Background - I am trying to set up Cross-Region Replication for one of our buckets. Our bucket is currently encrypted via a KMS CMK (customer-managed key). We know that AWS KMS is region-specific.

I have been able to replicate the unencrypted objects without any issues.

Question - Will the objects in the destination bucket be decrypted when the (encrypted) objects are replicated across to the destination bucket, which at the moment is not encrypted? Because we know the CMK is not going to be available in the destination region.

1 Answer

The S3 service where you are replicating from will need to decrypt the data key using the CMK for that region and then construct a new envelope using the CMK of the destination region. There is no need to decrypt the actual data.

If you are replicating across accounts, then the source account needs access to encrypt using the destination account's CMK, but the destination account doesn't require access to decrypt using the source account's CMK. This shows that the S3 service where the source bucket is located is the one constructing the new envelope prior to replication - which is both the logical and the secure way of doing it. (https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replication-kms-cross-acct-scenario)

So in transit, the replicated objects are encrypted using both TLS and KMS.

(Disclosure: I am employed by AWS)
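For the re-wrapping described in the answer to happen at all, the replication rule has to opt in to SSE-KMS objects and name a replica key that lives in the destination region. The following is an added example (not code from the answer or from AWS): it builds that rule in the shape boto3's put_bucket_replication expects and lints it for the mistake the question worries about, a replica key from the wrong region. The role and key ARNs are constructed placeholders.

```python
import re

# Matches a KMS key ARN and captures the region the key lives in.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/.+$")


def replication_config(role_arn, dest_bucket, replica_key_arn, prefix=""):
    """Replication rule that replicates SSE-KMS objects and has S3 re-wrap
    each object's data key under replica_key_arn (a key in the destination region)."""
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "kms-crr",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {"Prefix": prefix},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            # Without this, objects encrypted with SSE-KMS are silently skipped.
            "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dest_bucket}",
                # Key used for the new envelope; the source CMK is never usable here.
                "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_key_arn},
            },
        }],
    }


def lint_replication_config(cfg, dest_region):
    """Return a list of problems. An empty list means every rule can replicate
    SSE-KMS objects and re-encrypts them with a key in dest_region."""
    problems = []
    for rule in cfg.get("Rules", []):
        rid = rule.get("ID", "<no id>")
        kms_sel = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        if kms_sel.get("Status") != "Enabled":
            problems.append(f"{rid}: SseKmsEncryptedObjects not enabled; SSE-KMS objects are skipped")
        key = rule.get("Destination", {}).get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if not key:
            problems.append(f"{rid}: no ReplicaKmsKeyID; S3 cannot build a new envelope for replicas")
            continue
        m = KMS_KEY_ARN.match(key)
        if not m:
            problems.append(f"{rid}: ReplicaKmsKeyID is not a KMS key ARN: {key}")
        elif m.group("region") != dest_region:
            problems.append(f"{rid}: replica key is in {m.group('region')}, bucket is in {dest_region}")
    return problems
```

The replication role still needs kms:Decrypt on the source key and kms:Encrypt on the replica key, as the linked documentation describes; the lint only covers the bucket-side rule.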