DynamoDB: can we use encryption and cross-region replication together?
We are evaluating DynamoDB for our new application. Our requirements are:
- Data encryption at rest
- Cross-region replication for disaster recovery. Our app in a region must rely on services in that region only
Our requirements can be met separately using Java libraries provided by AWS. The solutions are:
However, we are not certain whether these solutions can work together. We are concerned that we won't be able to decrypt cross-region replicated records. The client-side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region: the encryption key is not accessible in the other region.
The questions are:
- Is it true that decryption of cross-region replicated records is impossible if the encryption key is in KMS?
- Is there a recommended approach to replicating encrypted DynamoDB records? Has anyone done this before?
- Are there any alternatives we should be looking at?