🔥 3-day streak
AWS Certified Security - Specialty116 / 184
Question 116 of 184

A company runs an application in us-east-1 that encrypts customer records with an AWS KMS customer managed key. For disaster recovery, they replicate the encrypted data to an S3 bucket in eu-west-1 using S3 Cross-Region Replication. During a DR test, the application in eu-west-1 fails to decrypt the replicated objects. The security team confirms IAM permissions and the KMS key policy grant decrypt to the application role. What is the MOST appropriate solution to allow decryption in eu-west-1 while maintaining a single cryptographic key material?

Reviewed for accuracy · Report an issueNext question