How should a database specialist automate the process of backing up the cluster data in compliance with these policies?
Copy the AWS Key Management Service (AWS KMS) customer managed key from the source Region to the destination Region. Set up an AWS Glue job in the source Region to copy the latest snapshot of the Amazon Redshift cluster from the source Region to the destination Region. Use a time-based schedule in AWS Glue to run the job on a daily basis.
Create a new AWS Key Management Service (AWS KMS) customer managed key in the destination Region. Create a snapshot copy grant in the destination Region specifying the new key. In the source Region, configure cross-Region snapshots for the Amazon Redshift cluster specifying the destination Region, the snapshot copy grant, and retention periods for the snapshot.
Copy the AWS Key Management Service (AWS KMS) customer managed key from the source Region to the destination Region. Create Amazon S3 buckets in each Region using the keys from their respective Regions. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function in the source Region to copy the latest snapshot to the S3 bucket in that Region. Configure S3 Cross-Region Replication to copy the snapshots to the destination Region, specifying the source and destination KMS key IDs in the replication configuration.
Use the same customer-supplied key materials to create a CMK with the same private key in the destination Region. Configure cross-Region snapshots in the source Region targeting the destination Region. Specify the corresponding CMK in the destination Region to encrypt the snapshot.
Explanations:
Copying the AWS KMS customer managed key to the destination Region is not permitted because KMS keys are Region-specific and cannot be transferred. Furthermore, AWS Glue jobs are not designed for snapshot management, and relying on Glue for backup snapshots would not align with best practices for Redshift snapshot management.
Creating a new AWS KMS customer managed key in the destination Region is required because KMS keys are Region-specific. The snapshot copy grant allows the source cluster to copy snapshots to the destination Region securely using the new key. Configuring cross-Region snapshots ensures that backups are automated and compliant with corporate policy.
Copying KMS keys across Regions is not allowed. The use of S3 for snapshots is not applicable in this context because Redshift snapshots are not directly copied to S3; instead, they are managed within the Redshift service. While S3 Cross-Region Replication is a valid strategy for S3 objects, it does not apply to Redshift snapshots.
While creating a CMK with the same private key is conceptually appealing, AWS KMS does not allow for the direct duplication of CMKs across Regions in this manner. Cross-Region snapshots do require a snapshot copy grant, but using customer-supplied key materials directly for a CMK does not comply with AWS KMS policies.