AWS Certified Big Data - Specialty Exam: Redshift Cluster Encryption and Region Migration

Question

You currently have a Redshift cluster which is using a KMS key for encryption in a region.

You now need to ensure that the cluster can be moved to another region.

Which of the following steps would you put as part of the implementation?

Choose 2 answers from the options given below.

Answers

Explanations

A. B. C. D.

Answer - B and C.

The AWS Documentation mentions the following.

When you launch an Amazon Redshift cluster, you can choose to encrypt it with a master key from the AWS Key Management Service (AWS KMS).

AWS KMS keys are specific to a region.

If you want to enable cross-region snapshot copy for an AWS KMS-encrypted cluster, you must configure a snapshot copy grant for a master key in the destination region so that Amazon Redshift can perform encryption operations in the destination region.

The following procedure describes the process of enabling cross-region snapshot copy for an AWS KMS-encrypted cluster.

Since this is clearly mentioned in the AWS documentation, the other options are invalid.

For more information on using snapshot copy with KMS keys, refer to the URL below.

https://docs.aws.amazon.com/redshift/latest/mgmt/managing-snapshots-console.html#xregioncopy-kms-encrypted-snapshot
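The snapshot copy grant requirement quoted above can be checked against a cluster's configuration. The following is an added example, not taken from the AWS documentation or this page: it assumes input dictionaries shaped like the Redshift DescribeClusters and DescribeSnapshotCopyGrants responses, assumes the grant's `KmsKeyId` is a full key ARN, and uses constructed sample values with placeholder key ids.

```python
# Added example: audit cross-region snapshot copy settings for a KMS-encrypted cluster.
# Input dicts mirror the Redshift DescribeClusters / DescribeSnapshotCopyGrants shapes
# (an assumption of this example); all sample values below are constructed.

def kms_arn_region(key_id):
    """Return the region of a KMS key ARN, or None if key_id is not a full ARN."""
    parts = key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[3]
    return None

def audit_snapshot_copy(cluster, dest_region_grants):
    """Return a list of findings; an empty list means the grant setup is consistent."""
    if not cluster.get("Encrypted"):
        return []  # unencrypted clusters do not need a snapshot copy grant
    status = cluster.get("ClusterSnapshotCopyStatus")
    if not status:
        return ["cross-region snapshot copy is not enabled"]
    dest = status["DestinationRegion"]
    grant_name = status.get("SnapshotCopyGrantName")
    if not grant_name:
        return [f"no snapshot copy grant set for destination {dest}"]
    grants = {g["SnapshotCopyGrantName"]: g for g in dest_region_grants}
    grant = grants.get(grant_name)
    if grant is None:
        return [f"grant {grant_name!r} not found in {dest}"]
    key_region = kms_arn_region(grant.get("KmsKeyId", ""))
    if key_region is None:
        return ["grant key is not a full ARN; region cannot be checked"]
    if key_region != dest:  # KMS keys are region-specific
        return [f"grant key is in {key_region}, expected {dest}"]
    return []

# Constructed sample data (account id and key ids are placeholders).
CLUSTER = {
    "ClusterIdentifier": "example-cluster", "Encrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/SOURCE-KEY-PLACEHOLDER",
    "ClusterSnapshotCopyStatus": {"DestinationRegion": "us-west-2",
                                  "SnapshotCopyGrantName": "copy-grant-usw2"},
}
GRANTS_OK = [{"SnapshotCopyGrantName": "copy-grant-usw2",
              "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/DEST-KEY-PLACEHOLDER"}]
GRANTS_WRONG_REGION = [{"SnapshotCopyGrantName": "copy-grant-usw2",
                        "KmsKeyId": CLUSTER["KmsKeyId"]}]

if __name__ == "__main__":
    for label, grants in (("ok", GRANTS_OK), ("wrong region", GRANTS_WRONG_REGION)):
        print(label, audit_snapshot_copy(CLUSTER, grants))
```
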

To ensure that a Redshift cluster that uses a KMS key for encryption can be moved to another region, you need to take the following steps:

  1. Ensure that the KMS key is copied from the source region to the destination region: When you copy a KMS key to another region, you can use the key to encrypt data in the new region. To do this, you need to create a copy of the KMS key in the destination region.

  2. Configure a snapshot copy grant for a master key in the destination region: This allows the Redshift cluster to access the KMS key that you created in the destination region.

Options A and C are the correct answers: A. Ensure that the KMS key is copied from the source region to the destination region. C. Configure a snapshot copy grant for a master key in the destination region.

Option B is not required as you can copy the existing KMS key to the destination region. Option D is not required as it relates to configuring a snapshot copy grant for a master key in the source region, which is not necessary for moving the Redshift cluster to a new region.

Note: When copying a KMS key to another region, ensure that you create the key with the same alias as the original key so that the Redshift cluster can use the key seamlessly after it is moved to the new region.