Q46 — AWS SCS-C02 Ch.1
A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources. The company needs to replicate its workloads and infrastructure to the us-west-1 Region. A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available. The security engineer uses Secrets Manager to create the secrets in us-east-1. What should the security engineer do next to meet the requirements?
- A. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.  
- B. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.  
- C. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.  
- D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1. ✓
Correct Answer: D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.
Explanation
In a scenario that replicates AWS Secrets Manager secrets across Regions with KMS encryption, the key point is to use a customer managed key (CMK) and enable multi-Region keys. AWS documentation states that, to support cross-Region access while maintaining high availability, the same CMK must be used in a multi-Region configuration. Option D replicates the secrets to the target Region and uses the CMK from the source Region, so each Region can decrypt its copy of the secrets independently. Options B and C depend on cross-Region calls to the us-east-1 endpoint and therefore cannot satisfy the requirement to keep working when only one Region is available; option A uses different keys in each Region, which leads to decryption failures. Option D satisfies the multi-Region key and local replication requirements and provides low latency and fault tolerance. Answer: D