Home › Forums › AWS › AWS Certified Security – Specialty › CMKs and Cross Region Access › Reply To: CMKs and Cross Region Access
Hello sadiya931,
Thanks for the feedback.
I’ve tried performing this experiment. Based on what I’ve encountered, the statement “The CMK that you choose must be created in the same AWS Region as the Amazon S3 bucket that receives your log files” means that the CMK created in AWS KMS (for example, in N. Virginia) must be in the same region as the S3 bucket (N. Virginia) that will be used to store the logs. I’ve also tried creating a new S3 bucket (region: Singapore), and the CMK that I created in AWS KMS (N. Virginia) can’t be used for the S3 bucket in Singapore.
For your question, “how you can use the CMK across regions but also need the CMK and bucket to be in the same region”, I think the AWS Encryption SDK can help you. Based on the AWS documentation:
“For example, you can encrypt data under multiple AWS Key Management Service (AWS KMS) customer master keys (CMKs), each in a different AWS Region. Then you can copy the encrypted data to any of the regions and use the CMK in that region to decrypt it. You can also encrypt data under a CMK in AWS KMS and a master key in an on-premises HSM, enabling you to later decrypt the data even if one of the options is unavailable.”
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Gerome @ Tutorials Dojo