An S3 bucket stores a large number of customer data, and all the files need to be replicated in another S3 bucket owned by a different AWS account. Objects in the source S3 bucket are encrypted by a customer-managed key in KMS and replicated objects in the backup bucket should be encrypted by another CMK.
You plan to use an S3 Replication rule for this task. How would you configure the S3 Replication?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: C.
Option A is incorrect because, by default Amazon S3 doesn't replicate objects that are encrypted with customer master keys (CMKs) stored in AWS KMS.
You need to choose the keys for decrypting source objects in the Replication rule.
Option B is incorrect because you need to configure the keys for decryption and encryption in the S3 Replication rule.
Configuring the IAM role is not enough.
Option C is CORRECT because both the decryption key and encryption key should be identified in the Replication rule.
In terms of the CMK key policy in the destination account, it should allow the source account to use the key.
Option D is incorrect because even if the entire bucket is selected as the source, objects that are encrypted by customer-managed keys are still not replicated by default.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-replication.html.Sure, I'd be happy to provide a detailed explanation of the correct configuration for this scenario!
First, let's break down the requirements:
To accomplish this, we can use an S3 Replication rule. S3 Replication enables you to replicate objects automatically across buckets, regions, or accounts.
Now, let's examine each of the answer options to see which one would be the best approach for this scenario.
Option A: Create a new Replication rule and choose the customer-managed key ID used for the encryption in the destination S3 bucket. S3 Replication automatically handles the decryption in the source S3 bucket.
This option is not correct because it doesn't address the requirement that the replicated objects in the backup bucket should be encrypted with a different CMK. Also, S3 Replication does not handle decryption in the source S3 bucket - decryption needs to be done prior to replication.
Option B: Create a cross-account IAM role in the destination account that has permissions to decrypt/encrypt using the keys. Attach the IAM role in the Replication rule.
This option is a possibility because it addresses the requirement that the objects need to be encrypted with a different CMK. By creating a cross-account IAM role, we can give permissions to the destination account to use the required CMK to encrypt the replicated objects. However, this option doesn't address the fact that the source objects are encrypted with a different CMK, so we still need to handle decryption before replication.
Option C: In the Replication rule, select the KMS key to be allowed to decrypt objects and enter the CMK ARN for the encryption in the destination bucket. Modify the key policy of CMK in the destination account to grant the source bucket owner permissions.
This option is the correct approach. We can create a replication rule that includes a reference to the CMK used to encrypt the source objects and specify a different CMK to use for encryption in the destination bucket. We also need to modify the key policy of the destination CMK to grant permissions to the source bucket owner. By doing this, we can ensure that the source objects are decrypted, encrypted with the correct CMK, and then replicated to the destination bucket.
Option D: In the Replication rule, set the source to be the entire bucket to include all encrypted files. In the destination S3 bucket, enable the default encryption with AWS KMS.
This option is not correct because it doesn't address the requirement that the replicated objects in the backup bucket should be encrypted with a different CMK. Additionally, enabling default encryption with AWS KMS in the destination bucket would encrypt the replicated objects with the same CMK as the source objects, which is not what we want.
In summary, the correct configuration for this scenario is option C. We need to create an S3 Replication rule that includes a reference to the CMK used to encrypt the source objects and specifies a different CMK to use for encryption in the destination bucket. We also need to modify the key policy of the destination CMK to grant permissions to the source bucket owner. By doing this, we can ensure that the source objects are decrypted, encrypted with the correct CMK, and then replicated to the destination bucket.