Your company requires that S3 objects should be replicated in different AWS regions. You have an S3 bucket in the ap-southeast-1 region, and its objects are encrypted with AWS Key Management Service (AWS KMS). How would you configure the Cross-Region Replication (CRR) for the encrypted objects in the S3 bucket?

Answer options:

A.Encrypted objects cannot be replicated with Cross-Region replication (CRR).
B.Modify the S3 property to encrypt the objects with AES-256 and then replicate them with a Cross-Region replication rule.
C.In the replication rule, provide the KMS key name for decrypting source objects.
D.Copy a KMS key from the target region to the source region. Re-encrypt the objects with the new KMS key in the source S3 bucket for the Cross-Region replication to work.

Correct Answer – C
Option A is incorrect because Cross-Region replication can copy encrypted objects across buckets in different AWS regions.
Option B is incorrect because this is not required as CRR supports AWS-KMS.
Option C is CORRECT because users can choose one or more KMS keys in the replication rule as follows.
Objects encrypted by AWS KMS CMKs that are not selected will not be replicated.
Option D is incorrect because the re-encryption is not required for the Cross-Region replication. For details, please check the following references.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-replication.html.
https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html#crr-scenario.