Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 137 discussion

D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1. Customer Managed KMS Key: Encrypting secrets in us-east-1 with a customer managed KMS key allows greater control over key rotation policies and permissions, ensuring higher security and compliance. Replication of secrets to us-west-1: Replicating the secrets to us-west-1 ensures that the secrets are available in both regions, meeting the requirement to function even if only one region is available. Using the same customer managed KMS key in us-west-1: Encrypting the secrets in us-west-1 using the KMS key from us-east-1 ensures consistency in encryption and secret management across regions. Additionally, this can help minimize latency, as the same key is used for both regions, making the replication process more efficient.

A is correct, the key point is availability is case one region is down.

D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1. A. is incorrect Using AWS-managed KMS keys for encryption would not allow you to have control over the keys across regions. Secrets in us-west-1 would use a different key, which could complicate key management and does not fulfill the requirement of using the same encryption key for replication.

Right answer is A as this the only technically possible option which fulfills the requirement. "For Encryption key, choose a KMS key to encrypt the secret with. The key must be in the replica Region." https://docs.aws.amazon.com/secretsmanager/latest/userguide/replicate-secrets.html

Not A& B. AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys. https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

KMS key must be in the replica region.

A . KMS has regional service.

I go for D Not option A because separate keys, "Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1"

Option A is the right one.

I guess A - becuase solution must work even if us-east-1 will-be unavaliable, so we must use encryption key from us-west-1 too

Secrets are replicated to both regions, minimizing latency and ensuring availability. Using the same KMS key ensures consistent access control and simplifies management.

My answer is B Encrypt the secrets in us-east-1 by using an AWS managed KMS key: Create an AWS managed KMS key in the us-east-1 Region. This key will be used to encrypt the secrets in both Regions. Use this key to encrypt the secrets in us-east-1. Replicate the secrets to us-west-1: Use the AWS Secrets Manager to replicate the encrypted secrets from us-east-1 to us-west-1. This ensures that the same secrets are available in both Regions. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1: Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1 to retrieve the encrypted secrets. This allows the resources in us-west-1 to access the secrets without having to replicate the secrets to us-west-1.

A. "The solution must minimize latency and must be able to work if only one Region is available." A is the only solution that can work if one region is down.

A is correct

D A. Separate KMS Keys: Using separate managed KMS keys per Region creates a dependency on both Regions being available for decryption. If only one Region is accessible, the other Region's key wouldn't be usable. B & C. Secrets Manager Endpoint in us-east-1: These options rely on resources in us-west-1 calling the Secrets Manager endpoint in us-east-1. This introduces a single point of failure in us-east-1 and wouldn't achieve the desired redundancy and availability if us-east-1 becomes unavailable