
Hello, one question in the Quiz for Infrastructure Security asks about cross-region CMK access, as below:
You have created a customer managed CMK in us-east-1 region and would like to use it to encrypt data located in eu-west-1, how can you achieve this?
The answer for the above states that "This is not possible, a CMK can only be used in the region in which it was created", but the AWS KMS document at the link below states that "KMS key are region specific, which means that the keys are tied to a region, which is very similar to S3. But it can be accessed for encrypt and decrypt function in any region".
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
"Additionally, envelope encryption can help to design your application for disaster recovery. You can move your encrypted data as-is between Regions and only have to reencrypt the data keys with the Region-specific CMKs."
Please help me out. I understand that KMS keys are region specific, but that doesn't mean we can't access them through other regions for encrypt and decrypt functions. Can someone give me a brief understanding of the differences?
1 Answer

I’m going to test this in my own account and get back to you! Watch this space ;o)

Hi Faye, any update on this?
If the data is already encrypted and moved to a different region, you have your encrypted data key with it. How are you planning to decrypt the data there without the original CMK? Remember that you can't export a CMK from KMS.
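The envelope-encryption pattern quoted from the whitepaper above, and the point made in the last answer (an encrypted data key is useless in a region whose KMS does not hold the CMK that wrapped it), can be shown end to end with a small simulation. The code below is an added example written for this thread; it is not code from the quiz, the whitepaper or AWS. `RegionalKms` is a constructed stand-in for a regional KMS endpoint (its master key is held in memory and never returned, mirroring a non-exportable CMK), and the HMAC-based `_seal`/`_open` helpers are a toy authenticated-encryption construction standing in for the AES-based algorithms real KMS uses. The method names `generate_data_key`, `encrypt`, `decrypt` and `rewrap_for_region` are assumptions chosen for readability, not the boto3 API.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream derived with HMAC-SHA256 (illustration only, not AES)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> dict:
    """Encrypt-then-MAC; `aad` is bound into the tag but not encrypted."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _open(key: bytes, box: dict, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; a wrong key fails here, never silently."""
    tag = hmac.new(key, aad + box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(box["ct"], _keystream(key, box["nonce"], len(box["ct"]))))


class RegionalKms:
    """Constructed stand-in for one region's KMS. The CMK never leaves this object."""

    def __init__(self, region: str):
        self.region = region
        self._cmk = secrets.token_bytes(32)  # hypothetical key material, not exportable

    def generate_data_key(self):
        """Return a fresh plaintext data key plus the same key wrapped under this region's CMK."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(data_key)

    def encrypt(self, plaintext: bytes) -> dict:
        box = _seal(self._cmk, plaintext, aad=self.region.encode())
        box["region"] = self.region  # the wrapped blob records which CMK/region produced it
        return box

    def decrypt(self, box: dict) -> bytes:
        if box["region"] != self.region:
            raise ValueError(f"ciphertext was wrapped in {box['region']}, not {self.region}")
        return _open(self._cmk, box, aad=self.region.encode())


def encrypt_object(kms: RegionalKms, plaintext: bytes) -> dict:
    """Envelope encryption: body under a data key, data key under the regional CMK."""
    data_key, wrapped_key = kms.generate_data_key()
    body = _seal(data_key, plaintext)
    del data_key  # plaintext data key is discarded once the body is sealed
    return {"wrapped_key": wrapped_key, "body": body}


def decrypt_object(kms: RegionalKms, obj: dict) -> bytes:
    data_key = kms.decrypt(obj["wrapped_key"])
    return _open(data_key, obj["body"])


def rewrap_for_region(src: RegionalKms, dst: RegionalKms, obj: dict) -> dict:
    """Cross-region move: unwrap the small data key with the source CMK and re-wrap it with
    the destination CMK. The bulk ciphertext body is copied as-is and never re-encrypted."""
    data_key = src.decrypt(obj["wrapped_key"])
    return {"wrapped_key": dst.encrypt(data_key), "body": obj["body"]}


def demo() -> dict:
    us = RegionalKms("us-east-1")
    eu = RegionalKms("eu-west-1")
    obj = encrypt_object(us, b"customer record #42")
    # Copying the object to eu-west-1 unchanged leaves it unreadable: eu-west-1's KMS
    # has its own CMK and cannot unwrap a data key wrapped in us-east-1.
    try:
        decrypt_object(eu, obj)
        unreadable_in_eu = False
    except ValueError:
        unreadable_in_eu = True
    moved = rewrap_for_region(us, eu, obj)
    return {
        "unreadable_in_eu": unreadable_in_eu,
        "body_unchanged": moved["body"] == obj["body"],
        "eu_plaintext": decrypt_object(eu, moved),
    }


if __name__ == "__main__":
    print(demo())
```

The `rewrap_for_region` step is the part of the disaster-recovery design the whitepaper quote describes: only the wrapped data key (a few dozen bytes) is touched during the move, while the encrypted payload is copied unchanged. The `unreadable_in_eu` branch is the situation the last answer raises, in which the copied data key is still wrapped under a CMK that the destination region's KMS does not hold.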