Certified Security - Specialty


How is CRR enabled for SSE-KMS encrypted objects?

The lecture does not provide the details on how to enable replication of SSE-KMS encrypted objects… how is this done, and can it be done across accounts as well?

c_pember

It’s a checkbox in the management console, part of the JSON in a CLI command (https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-replication.html), and part of whatever SDK you are using.

c_pember

I imagine it could be done cross-account as long as you give them access to use the key.

jlalcazar

You need to create or use a KMS key in the source bucket's region, select the key under the option "Replicate objects encrypted with AWS KMS", and finally allow the replication role to use that key for the replication process.

jlalcazar

For cross-account replication you will need to select the account and bucket in the "Destination bucket" fields, and ensure your replication role can write to the destination bucket, with an S3 bucket policy if it has not already been created by AWS.
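To make the pieces named in these replies concrete (the `put-bucket-replication` JSON c_pember points to, and the KMS key selection plus role permissions jlalcazar describes), here is an added example that is not part of the thread or of any AWS tooling. It builds the replication configuration document, the KMS statements the replication role needs, and a small checker that flags the parts people most often leave out when turning an ordinary CRR rule into one that also replicates SSE-KMS objects. All account IDs, bucket names, role and key ARNs are constructed placeholders; the field names (`SourceSelectionCriteria.SseKmsEncryptedObjects`, `Destination.EncryptionConfiguration.ReplicaKmsKeyID`, `Destination.Account`, `AccessControlTranslation`) are the ones the S3 replication API uses.

```python
"""Build and sanity-check an S3 replication configuration for SSE-KMS objects.
Added example; every account ID, ARN, bucket and key below is a constructed placeholder."""
import copy
import fnmatch

SOURCE_ACCOUNT, DEST_ACCOUNT = "111111111111", "222222222222"          # constructed
SOURCE_REGION, DEST_REGION = "us-east-1", "us-west-2"
SOURCE_KEY_ARN = f"arn:aws:kms:{SOURCE_REGION}:{SOURCE_ACCOUNT}:key/11111111-aaaa-bbbb-cccc-000000000001"
DEST_KEY_ARN = f"arn:aws:kms:{DEST_REGION}:{DEST_ACCOUNT}:key/22222222-aaaa-bbbb-cccc-000000000002"
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/s3-crr-role"
SOURCE_BUCKET, DEST_BUCKET = "example-source-bucket", "example-replica-bucket"


def replication_config(role_arn, dest_bucket, dest_account, replica_key_arn):
    """ReplicationConfiguration document as passed to `aws s3api put-bucket-replication`."""
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "replicate-sse-kms", "Status": "Enabled", "Priority": 1,
            "Filter": {"Prefix": ""},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            # Without this opt-in S3 skips SSE-KMS encrypted objects entirely.
            "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dest_bucket}",
                "Account": dest_account,                              # cross-account target
                "AccessControlTranslation": {"Owner": "Destination"},  # replicas owned by dest account
                # Replicas are re-encrypted with a key that lives in the destination region.
                "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_key_arn},
            },
        }],
    }


def replication_role_kms_policy(source_key_arn, replica_key_arn, source_bucket, dest_bucket):
    """IAM statements the replication role needs on the two keys, pinned to S3 and these buckets."""
    def stmt(action, key_arn, region, bucket):
        return {"Effect": "Allow", "Action": [action], "Resource": [key_arn],
                "Condition": {"StringLike": {
                    "kms:ViaService": f"s3.{region}.amazonaws.com",
                    "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket}/*"}}}
    return {"Version": "2012-10-17", "Statement": [
        stmt("kms:Decrypt", source_key_arn, SOURCE_REGION, source_bucket),   # read source objects
        stmt("kms:Encrypt", replica_key_arn, DEST_REGION, dest_bucket),      # write replicas
    ]}


def _allows(policy, action, resource):
    """True if some Allow statement grants `action` on `resource` (IAM wildcards honoured)."""
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        acts, res = s.get("Action", []), s.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if any(fnmatch.fnmatchcase(action, a) for a in acts) and \
           any(fnmatch.fnmatchcase(resource, r) for r in res):
            return True
    return False


def check_kms_replication(config, role_policy, source_key_arn):
    """Return findings for a config/role pair; an empty list means SSE-KMS replication is complete."""
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<no id>")
        if rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {}).get("Status") != "Enabled":
            findings.append(f"{rid}: SseKmsEncryptedObjects not Enabled; SSE-KMS objects will be skipped")
        dest = rule.get("Destination", {})
        replica_key = dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if not replica_key:
            findings.append(f"{rid}: no ReplicaKmsKeyID; replicas cannot be written with SSE-KMS")
        elif not _allows(role_policy, "kms:Encrypt", replica_key):
            findings.append(f"{rid}: role lacks kms:Encrypt on {replica_key}")
        if dest.get("Account") and not dest.get("AccessControlTranslation"):
            findings.append(f"{rid}: cross-account destination without AccessControlTranslation")
    if not _allows(role_policy, "kms:Decrypt", source_key_arn):
        findings.append(f"role lacks kms:Decrypt on source key {source_key_arn}")
    return findings


def demo():
    """Compare a complete configuration with a plain CRR rule that forgot the KMS parts."""
    good_cfg = replication_config(ROLE_ARN, DEST_BUCKET, DEST_ACCOUNT, DEST_KEY_ARN)
    policy = replication_role_kms_policy(SOURCE_KEY_ARN, DEST_KEY_ARN, SOURCE_BUCKET, DEST_BUCKET)
    bad_cfg = copy.deepcopy(good_cfg)
    del bad_cfg["Rules"][0]["SourceSelectionCriteria"]
    del bad_cfg["Rules"][0]["Destination"]["EncryptionConfiguration"]
    return {"good": check_kms_replication(good_cfg, policy, SOURCE_KEY_ARN),
            "bad": check_kms_replication(bad_cfg, policy, SOURCE_KEY_ARN)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The role's identity policy is only half of the grant: because the replica key sits in the destination account, that key's own key policy must also allow the role principal `kms:Encrypt` (this is the "give them access to use the key" from the first reply), and the destination bucket policy must let the role replicate objects, as the last reply notes. The checker only inspects what it is handed, so run it on the deployed replication configuration and role policy rather than on the documents you intended to deploy.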
