Your company requires that S3 objects should be replicated in different AWS regions.
You have an S3 bucket in the ap-southeast-1 region, and its objects are encrypted with AWS Key Management Service (AWS KMS).
How would you configure the Cross-Region Replication (CRR) for the encrypted objects in the S3 bucket?
Correct Answer - C.
Option A is incorrect because Cross-Region replication can copy encrypted objects across buckets in different AWS regions.
Option B is incorrect because this is not required as CRR supports AWS-KMS.
Option C is CORRECT because users can choose one or more KMS keys in the replication rule as follows.
Objects encrypted by AWS KMS CMKs that are not selected will not be replicated.
Option D is incorrect because the re-encryption is not required for the Cross-Region replication.
For details, please check the following references.
References:
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-replication.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html#crr-scenario
The correct answer is C. In the replication rule, provide the KMS key name for decrypting source objects.
Cross-Region Replication (CRR) is a feature that replicates objects from a source S3 bucket to a destination S3 bucket in a different region. With CRR, you can have a copy of your objects in a different region, which can help you achieve data durability, reduce latency, and meet compliance requirements.
When an S3 object is encrypted with AWS Key Management Service (AWS KMS), the encryption key is managed separately from the S3 bucket. Therefore, when replicating an encrypted object with CRR, the KMS key that was used to encrypt the object must be accessible from the destination region.
To configure CRR for encrypted objects, follow these steps:
By providing the KMS key name or ARN in the replication rule, you allow the destination region to decrypt the encrypted objects using the same KMS key that was used to encrypt them. This ensures that the replicated objects are also encrypted and can only be decrypted by authorized users in the destination region.
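As an added example (not part of the original answer explanation, and not AWS's own code), the following Python builds the replication configuration that S3's PutBucketReplication API accepts for SSE-KMS objects, together with the KMS permission statements the replication role needs, and checks an existing configuration for the two settings that most often cause KMS-encrypted objects to be silently skipped. The bucket names, account ID, role ARN and key ARNs are constructed placeholders; the element names (SourceSelectionCriteria, SseKmsEncryptedObjects, EncryptionConfiguration, ReplicaKmsKeyID) are the real replication-configuration fields.

```python
"""Build and sanity-check an S3 replication configuration for SSE-KMS objects.

Added example; the identifiers below are constructed placeholders, not real
AWS resources. The dictionary shape is the one PutBucketReplication accepts.
"""
import json

# Constructed placeholder identifiers (assumptions for illustration only).
SOURCE_REGION = "ap-southeast-1"
DEST_REGION = "us-east-1"
DEST_BUCKET = "example-replica-bucket"
REPLICATION_ROLE = "arn:aws:iam::111122223333:role/s3-crr-role"
SOURCE_KMS_KEY = f"arn:aws:kms:{SOURCE_REGION}:111122223333:key/00000000-0000-0000-0000-000000000001"
REPLICA_KMS_KEY = f"arn:aws:kms:{DEST_REGION}:111122223333:key/00000000-0000-0000-0000-000000000002"


def build_replication_config(role_arn, dest_bucket, replica_kms_key_arn, prefix=""):
    """Return a replication configuration that replicates SSE-KMS objects."""
    return {
        "Role": role_arn,
        "Rules": [
            {
                "ID": "replicate-sse-kms-objects",
                "Status": "Enabled",
                "Priority": 1,
                "Filter": {"Prefix": prefix},
                # Required once a Filter is present (V2 configuration).
                "DeleteMarkerReplication": {"Status": "Disabled"},
                # Without this element S3 skips objects encrypted with SSE-KMS.
                "SourceSelectionCriteria": {
                    "SseKmsEncryptedObjects": {"Status": "Enabled"}
                },
                "Destination": {
                    "Bucket": f"arn:aws:s3:::{dest_bucket}",
                    # Replicas are re-encrypted with this key in the destination region.
                    "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_kms_key_arn},
                },
            }
        ],
    }


def replication_role_kms_statements(source_key_arn, replica_key_arn, source_region, dest_region):
    """IAM statements the replication role needs: decrypt at source, encrypt at destination.

    The kms:ViaService condition restricts the grant to calls made through S3.
    """
    return [
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [source_key_arn],
            "Condition": {"StringLike": {"kms:ViaService": f"s3.{source_region}.amazonaws.com"}},
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt"],
            "Resource": [replica_key_arn],
            "Condition": {"StringLike": {"kms:ViaService": f"s3.{dest_region}.amazonaws.com"}},
        },
    ]


def kms_replication_issues(config, dest_region):
    """List the reasons a configuration would fail to replicate SSE-KMS objects."""
    issues = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<no-id>")
        if rule.get("Status") != "Enabled":
            issues.append(f"{rid}: rule is not enabled")
            continue
        ssc = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        if ssc.get("Status") != "Enabled":
            issues.append(f"{rid}: SseKmsEncryptedObjects not enabled; KMS-encrypted objects are skipped")
        key = rule.get("Destination", {}).get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if not key:
            issues.append(f"{rid}: no ReplicaKmsKeyID; replicas cannot be KMS-encrypted in the destination")
        elif not key.startswith(f"arn:aws:kms:{dest_region}:"):
            # KMS keys are regional, so the replica key must live in the destination region.
            issues.append(f"{rid}: ReplicaKmsKeyID is not a key in {dest_region}")
    return issues


if __name__ == "__main__":
    cfg = build_replication_config(REPLICATION_ROLE, DEST_BUCKET, REPLICA_KMS_KEY)
    print(json.dumps(cfg, indent=2))
    print("issues:", kms_replication_issues(cfg, DEST_REGION))
    print(json.dumps(replication_role_kms_statements(SOURCE_KMS_KEY, REPLICA_KMS_KEY, SOURCE_REGION, DEST_REGION), indent=2))
```

The configuration dictionary can be passed unchanged as the ReplicationConfiguration argument of boto3's put_bucket_replication; the check function is useful on the output of get_bucket_replication when auditing an existing bucket, since a rule that omits SseKmsEncryptedObjects replicates only unencrypted and SSE-S3 objects without raising an error.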
Option A is incorrect because encrypted objects can be replicated with CRR as long as the KMS key used for encryption is accessible from the destination region.
Option B is incorrect because modifying the S3 bucket properties to use AES-256 encryption would not help with replicating encrypted objects with CRR. The replication rule still needs the KMS key name or ARN to decrypt the objects in the destination region.
Option D is incorrect because copying a KMS key from the target region to the source region and re-encrypting objects with the new key in the source S3 bucket is not necessary for CRR. The replication rule only needs the KMS key name or ARN to decrypt the objects in the destination region.