DynamoDB: can we use encryption and cross-region replication together?
We are evaluating DynamoDB for our new application. Our requirements are:
Our requirements can be met separately using Java libraries provided by AWS. The solutions are:
However, we are not certain that these solutions can work together. We are concerned that we won't be able to decrypt cross-region replicated records. The client-side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region. The encryption key is not accessible in another region.
The questions are:
You are right. As is, the setup won't work because KMS keys can't be shared across regions.
Let's say you are replicating data from region R1 to R2, which have KMS keys K1 and K2 respectively. I can suggest the following alternatives:
Update: Adding your thoughts too, so that it can help anyone stumbling onto this question in the future: