A company will store data in Amazon S3 buckets in two AWS Regions and must use an AWS KMS customer managed key to encrypt all data in those S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key, and both the data and the key must be stored in each of the two Regions. Which solution meets these requirements with the LEAST operational overhead?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a customer managed multi-Region KMS key, create an S3 bucket in each Region, configure replication between the S3 buckets, and configure the application to use the KMS key with client-side encryption..
Why this is the answer
The correct answer is to create a customer managed multi-Region KMS key, create an S3 bucket in each Region, configure replication between the S3 buckets, and configure the application to use the KMS key with client-side encryption. This is the only option that directly addresses the requirement for the same KMS key to encrypt and decrypt data in both regions, while also ensuring the key is present in both regions. Multi-Region KMS keys are designed for this exact scenario, allowing a single logical key to be replicated and used across multiple regions. Client-side encryption ensures the application handles the encryption/decryption using the specified KMS key, meeting the "same KMS key" requirement. The other options are incorrect because: Using SSE-S3 does not involve a customer managed key. Using SSE-KMS with standard customer managed keys would require separate keys in each region, not the "same" key across regions. Configuring replication between S3 buckets is necessary but doesn't solve the KMS key requirement by itself.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed