Exam SCS-C03 Topic 1 Question 21 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 21
Topic #: 1
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.
What should the company do to properly encrypt the snapshot in us-west-1?

Suggested Answer: B

AWS KMS keys are strictly regional resources. According to AWS Certified Security - Specialty documentation, a KMS key created in one Region cannot be used to encrypt or decrypt data in another Region. This includes encrypted RDS and Aurora snapshots.
When copying an encrypted snapshot to a different Region, the destination Region must have its own KMS key. AWS automatically re-encrypts the snapshot using the specified KMS key in the destination Region during the copy operation.
Options C and D are invalid because IAM policies cannot extend a KMS key's scope across Regions. Option A is incorrect because Secrets Manager does not store or manage KMS keys themselves.
AWS best practices require creating a new customer managed key in the target Region and using it during the snapshot copy process.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS KMS Regional Key Limitations
Amazon RDS Encrypted Snapshot Copy

by Lilith at Jan 17, 2026, 03:44 AM
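
The copy described above, as an added example that is not part of the original answer or of AWS documentation: a pre-flight check that refuses a KMS key outside the destination Region and otherwise prints the `aws rds copy-db-cluster-snapshot` command to run. The helper names `arn_field` and `copy_cmd`, the account ID, the ARNs and the snapshot names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for copying an encrypted Aurora cluster snapshot to
# another Region. Account ID, ARNs and names are constructed samples.
# The destination key would be created first, for example:
#   aws kms create-key --region us-west-1 --description "Aurora snapshot copies"

# arn_field ARN N: print the Nth colon-separated ARN field
# (3 = service, 4 = Region).
arn_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# copy_cmd SNAPSHOT_ARN DEST_REGION TARGET_ID KEY_ARN (hypothetical helper)
# Prints the copy command; returns 1 if the key cannot encrypt the copy.
copy_cmd() {
    snap_arn=$1
    dest_region=$2
    target_id=$3
    key_arn=$4
    src_region=$(arn_field "$snap_arn" 4)
    key_region=$(arn_field "$key_arn" 4)

    if [ "$(arn_field "$snap_arn" 3)" != "rds" ] ||
       [ "$(arn_field "$key_arn" 3)" != "kms" ]; then
        echo "error: need an RDS snapshot ARN and a KMS key ARN" >&2
        return 1
    fi
    # The copy is encrypted in the destination Region, so the key must
    # live there; the source Region's key is rejected here.
    if [ "$key_region" != "$dest_region" ]; then
        echo "error: key is in '$key_region', copy targets '$dest_region'" >&2
        return 1
    fi

    printf 'aws rds copy-db-cluster-snapshot --region %s --source-region %s' \
        "$dest_region" "$src_region"
    printf ' --source-db-cluster-snapshot-identifier %s' "$snap_arn"
    printf ' --target-db-cluster-snapshot-identifier %s' "$target_id"
    printf ' --kms-key-id %s\n' "$key_arn"
}

# Constructed sample values; this only prints the command, it does not run it.
SNAP=arn:aws:rds:us-east-1:111122223333:cluster-snapshot:aurora-snap
WEST_KEY=arn:aws:kms:us-west-1:111122223333:key/00000000-0000-0000-0000-000000000000
copy_cmd "$SNAP" us-west-1 aurora-snap-west "$WEST_KEY"
```

The printed command is issued against the destination Region (`--region`), and `--source-region` tells the AWS CLI where the source snapshot lives.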
