AWS Certified Solutions Architect - Professional / Question #1024 of 529

Question #1024

A company uses AWS KMS to encrypt sensitive data stored in Amazon DynamoDB global tables. The application must encrypt data before writing to the tables and decrypt it when reading. Company policies mandate that the same encryption key must be used across all AWS Regions where the global tables are replicated. The solution must ensure that the application can encrypt and decrypt data in each Region without additional overhead.

Which solution meets these requirements?

A

Create a KMS multi-Region primary key and replica keys in each additional Region. Configure the application to use the replica key in each Region.

B

Create a separate customer-managed KMS key in each Region and update the application to use the local key.

C

Use AWS Secrets Manager to store the KMS key material and retrieve it in each Region.

D

Export the KMS key material from the primary Region and store it in AWS Systems Manager Parameter Store in each Region. Update the application to retrieve the key material.

Explanation

Answer A is correct because AWS KMS multi-Region keys are designed for scenarios requiring the same encryption key material across multiple Regions. A multi-Region primary key is created in one Region, and replica keys are created in other Regions. These replicas share the same key material and metadata as the primary key, allowing data encrypted in one Region to be decrypted in another. By configuring the application to use the local replica key in each Region, the solution ensures compliance with the policy (same key used globally) and avoids cross-Region API calls, reducing latency and complexity.

Other options are incorrect:
- B: Separate keys per Region violate the requirement to use the same key globally.
- C: Secrets Manager is not designed to store KMS key material, and retrieving keys dynamically adds overhead.
- D: Exporting KMS key material is only possible with custom keys (not standard KMS keys), and storing it in Parameter Store introduces security risks and manual management.

Key Points:
1. KMS multi-Region keys enable cross-Region encryption/decryption with replica keys.
2. Replica keys eliminate the need for cross-Region KMS calls.
3. Multi-Region keys maintain cryptographic linkage, ensuring data encrypted in one Region can be decrypted in another.
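A short script illustrating the mechanism behind answer A (an added example, not part of the original question or its explanation): because a multi-Region primary key and its replicas share one key ID (prefixed `mrk-`), the replica's ARN differs from the primary's only in the Region field, so an application can encrypt with the primary in one Region and decrypt with the local replica in another without any cross-Region call. The key ARN and account ID below are constructed placeholders; the live `encrypt`/`decrypt` calls assume AWS credentials and an existing multi-Region key with replicas in the Regions named, and `replica_key_arn`, `parse_key_arn` and the other function names are this example's own.

```python
"""Encrypt with a KMS multi-Region primary key, decrypt with its replica.

Added example: the ARN-derivation helpers run offline; the KMS calls need
AWS credentials plus a real multi-Region key (the ARN below is constructed).
"""
import re

try:
    import boto3  # only required for the live KMS Encrypt/Decrypt calls
except ImportError:  # pragma: no cover - keeps the helpers usable without boto3
    boto3 = None

# Constructed placeholder ARN of a multi-Region primary key (fake account id).
PRIMARY_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
)

_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[A-Za-z0-9-]+)$"
)


def parse_key_arn(arn: str):
    """Split a KMS key ARN into (region, account, key_id)."""
    match = _ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return match.group("region"), match.group("account"), match.group("key_id")


def is_multi_region_key(arn: str) -> bool:
    """Multi-Region key IDs start with 'mrk-'; single-Region key IDs are plain UUIDs."""
    return parse_key_arn(arn)[2].startswith("mrk-")


def replica_key_arn(primary_arn: str, replica_region: str) -> str:
    """Derive a replica's ARN: same account and key ID, only the Region changes."""
    _, account, key_id = parse_key_arn(primary_arn)
    if not key_id.startswith("mrk-"):
        raise ValueError("only multi-Region (mrk-) keys have replicas sharing the key ID")
    return f"arn:aws:kms:{replica_region}:{account}:key/{key_id}"


def encrypt_in_region(key_arn: str, plaintext: bytes, context: dict) -> bytes:
    """Encrypt with the KMS endpoint of the key's own Region (no cross-Region call)."""
    region = parse_key_arn(key_arn)[0]
    kms = boto3.client("kms", region_name=region)
    resp = kms.encrypt(KeyId=key_arn, Plaintext=plaintext, EncryptionContext=context)
    return resp["CiphertextBlob"]


def decrypt_in_region(key_arn: str, ciphertext: bytes, context: dict) -> bytes:
    """Decrypt with the local replica; pinning KeyId rejects ciphertext from other keys."""
    region = parse_key_arn(key_arn)[0]
    kms = boto3.client("kms", region_name=region)
    resp = kms.decrypt(
        KeyId=key_arn, CiphertextBlob=ciphertext, EncryptionContext=context
    )
    return resp["Plaintext"]


if __name__ == "__main__":
    # Binding the ciphertext to the table and item is good practice with any KMS key.
    ctx = {"table": "orders", "field": "card_token"}  # constructed sample context
    replica = replica_key_arn(PRIMARY_KEY_ARN, "eu-west-1")
    print("primary:", PRIMARY_KEY_ARN)
    print("replica:", replica)
    if boto3 is None:
        print("boto3 not installed; skipping live KMS round trip")
    else:
        blob = encrypt_in_region(PRIMARY_KEY_ARN, b"tok_4242", ctx)   # us-east-1
        assert decrypt_in_region(replica, blob, ctx) == b"tok_4242"  # eu-west-1
        print("round trip through the replica succeeded")
```

The round trip works because the ciphertext carries the shared `mrk-` key ID, which the replica Region's KMS resolves to its local replica. Two caveats to keep in mind: each replica is a separate KMS resource with its own key policy, grants and aliases, so the application principal in every Region needs `kms:Encrypt` and `kms:Decrypt` on the local replica; and automatic rotation is configured on the primary key and propagated to the replicas, not set per replica.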

Answer

The correct answer is: A