Q49 — AWS DVA-C02 Ch.3
A company hosts its application in the us-west-1 Region. The company wants to add redundancy in the us-east-1 Region. Application secrets are stored in AWS Secrets Manager in us-west-1. Developers need to replicate these secrets to us-east-1. Which solution satisfies this requirement?
- A. Configure replication for each secret. Add us-east-1 as a replica region. Select an AWS Key Management Service (AWS KMS) key located in us-east-1 to encrypt the replicated secret. ✓
- B. Create a new secret in us-east-1 for each secret. Configure replication in us-east-1. Set the source to the corresponding secret in us-west-1. Select an AWS KMS key located in us-west-1 to encrypt the replicated secret.
- C. Create a replication rule for each secret. Set us-east-1 as the target region. Configure the rule to run during secret rotation. Select an AWS KMS key located in us-east-1 to encrypt the replicated secret.
- D. Create a Secrets Manager lifecycle rule to copy each secret to a new Amazon S3 bucket in us-west-1. Configure an S3 replication rule to copy the secrets to us-east-1.
Correct Answer: A. Configure replication for each secret. Add us-east-1 as a replica region. Select an AWS Key Management Service (AWS KMS) key located in us-east-1 to encrypt the replicated secret.
Explanation
AWS Secrets Manager supports native cross-region secret replication. Option A correctly describes this: enabling replication per secret, specifying us-east-1 as the replica region, and selecting a KMS key in us-east-1 to encrypt the replica. This keeps the replica encrypted with a key in its own Region and keeps it automatically synchronized with the primary secret. Option B incorrectly specifies a us-west-1 KMS key to encrypt the replica in us-east-1, which is invalid because KMS keys are region-specific. Option C misrepresents replication as rule-based and tied to rotation; there is no such native feature, and replication is configured directly on the secret. Option D misuses S3 and lifecycle rules: Secrets Manager secrets are not stored in S3 and cannot be replicated through S3 mechanisms.