OK, I'm attempting something relatively simple, or so I thought.
My goals:
1) Script an archive of backup files which uploads to an S3 bucket using the AWS CLI.
2) Encryption: be able to have the backup file easily encrypted/decrypted server-side (preferably, as I'd rather not have to maintain keys and extra code).
3) Have the S3 bucket replicate to another region via Cross-Region Replication. A backup for my backup.
Additionally, this needs to remain simple as it will scale.
I've managed these things individually but not 2 & 3 together for encryption & replication.
For encryption, I first attempted creating and using a KMS key via AWS IAM > Encryption keys. This works great, and the backup file gets encrypted server-side just by adding the flag "--sse aws:kms --sse-kms-key-id my-encryption-key".
The only problem is that the requirements for S3 Cross-Region Replication state that client- and server-side encrypted content is ignored for cross-region replication:
"Objects created with server-side encryption using either customer-provided (SSE-C) or AWS KMS–managed encryption (SSE-KMS) keys are not replicated."
From here I'm not sure where to go. The S3 Replication docs seem to suggest that if you encrypt using the S3 master key, objects will be replicated OK. However, I don't know exactly what that is or how to specify it via the AWS CLI.
I've tried changing my aws s3 cp flag to "--sse aws:kms". It successfully updated the object details to "Server Side Encryption:Using AWS KMS master key: aws/s3 (default)", which would seem to be correct? But alas it was not replicated to my other region's bucket, nor can I figure out what exactly the "s3 master" key is and what control and security I need to have over it.
It seems silly to have limitations on Cross-Region Replication like that. Any ideas on how to approach this? I just want a simple encrypted backup, and a backup for my backup with minimal effort.
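As an added example (not from the original post), here is the shape of the backup script described above with the encryption mode made selectable, plus a read-back of the uploaded object's metadata so the script itself shows what S3 recorded for ServerSideEncryption and ReplicationStatus instead of leaving you to check the console. The bucket name, key id and source path are placeholders; "s3" mode uses SSE-S3 (the `--sse AES256` flag, S3-managed keys), which is the one mode the quoted replication text does not exclude.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Archive a directory, upload it with
# the chosen server-side-encryption flags, then read the object back with
# head-object so the script reports what S3 actually recorded: the
# ServerSideEncryption value and, once the bucket is under CRR, the
# ReplicationStatus. Bucket, key id and source path are placeholders.
set -eu

# Map a short mode name to the `aws s3 cp` flags for that SSE mode.
#   s3  -> SSE-S3 (AES256; S3-managed key, not excluded by the quoted CRR docs)
#   kms -> SSE-KMS with the account default aws/s3 key
#   cmk -> SSE-KMS with an explicit KMS key id (second argument)
sse_flags() {
  case "$1" in
    s3)  echo "--sse AES256" ;;
    kms) echo "--sse aws:kms" ;;
    cmk) [ -n "${2:-}" ] || { echo "cmk mode needs a key id" >&2; return 1; }
         echo "--sse aws:kms --sse-kms-key-id $2" ;;
    *)   echo "unknown sse mode: $1" >&2; return 1 ;;
  esac
}

# Extract one string field from the JSON that `aws s3api head-object` prints.
# Prints "none" when the field is absent (e.g. ReplicationStatus on an object
# that replication skipped or that was uploaded before the rule existed).
json_field() {
  value=$(sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1)
  echo "${value:-none}"
}

# Build the archive and upload it; $1 = dir to back up, $2 = SSE mode, $3 = key id.
backup_to_s3() {
  bucket="my-backup-bucket"                       # placeholder bucket
  archive="backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
  # word-splitting of the flag string is intended here
  aws s3 cp "$archive" "s3://$bucket/$archive" $(sse_flags "$2" "${3:-}")
  meta=$(aws s3api head-object --bucket "$bucket" --key "$archive")
  echo "encryption:  $(printf '%s' "$meta" | json_field ServerSideEncryption)"
  echo "replication: $(printf '%s' "$meta" | json_field ReplicationStatus)"
  rm -f "$archive"
}

# Usage (uncomment to run against a real bucket):
# backup_to_s3 /var/backups s3                       # SSE-S3
# backup_to_s3 /var/backups cmk my-encryption-key    # SSE-KMS, as in the post
```

ReplicationStatus only appears on objects that the replication rule actually picked up, so an upload that reports "none" there is the quickest sign that the encryption mode excluded it.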