Member, October 6, 2020 at 10:41 am
This is in regard to the explanation on the following question:
A Security Engineer is tasked to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS. The CMK will also be used to encrypt and decrypt log files for multiple accounts across all regions.
Which of the following is the MOST efficient way to accomplish this?
1) Enable log file integrity validation that automatically encrypts the AWS CloudTrail logs using a Customer Master Key (CMK) from AWS KMS.
2) Use server-side encryption with AWS KMS–managed keys (SSE-KMS) for the CloudTrail log files.
3) Do nothing since there is already a default Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3) applied to the CloudTrail log files.
4) Use the Encrypt API from AWS KMS to directly encrypt all log files in AWS CloudTrail every time one is created.
In the explanation it states “You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.” but later on also says “The CMK that you choose must be created in the same AWS Region as the Amazon S3 bucket that receives your log files”
Could someone clarify how you can use the CMK across regions but also need the CMK and bucket to be in the same region? Is there something I’m not understanding or mixing up?
Member, October 7, 2020 at 10:15 am
Thanks for the feedback.
I’ve tried performing this experiment. Based on what I’ve encountered, the statement “The CMK that you choose must be created in the same AWS Region as the Amazon S3 bucket that receives your log files” means that the CMK created in AWS KMS (example: N. Virginia) must be in the same region as the S3 bucket (N. Virginia) that will be used to store the logs. I’ve also tried creating a new S3 bucket (Region: Singapore), and the CMK that I created in AWS KMS (N. Virginia) can’t be used for the S3 bucket in Singapore.
For your question, “how you can use the CMK across regions but also need the CMK and bucket to be in the same region” I think AWS Encryption SDK can help you. Based on the AWS Documentation:
“For example, you can encrypt data under multiple AWS Key Management Service (AWS KMS) customer master keys (CMKs), each in a different AWS Region. Then you can copy the encrypted data to any of the regions and use the CMK in that region to decrypt it. You can also encrypt data under a CMK in AWS KMS and a master key in an on-premises HSM, enabling you to later decrypt the data even if one of the options is unavailable.”
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Gerome @ Tutorials Dojo
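Editor's note with an added example (not code from either poster or from Tutorials Dojo). The two statements in the thread are compatible once you separate where the key lives from who may use it: the CMK must sit in the region of the S3 bucket that receives the logs, while cross-account and cross-region use is granted in the key policy, whose CloudTrail condition matches trail ARNs with a wildcard region (`arn:aws:cloudtrail:*:ACCOUNT:trail/*`). The script below builds that key policy for several accounts and checks the key/bucket region pairing before you would pass the key to `update-trail`. The statement shapes follow the CloudTrail documentation's key policy for encrypting log files; the account IDs, key ARN and admin role ARN are constructed placeholders.

```python
"""Build the KMS key policy CloudTrail needs for multi-account log
encryption, and check that the CMK is in the log bucket's region.

Added example; ARNs and account IDs below are constructed placeholders.
"""
import json


def key_region(key_arn: str) -> str:
    """Return the region segment of a KMS key ARN
    (arn:aws:kms:REGION:ACCOUNT:key/KEY-ID)."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return parts[3]


def same_region_as_bucket(key_arn: str, bucket_region: str) -> bool:
    """CloudTrail rejects a CMK outside the receiving bucket's region,
    which is the failure the reply above saw with a Singapore bucket and
    an N. Virginia key."""
    return key_region(key_arn) == bucket_region


def build_cloudtrail_key_policy(key_admin_arn: str, trail_account_ids: list) -> dict:
    """Key policy: one GenerateDataKey statement and one Decrypt statement
    per account whose trails will write to the shared bucket. The trail ARN
    condition uses '*' for the region, so a single key serves trails in
    every region as long as the key itself is in the bucket's region."""
    statements = [
        {
            "Sid": "Key administration",
            "Effect": "Allow",
            "Principal": {"AWS": key_admin_arn},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
    ]
    for acct in trail_account_ids:
        trail_arn_pattern = f"arn:aws:cloudtrail:*:{acct}:trail/*"
        # CloudTrail itself asks for a data key, scoped to this account's trails
        statements.append({
            "Sid": f"Allow CloudTrail in {acct} to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_arn_pattern}
            },
        })
        # Principals in that account may decrypt only logs written by its trails
        statements.append({
            "Sid": f"Allow principals in {acct} to decrypt log files",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": acct},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_arn_pattern},
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def decrypt_statements_for(policy: dict, account_id: str) -> list:
    """Helper for review: which statements let this account decrypt."""
    return [
        s for s in policy["Statement"]
        if "kms:Decrypt" in s.get("Action", [])
        and s.get("Condition", {}).get("StringEquals", {}).get("kms:CallerAccount") == account_id
    ]


if __name__ == "__main__":
    # Constructed placeholders: key in us-east-1, bucket in us-east-1
    KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    ADMIN_ARN = "arn:aws:iam::111122223333:role/KeyAdministrators"
    print("key usable for bucket:", same_region_as_bucket(KEY_ARN, "us-east-1"))
    print(json.dumps(build_cloudtrail_key_policy(ADMIN_ARN, ["111122223333", "444455556666"]), indent=2))
```

Run `same_region_as_bucket` against the bucket's region before calling `aws cloudtrail update-trail --kms-key-id`; a mismatch is exactly the Singapore-bucket case in the reply. The decrypt statements are deliberately split per account so that one account's principals cannot decrypt another account's log objects even though all of them share the bucket and the key.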