted replication instance.

Common Mistake

DMS Serverless has a public IP address just like standard DMS replication instances, so you can use an Internet Gateway for connectivity.

Correct

DMS Serverless operates entirely within your VPC and has NO public IP address. It cannot use an Internet Gateway for outbound connectivity to AWS services. You MUST configure VPC Interface Endpoints (AWS PrivateLink) for DMS Serverless to reach services like Secrets Manager, KMS, S3, and CloudWatch Logs. Standard DMS replication instances CAN have public IPs when deployed in public subnets — DMS Serverless cannot.

This distinction is specifically called out in exam question banks. The trap is assuming DMS Serverless behaves like standard DMS for networking. Remember: Serverless = VPC-only, no public IP, VPC endpoints required. Standard = can be public or private subnet.

Common Mistake

AWS DMS handles both schema conversion AND data migration for heterogeneous migrations (e.g., Oracle to Aurora PostgreSQL).

Correct

DMS handles DATA migration only. For heterogeneous migrations, AWS Schema Conversion Tool (SCT) is required to convert the database schema, stored procedures, functions, triggers, and views from the source engine's syntax to the target engine's syntax. The correct order is: SCT converts schema → Apply converted schema to target → DMS migrates data (full load + CDC).

This misconception causes candidates to select DMS-only answers for heterogeneous migration scenarios. The key differentiator: if the question mentions different source and target database engines AND asks about schema/code conversion, SCT is required. DMS alone cannot convert Oracle PL/SQL to PostgreSQL PL/pgSQL.

Common Mistake

DMS task logs and metadata are NOT encrypted — only the data being migrated is encrypted.

Correct

DMS task logs (stored on the replication instance and optionally in CloudWatch Logs) ARE encrypted using KMS when the replication instance has encryption at rest enabled. The KMS key specified at replication instance creation encrypts ALL data on that instance's storage, including task logs, cached transactions, and intermediate data — not just the migrated data.

Exam questions specifically test whether candidates know that DMS KMS encryption covers logs and metadata, not just the migrated data payload. This matters for compliance frameworks that require encryption of all data at rest, including operational logs.

Common Mistake

You can use DMS to migrate FROM DynamoDB to a relational database.

Correct

DynamoDB is a SUPPORTED TARGET in DMS but is NOT a supported source endpoint. You cannot use DMS to read change data from DynamoDB. For DynamoDB-as-source scenarios, use DynamoDB Streams combined with AWS Lambda or AWS Glue to export and transform data.

This is a classic endpoint confusion trap. DMS supports many sources and targets, but they are NOT symmetric — not every target can be a source and vice versa. Always verify directionality: DynamoDB = target only, S3 = both source and target, Kinesis = target only.

Common Mistake

Server-side encryption (SSE) configured on the S3 target bucket is the same as DMS encryption — enabling SSE on S3 means DMS data is encrypted.

Correct

SSE on S3 encrypts data AFTER it arrives in S3 (at the S3 layer). DMS replication instance encryption at rest (KMS) encrypts data ON THE REPLICATION INSTANCE during processing. These are separate encryption layers at different points in the data flow. For end-to-end encryption, you need: SSL in transit (DMS ↔ endpoints) + KMS on replication instance (at rest during processing) + SSE on target S3 bucket (at rest in S3).

Confusing server-side encryption with client-side/in-transit encryption is a broad AWS exam trap, and DMS questions specifically test this for migration scenarios. Remember: encryption is layered — each hop in the data flow has its own encryption consideration.

Memory Tricks

🧠

DMS = Data Moves Securely: D=Data migration, M=Minimal downtime via CDC, S=Schema conversion needs SCT (not DMS alone)

🧠

For DMS encryption, remember 'WIRE + DISK': WIRE = SSL/TLS in transit, DISK = KMS at rest on replication instance. Both are needed for full compliance.

🧠

DMS Serverless = 'No IP, No IGW, Need VPC Endpoints' — Serverless has NO public IP, so Internet Gateway won't help; you NEED VPC Interface Endpoints.

🧠

DynamoDB direction: DMS can DELIVER TO DynamoDB (target only) but cannot DRAW FROM DynamoDB (not a source). D-D = Deliver to DynamoDB.

🧠

SCT before DMS: 'Schema Converts Then Data Moves' — SCT handles schema conversion FIRST, then DMS moves the data. Never skip SCT for heterogeneous migrations.

🧠

CDC prerequisites by engine: Oracle=Supplemental Logging, SQL Server=MS-CDC, MySQL=binlog ROW format. Remember 'O-S-M' = Oracle-SQLServer-MySQL, each needs its own log config.

CertAI Tutor · SAA-C03, SAP-C02, DEA-C01, DOP-C02, SCS-C02, CLF-C02 · 2026-02-22

Ready to test your knowledge?

Practice SAA-C03, SAP-C02, DEA-C01, DOP-C02, SCS-C02, CLF-C02 exam questions with AI-powered explanations — free to start.

AWS DMS: The Database Migration Maestro

Overview

Key Features

Integration Patterns

Service Limits & Quotas

Pricing Model

Exam Tips

Common Misconceptions & Traps

Memory Tricks

Ready to test your knowledge?

Related Cheat Sheets