Question 12: You have a very sensitive as well as critical data which needs to be used across various applications which are hosted in different AWS regions. Data is sensitive so you want them to be always encrypted, and only application can decrypt the data. Which of the following can be possible in the given requirement?

1. You will be copying this data in one of S3 bucket and encrypt the entire S3 bucket.
2. You will be copying this data in all the regions where the application hosted and cache the data key as part of application to encrypt and decrypt the data.
3. You will have only one copy of the data in one region and application hosted in different region can access this data as well as KMS to decrypt the data.
4. You will create separate bucket in each region and copy data in this bucket and encrypt the entire bucket in each region. Application will cache the pain text data keys.

Correct Answer : B

Detailed Explanation: This question may not be looking for ideal solution, but what can be possible with the KMS and encrypted data. First note that you cannot encrypt entire S3 bucket rather only data in the bucket can be encrypted. So it is quite easy to discard both option 1 and 4. KMS keys are account and region specific, so that they cannot be accessed across the region. Only option remain in 2^nd one and this is correct as well. You can copy encrypted data across the region and cache the data keys in application so that they can be used to do cryptographic operations like encryption and decryption.

Read this: There is an alternate way as well rather than using KMS as a key storage, you can use S3 bucket for storing your keys.