Certified Security - Specialty


Not a question, but a correction to the slide. Error: you just mentioned that SSE-KMS is contradicted.

Detailing what the AWS doc means. It means that if in the src bucket you specify SSE-KMS, i.e. you define the ARN of a key, then in the destination bucket you have to define an ARN of the key as well. Since keys are regional and S3 will not be able to make a DataKey API call to that region if there is no key, it has to be defined. Hope it helps and you update the slide.

CJ Thrasher

I will add that I asked an AWS engineer about this and was told that S3 decrypts the file in the source region and re-encrypts the file in the destination region using the key specified from the destination region.


If that’s true, how will it know what key to use for encrypting the object at the destination? What if I’m using a CMK at src, will it just use the default KMS then?


I have tried this and it seems to work as CJ described. It decrypts using the encryption key specified for the source region and re-encrypts using another key you specify at the destination region. The keys have to be in the regions that the buckets reside in. I created a key in the source region and used that key when specifying encryption on the source bucket. I created a second key in the destination bucket’s region and specified that key for the encryption on the replicated bucket.
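
The setup described in the comment above, as an added example that is not part of the original thread: a Python sketch that builds the replication rule (in the shape boto3's `put_bucket_replication` accepts as `ReplicationConfiguration`) with an explicit destination-region key, and rejects a replica key whose ARN region differs from the destination bucket's region. The account ID, bucket name, role and key ARNs are constructed placeholders.

```python
# Added example: every ARN, account ID and bucket name below is a constructed placeholder.

def kms_key_region(key_arn: str) -> str:
    """Return the region field of a KMS key ARN (arn:aws:kms:<region>:<account>:key/<id>)."""
    parts = key_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" \
            or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    return parts[3]


def build_replication_config(role_arn, dest_bucket, dest_region, replica_key_arn):
    """Build an S3 ReplicationConfiguration that replicates SSE-KMS objects.

    Refuses a replica key that is not in the destination bucket's region,
    since KMS keys are regional.
    """
    key_region = kms_key_region(replica_key_arn)
    if key_region != dest_region:
        raise ValueError(
            f"replica key is in {key_region}, destination bucket is in {dest_region}"
        )
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "replicate-sse-kms",
            "Priority": 1,
            "Status": "Enabled",
            "Filter": {},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            # Opt in to replicating objects that are SSE-KMS encrypted at the source.
            "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dest_bucket}",
                # Key used to re-encrypt the replicas; it lives in the destination region.
                "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_key_arn},
            },
        }],
    }


ROLE = "arn:aws:iam::111122223333:role/example-replication-role"
SRC_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"
DEST_KEY = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000002"

if __name__ == "__main__":
    import json
    cfg = build_replication_config(ROLE, "example-dest-bucket", "us-west-2", DEST_KEY)
    print(json.dumps(cfg, indent=2))
```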

1 Answer

I haven’t tried this particular scenario myself, but I have used shared RDS snapshots using AWS KMS. In a nutshell, you can specify what KMS key you want to use (tip: you need to use one other than the default), and once you have done that, you can share it with another account. Obviously, you will need to share that KMS key with the other account, and I would assume that works.
