Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
Copy the application’s AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.
Configure the target region’s AWS service to communicate with the source region’s AWS KMS so that it can decrypt the resource in the target region.
Explanations:
Copying the AWS KMS CMK between regions does not automatically enable decryption across regions. The CMK must be re-wrapped in the target region to allow decryption, making this option invalid.
AWS KMS does not automatically synchronize CMKs between regions. You must manually configure cross-region encryption and key management for multi-region access.
This is the correct approach. By re-wrapping the data encryption key with the CMK in the target region, the data can be decrypted in the new region using the target region’s CMK.
AWS KMS keys are region-specific and cannot be directly accessed across regions. Cross-region decryption would require using a key from the target region, not direct communication between the target region's service and the source region's AWS KMS.
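The re-wrap described in the correct option, shown as an added example that is not part of the original question set. It uses a constructed stand-in for boto3's KMS client (same `KeyId` / `Plaintext` / `CiphertextBlob` argument names, but a toy wrapping scheme and a region check) so it runs offline; with real AWS you would pass `boto3.client("kms", region_name=...)` objects for each region instead.

```python
import hashlib
import os

def _xor(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))  # toy keystream, payloads up to 32 bytes

class FakeRegionalKms:
    # Constructed stand-in for boto3.client("kms", region_name=...). It holds only
    # its own region's CMKs and rejects ciphertext wrapped elsewhere, mirroring the
    # region-specific nature of KMS keys. The SHA-256 wrapping is a toy, not KMS's.
    def __init__(self, region: str):
        self.region = region
        self._cmks = {}  # key id -> key material that never leaves "KMS"

    def create_key(self) -> dict:
        key_id = f"{self.region}-cmk-{len(self._cmks) + 1}"
        self._cmks[key_id] = os.urandom(32)
        return {"KeyMetadata": {"KeyId": key_id}}

    def encrypt(self, KeyId: str, Plaintext: bytes) -> dict:
        nonce = os.urandom(16)
        mask = hashlib.sha256(self._cmks[KeyId] + nonce).digest()
        return {"CiphertextBlob": b"|".join([self.region.encode(), KeyId.encode(), nonce + _xor(Plaintext, mask)])}

    def generate_data_key(self, KeyId: str) -> dict:
        dek = os.urandom(32)  # 256-bit data encryption key that protects the resource itself
        return {"Plaintext": dek, "CiphertextBlob": self.encrypt(KeyId, dek)["CiphertextBlob"]}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        region, key_id, body = CiphertextBlob.split(b"|", 2)
        if region.decode() != self.region:
            raise PermissionError(f"wrapped in {region.decode()}, cannot unwrap in {self.region}")
        mask = hashlib.sha256(self._cmks[key_id.decode()] + body[:16]).digest()
        return {"Plaintext": _xor(body[16:], mask)}

def rewrap_data_key(src_kms, dst_kms, wrapped_dek: bytes, dst_key_id: str) -> bytes:
    # Cross-region there is no single re-encrypt call: Decrypt under the source
    # CMK, then Encrypt under the target CMK. The DEK is in plaintext only in the
    # caller's memory between the two calls; the CMKs themselves never move.
    dek = src_kms.decrypt(CiphertextBlob=wrapped_dek)["Plaintext"]
    return dst_kms.encrypt(KeyId=dst_key_id, Plaintext=dek)["CiphertextBlob"]

def demo() -> bool:
    src, dst = FakeRegionalKms("us-east-1"), FakeRegionalKms("eu-west-1")
    src_key = src.create_key()["KeyMetadata"]["KeyId"]
    dst_key = dst.create_key()["KeyMetadata"]["KeyId"]
    dek = src.generate_data_key(KeyId=src_key)  # DEK wrapped by the source region's CMK
    moved = rewrap_data_key(src, dst, dek["CiphertextBlob"], dst_key)
    return dst.decrypt(CiphertextBlob=moved)["Plaintext"] == dek["Plaintext"]
```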