Exam AWS Certified Database - Specialty topic 1 question 14 discussion

I think C If you want to enable cross-Region snapshot copy for an AWS KMS–encrypted cluster, you must configure a snapshot copy grant for a root key in the destination AWS Region Source-Region : configure a cross-Region snapshot for an AWS KMS–encrypted cluster In Destination AWS Region : choose the AWS Region to which to copy snapshots. https://docs.aws.amazon.com/redshift/latest/mgmt/managing-snapshots-console.html#xregioncopy-kms-encrypted-snapshot

C See https://aws.amazon.com/blogs/big-data/migrate-your-amazon-redshift-cluster-to-another-aws-region/

For encrypted snapshots - configure cross region snapshots and additionally specify a snapshot copy grant which requires a KMS key

C. Enable Amazon Redshift cross-Region snapshots in the source Region, and create a snapshot copy grant and use a KMS key in the destination Region. Here's why this option is the correct choice: Enabling cross-Region snapshots in the source Region is necessary to initiate the snapshot copying process. Creating a snapshot copy grant allows you to define permissions and configurations for copying snapshots to the destination Region. It is an essential step in setting up snapshot replication. Using a KMS key in the destination Region ensures that the copied snapshots are encrypted with a key specific to that Region. This maintains data security during replication.

It*s C: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#configure-snapshot-copy-grant It can't be (A) because when you read the docs it is written "[...] 2. In the SOURCE AWS Region, enable copying of snapshots and ...". B & D is about replication and not copying a snapshot.

The question is about cross-region snapshot copy (read carefully), not about cross-region replication, so B and D are out. From the remaining A and C, I would tend to A because the KMS key is needed from the source, the target only needs a grant on it.

Seek “Copying AWS KMS–encrypted snapshots to another AWS Region” from https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html No need to create IAM role

"To copy snapshots for AWS KMS–encrypted clusters to another AWS Region, create a grant for Amazon Redshift to use a customer managed key in the destination AWS Region. Then choose that grant when you enable copying of snapshots in the source AWS Region." Reference: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html

https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#configure-snapshot-copy-grant

D is correct https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#configure-snapshot-copy-grant

because of this documentation https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html Copying snapshots to another AWS Region article shows c is the answer

The answer is explained here: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#working-with-aws-kms, look for "copying AWS KMS–encrypted snapshots to another AWS Region"

I thought keys are region specific and one will need to be created in the destination region

https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

-A,B,D are incorrect -C new KMS in the destination Region -> snapshot copy grant in the destination Region specifying the new key ->In the source Region, configure cross-Region snapshots for the Amazon Redshift cluster specifying - the destination Region, - the snapshot copy grant, - and retention periods for the snapshot.

Question is poorly written . In absence of true answer C is right. It is right because A,B,D are not correct. You definitely need snapshot copy grant in destination region but based on that region key. Answer C does not say which key.

C is correct ans