Question 273:
An S3 bucket stores a large amount of customer data, and all the files need to be replicated to another S3 bucket owned by a different AWS account. Objects in the source S3 bucket are encrypted by a customer-managed key in KMS, and replicated objects in the backup bucket should be encrypted by another CMK. You plan to use an S3 Replication rule for this task. How would you configure the S3 Replication?
Answer options:
A. Create a new Replication rule and choose the customer-managed key ID used for the encryption in the destination S3 bucket. S3 Replication automatically handles the decryption in the source S3 bucket.
B. Create a cross-account IAM role in the destination account that has permissions to decrypt/encrypt using the keys. Attach the IAM role in the Replication rule.
C. In the Replication rule, select the KMS key to be allowed to decrypt objects and enter the CMK ARN for the encryption in the destination bucket. Modify the key policy of CMK in the destination account to grant the source bucket owner permissions.
D. In the Replication rule, set the source to be the entire bucket to include all encrypted files. In the destination S3 bucket, enable the default encryption with AWS KMS.