Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 137 discussion

D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1. Customer Managed KMS Key: Encrypting secrets in us-east-1 with a customer managed KMS key allows greater control over key rotation policies and permissions, ensuring higher security and compliance. Replication of secrets to us-west-1: Replicating the secrets to us-west-1 ensures that the secrets are available in both regions, meeting the requirement to function even if only one region is available. Using the same customer managed KMS key in us-west-1: Encrypting the secrets in us-west-1 using the KMS key from us-east-1 ensures consistency in encryption and secret management across regions. Additionally, this can help minimize latency, as the same key is used for both regions, making the replication process more efficient.

D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1. A. is incorrect Using AWS-managed KMS keys for encryption would not allow you to have control over the keys across regions. Secrets in us-west-1 would use a different key, which could complicate key management and does not fulfill the requirement of using the same encryption key for replication.

Right answer is A as this the only technically possible option which fulfills the requirement. "For Encryption key, choose a KMS key to encrypt the secret with. The key must be in the replica Region." https://docs.aws.amazon.com/secretsmanager/latest/userguide/replicate-secrets.html

Not A& B. AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

KMS key must be in the replica region.

A . KMS has regional service.

I go for D Not option A because separate keys, "Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1"

Option A is the right one.

I guess A - becuase solution must work even if us-east-1 will-be unavaliable, so we must use encryption key from us-west-1 too

A is correct, the key point is availability is case one region is down.

Secrets are replicated to both regions, minimizing latency and ensuring availability. Using the same KMS key ensures consistent access control and simplifies management.

My answer is B Encrypt the secrets in us-east-1 by using an AWS managed KMS key: Create an AWS managed KMS key in the us-east-1 Region. This key will be used to encrypt the secrets in both Regions. Use this key to encrypt the secrets in us-east-1. Replicate the secrets to us-west-1: Use the AWS Secrets Manager to replicate the encrypted secrets from us-east-1 to us-west-1. This ensures that the same secrets are available in both Regions. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1: Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1 to retrieve the encrypted secrets. This allows the resources in us-west-1 to access the secrets without having to replicate the secrets to us-west-1.

A. "The solution must minimize latency and must be able to work if only one Region is available." A is the only solution that can work if one region is down.

A is correct

D A. Separate KMS Keys: Using separate managed KMS keys per Region creates a dependency on both Regions being available for decryption. If only one Region is accessible, the other Region's key wouldn't be usable. B & C. Secrets Manager Endpoint in us-east-1: These options rely on resources in us-west-1 calling the Secrets Manager endpoint in us-east-1. This introduces a single point of failure in us-east-1 and wouldn't achieve the desired redundancy and availability if us-east-1 becomes unavailable