AWS Secrets Manager supports multi-Region secret replication, which is designed specifically for redundancy, disaster recovery, and multi-Region applications. With this feature, the primary secret resides in one Region (here, us-west-1) and Secrets Manager automatically maintains a replica in another Region (us-east-1). This provides local read access and resilience if one Region is impaired.

Option A accurately describes the standard configuration: enable secret replication and add us-east-1 as the replica Region. Because encryption keys are Region-scoped, the replica secret in us-east-1 should be encrypted with a KMS key in us-east-1 (either the default Secrets Manager key for that Region or a customer managed key), satisfying encryption requirements and proper key locality.

Option B is incorrect because you don’t configure replication “from the destination.” Replication is configured on the primary secret, and the replica uses a KMS key in the replica Region, not in the source Region.

Option C is not how Secrets Manager replication works. Replication is not only during rotation; it maintains replicas continuously. The “replication rule during rotation” framing is not the standard mechanism.

Option D is inappropriate and insecure/operationally complex: exporting secrets to S3 for replication is not the recommended pattern and introduces unnecessary exposure.

Therefore, enable Secrets Manager multi-Region replication and encrypt replicas with a KMS key in the destination Region.