The combination of changes that will meet the requirement with the least operational overhead is:
A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 multivalue answer routing policy.
B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.
C. Replicate the existing Secrets Manager secret to the other in-scope Regions. For each Region's replica secret, select that Region's replica key as its encryption key.
Together these changes give the company an active-active configuration for its API across multiple Regions while keeping the management of secrets and keys to a single primary key and a single primary secret.
A. Route 53 multivalue answer routing returns up to eight healthy records for the same name in response to each DNS query, so clients are spread across the Regional API endpoints (each fronted by its own Regional custom domain name), and when a health check is attached to each record an endpoint that fails its check is dropped from the answers. This improves the availability of the API for global customers without a load balancer or failover logic of the company's own. Note that, unlike latency-based routing, multivalue answer does not choose the closest Region for a client [1][2].
B. KMS multi-Region keys are a set of KMS keys, one per Region, that share the same key ID and key material and can therefore be used interchangeably: ciphertext produced with the primary key in one Region can be decrypted with a replica key in another Region without a cross-Region KMS call. Only the Region in the key ARN differs between the primary and its replicas. Each replica is still a separate resource with its own key policy, grants and aliases, so those must be managed in every Region [3][4].
C. Secrets Manager replication copies the secret value and metadata to the specified Regions, encrypting each replica with the KMS key chosen for that Region (here, the Region's replica key), and propagates every update made to the primary secret to the replica secrets automatically. Replica secrets are read-only copies of the primary, so applications in any Region read their local replica through the Region-local Secrets Manager endpoint while writes continue to go to the primary [5][6].
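The three changes scripted with the AWS CLI, added here as a worked example; this is not code from the referenced AWS documentation. Everything concrete in it is an assumption for illustration: the account ID 111122223333, the primary Region us-east-1 and replica Regions eu-west-1 and ap-southeast-1, the hosted zone ID, the secret name prod/api/db, the mrk- key ID passed in by the caller, the API Gateway Regional custom-domain target names and the Route 53 health check IDs. By default (DRY_RUN=1) it prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the referenced AWS docs). Assumptions for illustration:
# account 111122223333, primary Region us-east-1, replica Regions eu-west-1 and
# ap-southeast-1, a multi-Region key id (mrk-...) supplied by the caller, and the
# API Gateway Regional custom-domain targets. DRY_RUN=1 (the default) prints each
# command instead of running it; DRY_RUN=0 executes it with your credentials.
set -eu

ACCOUNT="${ACCOUNT:-111122223333}"
PRIMARY="${PRIMARY:-us-east-1}"
REPLICAS="${REPLICAS:-eu-west-1 ap-southeast-1}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Change B, step 1: a multi-Region primary key. KMS assigns it a key id that
# starts with "mrk-"; capture that id and pass it to the functions below.
create_primary_key() {
  run aws kms create-key --region "$PRIMARY" --multi-region \
    --description "api secrets (multi-Region primary)" \
    --query KeyMetadata.KeyId --output text
}

# A replica key keeps the primary's key id and key material; only the Region in
# the ARN differs, so a replica's ARN can be written down without a lookup.
replica_key_arn() { # $1 = mrk- key id, $2 = Region
  printf 'arn:aws:kms:%s:%s:key/%s' "$2" "$ACCOUNT" "$1"
}

# Change B, step 2: replicate the primary key into every in-scope Region.
replicate_key() { # $1 = mrk- key id
  for region in $REPLICAS; do
    run aws kms replicate-key --region "$PRIMARY" --key-id "$1" --replica-region "$region"
  done
}

# Change C: replicate the secret, encrypting each replica with that Region's
# replica key. The replica keys must already exist and be enabled.
replicate_secret() { # $1 = secret name or ARN, $2 = mrk- key id
  regions=""
  for region in $REPLICAS; do
    regions="$regions Region=$region,KmsKeyId=$(replica_key_arn "$2" "$region")"
  done
  # word splitting of $regions is intended: one list item per Region
  run aws secretsmanager replicate-secret-to-regions --region "$PRIMARY" \
    --secret-id "$1" --add-replica-regions $regions
}

# Change A: one multivalue answer record per Region. Multivalue answer records
# cannot be alias records, so each is a CNAME to the Regional custom domain's
# target (regionalDomainName from "aws apigateway get-domain-name"), and each
# carries a health check so an unhealthy Region drops out of the answer set.
# $1 = record name; remaining args = "Region=target-domain=health-check-id"
multivalue_change_batch() {
  name="$1"; shift
  fmt='{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":60,'
  fmt=$fmt'"SetIdentifier":"%s","MultiValueAnswer":true,"HealthCheckId":"%s",'
  fmt=$fmt'"ResourceRecords":[{"Value":"%s"}]}}'
  changes=""
  for entry in "$@"; do
    region=${entry%%=*}; rest=${entry#*=}
    target=${rest%%=*}; hc=${rest#*=}
    changes="$changes${changes:+,}$(printf "$fmt" "$name" "$region" "$hc" "$target")"
  done
  printf '{"Comment":"active-active API","Changes":[%s]}' "$changes"
}

upsert_records() { # $1 = hosted zone id, $2 = record name, rest as above
  zone="$1"; name="$2"; shift 2
  run aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
    --change-batch "$(multivalue_change_batch "$name" "$@")"
}
```

Run it once with DRY_RUN=1 to review the generated commands and change batch, then with DRY_RUN=0. The Regional custom domain names (aws apigateway create-domain-name with endpoint type REGIONAL) and one health check per Region are inputs here, not created by the script. Because a replica key shares the primary's key id, replica_key_arn can name the key in each Region from the id alone; the replica must exist and be enabled before Secrets Manager can encrypt with it, so call replicate_key before replicate_secret.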
References:
1. Creating a regional API endpoint - Amazon API Gateway
2. Multivalue answer routing policy - Amazon Route 53
3. Multi-Region keys in AWS KMS - AWS Key Management Service
4. Creating multi-Region keys - AWS Key Management Service
5. Replicate an AWS Secrets Manager secret to other AWS Regions
6. How to replicate secrets in AWS Secrets Manager to multiple Regions | AWS Security Blog