6.3.4. Multi-Region Key and Certificate Management
First Principle: Global applications require encryption keys and certificates that work across Regions. Without multi-Region key management, cross-Region data access requires complex key-sharing arrangements or data re-encryption at Region boundaries.
This is new content for the SCS-C03.
KMS Multi-Region Keys:
- Create a primary key in one Region and replica keys in other Regions
- Same key ID and key material across all Regions — data encrypted in one Region can be decrypted in another
- Use case: cross-Region disaster recovery, global database encryption, multi-Region application encryption
- Replica keys are independent — usable even if primary Region is unavailable
AWS Private Certificate Authority (Private CA):
- Issue private X.509 certificates for internal resources
- Certificates for mTLS, code signing, IoT device identity, VPN authentication
- Supports certificate hierarchies: root CA → subordinate CA → end-entity certificates
- Cross-Region: Share the CA across Regions using RAM (Resource Access Manager)
- Integrates with ACM for certificate deployment to ALB, CloudFront, API Gateway
AWS Certificate Manager (ACM):
- Free public certificates (auto-renewed) for ALB, CloudFront, API Gateway
- Cannot export public certificates — only usable with integrated AWS services
- Private certificates (via Private CA integration) can be exported and used on EC2
| Need | Solution |
|---|---|
| Public HTTPS for ALB/CloudFront | ACM public certificates (free, auto-renew) |
| Private mTLS between services | Private CA + ACM private certificates |
| Cross-Region encryption with same key | KMS multi-Region keys |
| IoT device authentication | Private CA certificates |
| On-premises workload certificates | Private CA + export via ACM |
⚠️ Exam Trap: ACM public certificates cannot be exported. If a question requires installing a certificate on an EC2 instance, you need either a Private CA certificate or an imported certificate — not ACM public.
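The exportability rule in the exam trap above, and the "Private CA + export via ACM" row of the table, can be checked mechanically from a certificate's metadata. The following is an added example written for this section, not code from the study guide or from AWS; it parses the documented shape of `aws acm describe-certificate` output (`Certificate.Type` is one of `AMAZON_ISSUED`, `PRIVATE` or `IMPORTED`, and `Certificate.RenewalEligibility` is `ELIGIBLE` or `INELIGIBLE`). The three sample responses are constructed inline, and the account id, ARNs and dates in them are placeholders.

```python
# Added example (not from the study guide or AWS): decide, from the documented
# shape of `aws acm describe-certificate` output, whether a certificate's
# private key can leave ACM for an EC2 or on-premises host, and whether ACM
# will renew it for you. Certificate.Type is AMAZON_ISSUED (public, ACM-managed),
# PRIVATE (issued through Private CA) or IMPORTED (you supplied the key).
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Constructed sample responses (not captured from a real account); the account
# id 111122223333, the ARNs and the expiry date are placeholders.
_NOT_AFTER = datetime(2026, 1, 1, tzinfo=timezone.utc)

PUBLIC_CERT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/public-placeholder",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": _NOT_AFTER,
    }
}

PRIVATE_CERT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/private-placeholder",
        "DomainName": "svc.internal.example",
        "Type": "PRIVATE",
        "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/ca-placeholder",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": _NOT_AFTER,
    }
}

IMPORTED_CERT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/imported-placeholder",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
        "RenewalEligibility": "INELIGIBLE",
        "NotAfter": _NOT_AFTER,
    }
}


def export_decision(description: Dict[str, Any]) -> Dict[str, Any]:
    """Say whether ACM can hand out this certificate's private key, and why."""
    cert = description["Certificate"]
    ctype = cert["Type"]
    if ctype == "AMAZON_ISSUED":
        return {
            "exportable": False,
            "reason": "ACM public certificate: usable only through integrated "
                      "services (ALB, CloudFront, API Gateway)",
        }
    if ctype == "PRIVATE":
        return {
            "exportable": True,
            "reason": f"private certificate from {cert['CertificateAuthorityArn']}: "
                      "retrieve key and chain with `aws acm export-certificate`",
        }
    if ctype == "IMPORTED":
        return {
            "exportable": False,
            "reason": "imported certificate: ACM only ever stored the key you "
                      "imported, so reuse your own copy of it",
        }
    raise ValueError(f"unknown certificate type {ctype!r}")


def renewal_decision(description: Dict[str, Any],
                     now: Optional[datetime] = None) -> Dict[str, Any]:
    """Report whether ACM auto-renews this certificate and how long it has left.

    Imported certificates are never renewed by ACM; their rotation is on you.
    """
    cert = description["Certificate"]
    now = now or datetime.now(timezone.utc)
    days_left = (cert["NotAfter"] - now).days
    auto = cert.get("RenewalEligibility") == "ELIGIBLE"
    return {
        "auto_renewed_by_acm": auto,
        "days_left": days_left,
        "action": "none" if auto else "re-import a fresh certificate before expiry",
    }


if __name__ == "__main__":
    for sample in (PUBLIC_CERT, PRIVATE_CERT, IMPORTED_CERT):
        name = sample["Certificate"]["DomainName"]
        print(name, export_decision(sample), renewal_decision(sample))
```

Run against a live account by replacing the constructed samples with the dict returned by `boto3.client("acm").describe_certificate(CertificateArn=...)`; the same two functions apply unchanged.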
Scenario: A company runs a global application with databases in us-east-1 and eu-west-1. Cross-Region replication requires data encrypted in one Region to be readable in the other. You create a KMS multi-Region key with primary in us-east-1 and replica in eu-west-1. Data encrypted with either key is decryptable by both.
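Before trusting a key for the scenario above, confirm that it really is a multi-Region key and that a replica exists in every Region the DR plan needs; a single-Region key in us-east-1 gives the eu-west-1 database nothing to decrypt with. The following is an added example written for this section, not code from the study guide or from AWS. It parses the documented shape of `aws kms describe-key` output (`KeyMetadata.MultiRegion` and `KeyMetadata.MultiRegionConfiguration`, the same structure boto3's `describe_key` returns); the keys themselves would be created with `aws kms create-key --multi-region` followed by `aws kms replicate-key --replica-region eu-west-1`. The two sample responses are constructed inline, and the account id 111122223333 and the key ids are placeholders.

```python
# Added example (not from the study guide or AWS): audit a KMS key's
# multi-Region configuration before relying on it for cross-Region DR.
# It parses the documented shape of `aws kms describe-key` output
# (KeyMetadata.MultiRegion and KeyMetadata.MultiRegionConfiguration).
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real account). The account
# id 111122223333 and the key ids are placeholders; real multi-Region key ids
# carry the "mrk-" prefix, which is how you spot one in an ARN.
_MRK_ID = "mrk-1234abcd12ab34cd56ef1234567890ab"
PRIMARY_KEY_DESCRIPTION = {
    "KeyMetadata": {
        "KeyId": _MRK_ID,
        "Arn": f"arn:aws:kms:us-east-1:111122223333:key/{_MRK_ID}",
        "KeyState": "Enabled",
        "MultiRegion": True,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "PRIMARY",
            "PrimaryKey": {
                "Arn": f"arn:aws:kms:us-east-1:111122223333:key/{_MRK_ID}",
                "Region": "us-east-1",
            },
            "ReplicaKeys": [
                {
                    "Arn": f"arn:aws:kms:eu-west-1:111122223333:key/{_MRK_ID}",
                    "Region": "eu-west-1",
                }
            ],
        },
    }
}

# A conventional single-Region key: no "mrk-" prefix, MultiRegion false,
# and no MultiRegionConfiguration block at all.
SINGLE_REGION_KEY_DESCRIPTION = {
    "KeyMetadata": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyState": "Enabled",
        "MultiRegion": False,
    }
}


def key_id_from_arn(arn: str) -> str:
    """Return the key id segment of a KMS key ARN."""
    return arn.rsplit("/", 1)[1]


def key_regions(description: dict) -> Dict[str, str]:
    """Map every Region the key exists in to the ARN to call in that Region.

    A single-Region key exists only in the Region of its own ARN.
    """
    meta = description["KeyMetadata"]
    if not meta.get("MultiRegion"):
        region = meta["Arn"].split(":")[3]
        return {region: meta["Arn"]}
    cfg = meta["MultiRegionConfiguration"]
    regions = {cfg["PrimaryKey"]["Region"]: cfg["PrimaryKey"]["Arn"]}
    for replica in cfg["ReplicaKeys"]:
        regions[replica["Region"]] = replica["Arn"]
    return regions


def shares_key_id_everywhere(description: dict) -> bool:
    """True when every Regional ARN carries the same key id, the property that
    lets ciphertext produced in one Region be decrypted in another."""
    ids = {key_id_from_arn(arn) for arn in key_regions(description).values()}
    return len(ids) == 1


def dr_coverage(description: dict,
                required_regions: List[str]) -> Dict[str, Optional[str]]:
    """For each Region the DR plan needs, return the ARN to use there, or None
    when neither a primary nor a replica key exists in that Region."""
    available = key_regions(description)
    return {region: available.get(region) for region in required_regions}


if __name__ == "__main__":
    plan = ["us-east-1", "eu-west-1"]
    for key in (PRIMARY_KEY_DESCRIPTION, SINGLE_REGION_KEY_DESCRIPTION):
        print(key["KeyMetadata"]["KeyId"], dr_coverage(key, plan))
```

A `None` in the `dr_coverage` result is the gap the exam scenario is about: the workload in that Region would have to call KMS in another Region (a cross-Region dependency that fails exactly when the other Region is down) or re-encrypt the data under a local key.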
Reflection Question: How do multi-Region KMS keys simplify cross-Region disaster recovery compared to traditional approaches of re-encrypting data at Region boundaries?