AWS Certified Security – Specialty — Question 21
An application must be resilient not only across Availability Zones within its primary region but also remain available in another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
Answer options
- A. Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
- B. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
- C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
- D. Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.
Correct answer: C
Explanation
The correct answer is C. AWS services encrypt data under a data encryption key, and that data key is in turn wrapped (encrypted) by the CMK; because a CMK is bound to the region in which it was created, the way to make replicated data decryptable in the target region is to re-wrap the data encryption key under the target region's CMK, which is exactly what option C describes. Option A is incorrect, as simply copying the CMK does not facilitate decryption of already encrypted resources. Option B is not feasible, since AWS KMS does not support automatic synchronization of CMKs across regions. Option D is also incorrect, as direct communication with the source region's KMS for decryption is not supported.
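The following is an added illustration of the envelope-encryption re-wrap that option C relies on; it is not part of the original question and is not AWS code. It models each region's KMS as a `ToyKms` object whose CMK material never leaves it, and uses a SHA-256 keystream XOR as a stand-in for the AES-GCM that KMS and AWS services actually use (names `ToyKms`, `encrypt_record`, `rewrap_for_region` and `decrypt_record` are all assumptions of this example). In real AWS the unwrap step is a `Decrypt` call against the source region's KMS endpoint and the re-wrap an `Encrypt` call against the target region's endpoint; the point the example makes is that the data ciphertext is copied unchanged and only the wrapped data key changes.

```python
import hashlib
import os
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (demo only): XOR data with SHA-256(key || nonce || counter) blocks.
    Stands in for AES-GCM; XOR is its own inverse, so encrypt and decrypt are the same call."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class Ciphertext:
    nonce: bytes
    body: bytes


class ToyKms:
    """Stand-in for one region's KMS. The CMK key material is private to this object,
    mirroring the fact that a real CMK cannot be exported or copied to another region."""

    def __init__(self, region: str) -> None:
        self.region = region
        self._cmk = os.urandom(32)  # constructed key material, never exposed

    def generate_data_key(self) -> tuple[bytes, Ciphertext]:
        """Like KMS GenerateDataKey: returns the plaintext DEK and the DEK wrapped by this CMK."""
        dek = os.urandom(32)
        return dek, self.encrypt(dek)

    def encrypt(self, plaintext: bytes) -> Ciphertext:
        nonce = os.urandom(12)
        return Ciphertext(nonce, _keystream_xor(self._cmk, nonce, plaintext))

    def decrypt(self, ct: Ciphertext) -> bytes:
        # A real KMS would reject ciphertext from another CMK; the toy just returns garbage.
        return _keystream_xor(self._cmk, ct.nonce, ct.body)


def encrypt_record(source_kms: ToyKms, plaintext: bytes) -> dict:
    """Envelope encryption in the source region: data under a fresh DEK, DEK wrapped by the source CMK."""
    dek, wrapped_dek = source_kms.generate_data_key()
    nonce = os.urandom(12)
    return {"wrapped_dek": wrapped_dek, "data": Ciphertext(nonce, _keystream_xor(dek, nonce, plaintext))}


def rewrap_for_region(record: dict, source_kms: ToyKms, target_kms: ToyKms) -> dict:
    """Option C: unwrap the DEK with the source CMK and re-wrap it with the target CMK.
    The data ciphertext is replicated as-is; only the wrapped key is replaced."""
    dek = source_kms.decrypt(record["wrapped_dek"])
    return {"wrapped_dek": target_kms.encrypt(dek), "data": record["data"]}


def decrypt_record(record: dict, kms: ToyKms) -> bytes:
    """Unwrap the DEK with the given region's CMK, then decrypt the data with the DEK."""
    dek = kms.decrypt(record["wrapped_dek"])
    return _keystream_xor(dek, record["data"].nonce, record["data"].body)


if __name__ == "__main__":
    src, dst = ToyKms("us-east-1"), ToyKms("eu-west-1")
    rec = encrypt_record(src, b"customer-record")        # constructed sample plaintext
    moved = rewrap_for_region(rec, src, dst)
    print("target region decrypts:", decrypt_record(moved, dst))
    print("data ciphertext unchanged:", moved["data"] == rec["data"])
    print("source-wrapped key usable in target region:", decrypt_record(rec, dst) == b"customer-record")
```

Running the script shows the target region recovering the plaintext from the re-wrapped record, the data ciphertext being byte-identical before and after the move, and the original (source-wrapped) record being unusable in the target region, which is why options A, B and D do not work.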