Which solution will meet these requirements?
Create a KMS multi-Region primary key. Use the KMS multi-Region primary key to create a KMS multi-Region replica key in each additional Region where the application is running. Update the application code to use the specific replica key in each Region.
Create a new customer managed KMS key in each additional Region where the application is running. Update the application code to use the specific KMS key in each Region.
Use AWS Private Certificate Authority to create a new certificate authority (CA) in the primary Region. Issue a new private certificate from the CA for the application’s website URL. Share the CA with the additional Regions by using AWS Resource Access Manager (AWS RAM). Update the application code to use the shared CA certificates in each Region.
Use AWS Systems Manager Parameter Store to create a parameter in each additional Region where the application is running. Export the key material from the KMS key in the primary Region. Store the key material in the parameter in each Region. Update the application code to use the key data from the parameter in each Region.
Explanations:
A KMS multi-Region primary key and its replica keys share the same key ID and key material, so the same key can be used to encrypt and decrypt data stored in S3 from any Region where the application runs. The application uses the replica key created in each additional Region, which keeps key usage consistent and secure across Regions.
Creating a new customer managed KMS key in each additional Region does not meet the requirement of using the same key for encryption and decryption across Regions. Each key would be independent and would hold different key material, so data encrypted in one Region could not be decrypted in another without extra cross-Region calls, making cross-Region data access complex and harder to secure.
Using AWS Private Certificate Authority and issuing certificates does not relate to the use of KMS keys for data encryption and decryption. The application requires KMS for handling encryption keys, not certificate management, making this option irrelevant to the problem.
Exporting the key material from a KMS key and storing it in AWS Systems Manager Parameter Store is not a valid approach. KMS does not allow the key material of a KMS key to be exported, and copying raw key material into a parameter store would violate best practices for key management and security. Additionally, it does not fulfill the requirement of using the same key across Regions.
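The first option in working code, as an added example that is not part of the original question: the application derives the Region-local replica ARN from the primary key ARN (related multi-Region keys share one key ID, prefixed `mrk-`, so only the Region segment of the ARN differs), encrypts in one Region and decrypts in another. It assumes boto3 is installed, that the replicas already exist, and that the caller holds kms:Encrypt and kms:Decrypt on them; the ARN and the client factory are hypothetical.

```python
"""Use a KMS multi-Region key from any Region: encrypt here, decrypt there."""
from typing import Callable


def regional_key_arn(primary_arn: str, region: str) -> str:
    """Return the ARN of the related multi-Region key as seen from `region`.

    ARN layout: arn:<partition>:kms:<region>:<account>:key/<key-id>.
    Primary and replica keys share the key ID, so the app needs no per-Region
    key table; it only rewrites the Region segment. Non-multi-Region keys
    (key ID not starting with "mrk-") are rejected, because their ARNs would
    not exist in other Regions.
    """
    parts = primary_arn.split(":")
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/mrk-"):
        raise ValueError(f"not a multi-Region KMS key ARN: {primary_arn}")
    parts[3] = region
    return ":".join(parts)


def _kms_client(region: str):
    """Default client factory (assumes boto3); imported lazily so the pure
    ARN helper above also works where boto3 is not installed."""
    import boto3
    return boto3.client("kms", region_name=region)


def encrypt_in_region(primary_arn: str, region: str, plaintext: bytes,
                      client_factory: Callable = _kms_client) -> bytes:
    """Encrypt under the replica (or primary) that lives in `region`."""
    key_arn = regional_key_arn(primary_arn, region)
    resp = client_factory(region).encrypt(KeyId=key_arn, Plaintext=plaintext)
    return resp["CiphertextBlob"]


def decrypt_in_region(primary_arn: str, region: str, ciphertext: bytes,
                      client_factory: Callable = _kms_client) -> bytes:
    """Decrypt in `region` with the Region-local key of the same family.

    KeyId is optional for symmetric Decrypt, but pinning it is the recommended
    practice: KMS refuses the call if the ciphertext was produced under an
    unrelated key, so a mis-deployed key ARN fails loudly instead of working
    by accident. Related multi-Region keys share the key ID embedded in the
    ciphertext, so the local replica ARN matches ciphertext made elsewhere.
    """
    key_arn = regional_key_arn(primary_arn, region)
    resp = client_factory(region).decrypt(KeyId=key_arn, CiphertextBlob=ciphertext)
    return resp["Plaintext"]
```

Tie the chosen Region to the Region the instance is running in (for example from the instance metadata or an environment variable) rather than hardcoding it, so each deployment automatically uses its local replica.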