What should the company do to set up the snapshot in us-west-1 with proper encryption?
Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1 as the principal.
Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.
Explanations:
AWS Secrets Manager is not used to store KMS keys for encryption. KMS keys need to be accessible directly in the target region for the snapshot to be encrypted, not via Secrets Manager.
To copy the snapshot to a new region, the company should create a new customer managed key in the destination region (us-west-1). This key will be used to encrypt the snapshot in the new region.
An IAM policy specifying a region as the principal (arn:aws:kms:us-west-1) is incorrect. KMS keys are region-specific, and a policy principal must identify an IAM identity or service, not a region.
This IAM policy is also incorrect because the specified principal arn:aws:rds:us-west-1:* is not a valid principal for KMS key access. KMS permissions must be granted to the necessary IAM roles or services, not to a region-scoped RDS ARN.