Regional KMS keys
-
I think this answer is now wrong because of: https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/
An application hosted in an Amazon ECS Cluster is using an Amazon RDS database instance encrypted at rest with AWS Key Management Service (KMS). To improve data resiliency, the Security Administrator must create a cross-region read replica of the database instance in another AWS Region.
What should the Administrator do to complete this task?
Hence, the correct answer is: Set up a new CMK in the other region using AWS KMS. Create the encrypted read replica in another AWS Region by specifying the key identifier of the newly created CMK in the other Region.
The option that says: Create the encrypted read replica in another AWS Region by specifying the key identifier of the current CMK in the source Region is incorrect because the keys generated by AWS KMS are only stored and used in the region in which they were created. You can’t specify the key identifier of the current CMK in the source Region if you are creating a new read replica in another AWS Region.
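The procedure the quoted answer describes (a key in the target Region, then a read replica created with that key's identifier) as an added example in AWS CLI shell, not code from the original post or from Tutorials Dojo. It also shows the multi-Region key route the first post links to, and a check a practitioner wants before calling RDS: that the key ARN handed to `--kms-key-id` actually belongs to the target Region, since a single-Region key from the source Region is rejected there. Region names, the account id, instance identifiers and key ARNs are constructed placeholders; the `aws` calls are only executed when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the forum post): create a KMS key usable in the
# target Region, then create the cross-Region encrypted read replica with it.
# All Region names, the account id, identifiers and ARNs are constructed.

SOURCE_REGION="${SOURCE_REGION:-us-east-1}"
TARGET_REGION="${TARGET_REGION:-us-west-2}"
SOURCE_DB_ARN="${SOURCE_DB_ARN:-arn:aws:rds:us-east-1:123456789012:db:app-db}"
REPLICA_ID="${REPLICA_ID:-app-db-replica}"

# Region component of a KMS key ARN (arn:aws:kms:REGION:ACCOUNT:key/ID).
kms_arn_region() {
    printf '%s\n' "$1" | cut -d: -f4
}

# True when the key lives in the Region the replica is being created in.
# RDS cannot encrypt a replica in one Region with a single-Region key
# that lives in another, so refuse such a key before making any API call.
key_usable_in_region() {
    [ "$(kms_arn_region "$1")" = "$2" ]
}

# Option 1: a new single-Region customer managed key created in the target
# Region (the answer quoted above). Prints the new key's ARN.
create_target_region_key() {
    aws kms create-key --region "$TARGET_REGION" \
        --description "RDS read replica key ($REPLICA_ID)" \
        --query KeyMetadata.Arn --output text
}

# Option 2 (KMS multi-Region keys, announced June 2021): a multi-Region
# primary key in the source Region, replicated into the target Region.
# Prints the ARN of the replica key, which is what the replica uses.
create_multi_region_key() {
    primary_arn=$(aws kms create-key --region "$SOURCE_REGION" --multi-region \
        --description "RDS multi-Region key ($REPLICA_ID)" \
        --query KeyMetadata.Arn --output text)
    aws kms replicate-key --region "$SOURCE_REGION" --key-id "$primary_arn" \
        --replica-region "$TARGET_REGION" \
        --query ReplicaKeyMetadata.Arn --output text
}

# Create the encrypted cross-Region read replica with the given key ARN.
create_encrypted_replica() {
    key_arn="$1"
    key_usable_in_region "$key_arn" "$TARGET_REGION" || {
        echo "refusing: $key_arn is not a key in $TARGET_REGION" >&2
        return 1
    }
    aws rds create-db-instance-read-replica --region "$TARGET_REGION" \
        --db-instance-identifier "$REPLICA_ID" \
        --source-db-instance-identifier "$SOURCE_DB_ARN" \
        --source-region "$SOURCE_REGION" \
        --kms-key-id "$key_arn"
}

# The real procedure runs only when asked ("sh script.sh run"); otherwise
# the script just exercises the Region check on constructed ARNs.
if [ "${1:-}" = "run" ]; then
    key_arn=$(create_target_region_key)
    create_encrypted_replica "$key_arn"
else
    good="arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    bad="arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    key_usable_in_region "$good" "$TARGET_REGION" && echo "target-Region key: accepted"
    key_usable_in_region "$bad" "$TARGET_REGION" || echo "source-Region key: rejected before calling RDS"
fi
```

Swap `create_target_region_key` for `create_multi_region_key` in the `run` branch to use the multi-Region route; either way the ARN passed to RDS must carry the target Region, which is what `key_usable_in_region` enforces.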
-
Hello chris42356,
Thanks for your feedback.
Yes. With KMS’s new multi-region key support, this question is now obsolete.
We will be replacing this item with a new one.
Let me know if you have further questions.
Regards,
Carlo @ Tutorials Dojo