AWS Certified Security – Specialty — Question 451
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.
What should the company do to set up the snapshot in us-west-1 with proper encryption?
Answer options
- A. Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
- B. Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
- C. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1 as the principal.
- D. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.
Correct answer: B
Explanation
AWS KMS keys are region-specific: a key created in us-east-1 cannot be used to encrypt a resource stored in us-west-1. To copy an encrypted DB snapshot to another region, you must specify a customer managed KMS key that already exists in the destination region, and that key is used to encrypt the copy. AWS Secrets Manager cannot store or export KMS key material for this purpose, and an IAM policy cannot grant cross-region use of a key that is local to another region; in any case, a region or service ARN is not a valid IAM principal.
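The following is an added example, not part of the exam page: a boto3-based helper that refuses a KMS key whose ARN names a region other than the copy target (the exact mistake in the question) and then issues the cross-region snapshot copy against an RDS client bound to us-west-1. The account id, snapshot names and key id are placeholders.

```python
"""Copy an encrypted Aurora cluster snapshot to another region using a
destination-region KMS key.  Added example; account id, snapshot names and
key id below are assumed placeholders, not values from the exam page."""
import re

SOURCE_REGION = "us-east-1"
TARGET_REGION = "us-west-1"
ACCOUNT_ID = "123456789012"  # constructed placeholder account

# KMS key ARNs carry the region explicitly; bare key ids and alias names do not.
_KMS_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<kind>key|alias)/(?P<name>.+)$"
)


def kms_key_region(kms_key_id: str):
    """Return the region embedded in a KMS key ARN, or None for a bare key id
    or alias name (those resolve in the region of the client that uses them)."""
    m = _KMS_ARN.match(kms_key_id)
    return m.group("region") if m else None


def check_destination_key(kms_key_id: str, target_region: str) -> None:
    """Reject a key that lives in a different region than the copy target:
    a us-east-1 key cannot encrypt a snapshot copy stored in us-west-1."""
    region = kms_key_region(kms_key_id)
    if region is not None and region != target_region:
        raise ValueError(
            f"KMS key {kms_key_id} is in {region}; the copy in {target_region} "
            f"needs a customer managed key that exists in {target_region}"
        )


def copy_encrypted_cluster_snapshot(rds_target, source_snapshot_arn, target_snapshot_id,
                                    kms_key_id, source_region=SOURCE_REGION,
                                    target_region=TARGET_REGION):
    """Issue the copy through an RDS client bound to the target region.
    `rds_target` is any object exposing copy_db_cluster_snapshot (a boto3
    client, or a stub in tests); boto3 builds the presigned URL from SourceRegion."""
    check_destination_key(kms_key_id, target_region)
    return rds_target.copy_db_cluster_snapshot(
        SourceDBClusterSnapshotIdentifier=source_snapshot_arn,
        TargetDBClusterSnapshotIdentifier=target_snapshot_id,
        KmsKeyId=kms_key_id,
        SourceRegion=source_region,
    )


if __name__ == "__main__":
    import boto3  # only needed for the live call
    rds = boto3.client("rds", region_name=TARGET_REGION)
    resp = copy_encrypted_cluster_snapshot(
        rds, f"arn:aws:rds:{SOURCE_REGION}:{ACCOUNT_ID}:cluster-snapshot:prod-snap",
        "prod-snap-usw1", f"arn:aws:kms:{TARGET_REGION}:{ACCOUNT_ID}:key/REPLACE-WITH-KEY-ID")
    print(resp["DBClusterSnapshot"]["Status"])
```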