Question #846
A company is deploying a new API on AWS using Amazon API Gateway with a Regional endpoint and AWS Lambda. The API interacts with an external service, stores data in an Amazon DynamoDB global table, and retrieves data from it. The external service's API key is stored in AWS Secrets Manager, encrypted with a customer-managed KMS key. The API is currently deployed in a single Region. A solutions architect needs to modify the API components to support an active-active configuration across multiple Regions with minimal operational effort. Which combination of steps should be taken? (Choose three.)
A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 weighted routing policy.
B. Create a new KMS multi-Region customer managed key. Generate replica keys in each target Region using the multi-Region key.
C. Replicate the Secrets Manager secret to all target Regions. For each replicated secret, associate the corresponding KMS multi-Region replica key for that Region.
D. Use AWS-managed KMS keys in each Region. Convert the existing customer-managed key to a multi-Region key and apply it globally.
E. Create new Secrets Manager secrets manually in each Region. Copy the secret value from the original Region to each new secret.
F. Modify the Lambda function to use a global deployment template. Enable API Gateway's built-in multi-Region synchronization feature.
Explanation
To achieve an active-active configuration across multiple Regions, the compute layer (API Gateway plus Lambda) and the secret must exist in every Region, while the data layer already does: a DynamoDB global table replicates to each Region, so it needs no change.
- A is correct because deploying the Regional API Gateway endpoint and Lambda function in each Region, giving each a custom domain name (with an ACM certificate in that Region), and pointing Route 53 records for the same hostname at every Regional endpoint sends live traffic to all Regions at once, which is what active-active means. Weighted routing distributes the load; attaching Route 53 health checks to the records lets a failing Region be pulled out automatically. (Latency-based routing would also work; the point is that every Region serves traffic, not that weighted is the only valid policy.)
- B is correct because a multi-Region key and its replica keys share the same key ID (prefixed mrk-) and the same key material, so ciphertext produced in one Region decrypts in any Region that holds a replica. A new key has to be created because an existing single-Region key cannot be converted into a multi-Region key; the secret is then re-encrypted under the new key before it is replicated. Each Region's Lambda only needs kms:Decrypt on the replica key in its own Region.
- C is correct because Secrets Manager's built-in replication copies the secret to the target Regions and keeps the replicas in sync when the primary is updated or rotated. Each replica is created with the KMS key to use in its Region; choosing the multi-Region replica key there means the Lambda function in every Region reads the Region-local replica and decrypts locally, with no cross-Region call on the request path.
Why others are incorrect:
- D: The AWS managed key aws/secretsmanager is a separate single-Region key in each Region, so it cannot give Regions a shared key, and a customer managed key cannot be converted to multi-Region after creation; multi-Region support must be chosen when the key is created, which is why B creates a new key.
- E: Manually created secrets are independent copies. Rotation or updates in the original Region do not propagate to them, so they drift, and every change has to be repeated per Region. Secrets Manager replication does this automatically.
- F: API Gateway has no multi-Region synchronization feature and Lambda has no "global deployment template". Each Region gets its own API Gateway and Lambda deployment, typically from the same infrastructure-as-code template applied per Region.
Key Points:
1. Use Route 53 (weighted or latency-based records, with health checks) in front of per-Region Regional API endpoints for active-active traffic routing.
2. Multi-Region KMS keys share key ID and key material across Regions, so data encrypted in one Region decrypts in every Region with a replica key.
3. Secrets Manager replication automates copying and syncing the secret, with a Region-local KMS key (here, the multi-Region replica key) specified per replica.
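The three correct steps (B, C and the per-Region wiring that A relies on) translate into a short API call sequence, and the part that most often goes wrong is pointing a replica secret at the wrong key. The following is an added example, not part of the original question or of any AWS sample: it builds the parameter sets for kms.create_key, kms.replicate_key and secretsmanager.replicate_secret_to_regions from a primary multi-Region key ARN, then audits a describe_secret response to confirm that every replica is InSync and encrypted with a replica of the same multi-Region key that lives in the replica's own Region. All account IDs, ARNs, Region names and the sample describe_secret response are constructed values, so it runs offline; wiring the returned parameter dicts into real boto3 clients is left to the reader.

```python
"""Plan and audit Secrets Manager cross-Region replication backed by a KMS
multi-Region key. Added example; every ARN, account ID, Region and status
message below is a constructed sample value, not taken from the question."""
import re
from typing import Optional

# arn:aws:kms:<region>:<account>:key/<key-id>. Multi-Region key IDs start with
# "mrk-" and are shared by the primary key and all of its replicas, so a
# replica key's ARN differs from the primary's only in the Region field.
KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[^/]+)$"
)
MRK_ID = re.compile(r"^mrk-[0-9a-f]{32}$")


def parse_key_arn(arn: str) -> Optional[dict]:
    m = KEY_ARN.match(arn or "")
    return m.groupdict() if m else None


def replica_key_arn(primary_key_arn: str, region: str) -> str:
    """ARN the replica of a multi-Region key has in `region` (same account, same key ID)."""
    p = parse_key_arn(primary_key_arn)
    if p is None or not MRK_ID.match(p["key_id"]):
        raise ValueError("primary key must be a multi-Region key ARN (key ID starts with mrk-)")
    return f"arn:aws:kms:{region}:{p['account']}:key/{p['key_id']}"


def plan_replication(primary_key_arn: str, secret_id: str, target_regions: list) -> dict:
    """Parameter sets for the API calls, in order. kms.create_key is only needed
    when the multi-Region key does not exist yet (a single-Region key cannot be
    converted); kms.replicate_key runs once per target Region against the
    primary Region's KMS client; secretsmanager.replicate_secret_to_regions
    runs once, naming the Region-local replica key for each replica."""
    replica_arns = {r: replica_key_arn(primary_key_arn, r) for r in target_regions}  # validates the key
    key_id = parse_key_arn(primary_key_arn)["key_id"]
    return {
        "kms.create_key": {"MultiRegion": True, "Description": "external service API key (Secrets Manager)"},
        "kms.replicate_key": [{"KeyId": key_id, "ReplicaRegion": r} for r in target_regions],
        "secretsmanager.replicate_secret_to_regions": {
            "SecretId": secret_id,
            "AddReplicaRegions": [{"Region": r, "KmsKeyId": arn} for r, arn in replica_arns.items()],
        },
    }


def audit_replication(describe_secret: dict) -> dict:
    """Findings per replica Region from a describe_secret response. An empty list
    means the replica is InSync and encrypted with the same multi-Region key,
    through the replica key that lives in the replica's own Region."""
    primary = parse_key_arn(describe_secret.get("KmsKeyId", ""))
    findings = {}
    for rep in describe_secret.get("ReplicationStatus", []):
        region, issues = rep["Region"], []
        if rep.get("Status") != "InSync":
            msg = rep.get("StatusMessage")
            issues.append(f"status {rep.get('Status')}" + (f": {msg}" if msg else ""))
        key = rep.get("KmsKeyId")
        if not key:
            # No key on the replica means the AWS managed key aws/secretsmanager,
            # which is a different single-Region key in every Region (option D).
            issues.append("no customer managed key; replica uses the AWS managed key aws/secretsmanager")
        else:
            k = parse_key_arn(key) or {"region": region, "key_id": key}  # bare key ID: no Region to check
            if not MRK_ID.match(k["key_id"]):
                issues.append("replica encrypted with a single-Region key (not mrk-)")
            elif primary and k["key_id"] != primary["key_id"]:
                issues.append("replica key ID differs from the primary secret's key")
            if k["region"] != region:
                issues.append(f"replica key ARN is in {k['region']}, not {region}")
        findings[region] = issues
    return findings


ACCOUNT = "123456789012"  # constructed
MRK = "mrk-1234567890abcdef1234567890abcdef"  # constructed multi-Region key ID
PRIMARY_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{MRK}"

# Constructed describe_secret response: one healthy replica and three misconfigured ones.
SAMPLE_DESCRIBE_SECRET = {
    "Name": "external/api-key",
    "PrimaryRegion": "us-east-1",
    "KmsKeyId": PRIMARY_KEY,
    "ReplicationStatus": [
        {"Region": "eu-west-1", "KmsKeyId": f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/{MRK}", "Status": "InSync"},
        {"Region": "ap-southeast-2", "Status": "InSync",  # single-Region key, cannot share material
         "KmsKeyId": f"arn:aws:kms:ap-southeast-2:{ACCOUNT}:key/9f2a3b4c-1d2e-4f5a-8b6c-7d8e9f0a1b2c"},
        {"Region": "us-west-2", "KmsKeyId": f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/{MRK}",  # wrong Region's replica
         "Status": "Failed", "StatusMessage": "replication failed (constructed sample message)"},
        {"Region": "ca-central-1", "Status": "InSync"},  # fell back to aws/secretsmanager
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_replication(PRIMARY_KEY, "external/api-key", ["eu-west-1", "ap-southeast-2"]), indent=2))
    for region, issues in audit_replication(SAMPLE_DESCRIBE_SECRET).items():
        print(region, "OK" if not issues else "; ".join(issues))
```

Run it as-is to see the planned calls and the audit of the constructed response; in a real account, feed audit_replication the output of `aws secretsmanager describe-secret` for the replicated secret. The audit deliberately treats a missing KmsKeyId as a finding: a replica created without a key silently falls back to the AWS managed key, which works for that Region's Lambda but defeats the shared customer managed key the question requires.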
Answer
The correct answer is: A, B, C