1
00:00:00,270 --> 00:00:01,320
So now let's talk about

2
00:00:01,320 --> 00:00:05,250
S3 replication and its relation to encrypted objects.

3
00:00:05,250 --> 00:00:09,420
So if you enable S3 replication from one bucket to another,

4
00:00:09,420 --> 00:00:12,600
then any unencrypted object and objects encrypted

5
00:00:12,600 --> 00:00:16,350
with SSE-S3 will be replicated by default.

6
00:00:16,350 --> 00:00:20,190
If you do happen to encrypt an object with SSE-C,

7
00:00:20,190 --> 00:00:21,900
where it's a customer-provided key,

8
00:00:21,900 --> 00:00:24,750
they will never be replicated, because you would need to

9
00:00:24,750 --> 00:00:27,141
provide the key all the time, and that doesn't work.

10
00:00:27,141 --> 00:00:31,080
And then we have objects encrypted with SSE-KMS.

11
00:00:31,080 --> 00:00:33,300
So by default, they're not replicated,

12
00:00:33,300 --> 00:00:35,820
but we need to enable the option to actually

13
00:00:35,820 --> 00:00:38,010
replicate these objects.

14
00:00:38,010 --> 00:00:41,610
And so we specify with which KMS key we want to

15
00:00:41,610 --> 00:00:44,790
encrypt the objects within the target bucket.

16
00:00:44,790 --> 00:00:48,450
And then we adapt this KMS key policy for the target key.

17
00:00:48,450 --> 00:00:50,855
And we create an IAM role that is allowing

18
00:00:50,855 --> 00:00:55,290
the S3 replication service to first decrypt the data

19
00:00:55,290 --> 00:00:57,150
in the source bucket,

20
00:00:57,150 --> 00:01:01,260
and then re-encrypt the data in the target bucket

21
00:01:01,260 --> 00:01:03,540
with the target KMS key.

22
00:01:03,540 --> 00:01:06,060
And so when you do so, this enables replication. Because

23
00:01:06,060 --> 00:01:09,210
there is a lot of encryption and decryption happening,

24
00:01:09,210 --> 00:01:11,670
you may get KMS throttling errors, in which case

25
00:01:11,670 --> 00:01:13,920
you need to ask for a service quota.

26
00:01:13,920 --> 00:01:17,580
So a question you may have is, "Should I use a multi-region

27
00:01:17,580 --> 00:01:19,680
key with S3 replication?"

28
00:01:19,680 --> 00:01:22,200
And the documentation says that you can use

29
00:01:22,200 --> 00:01:25,920
a multi-region key for S3 replication,

30
00:01:25,920 --> 00:01:28,830
but currently they are treated as independent keys

31
00:01:28,830 --> 00:01:31,680
by the Amazon S3 service, and therefore

32
00:01:31,680 --> 00:01:35,370
the object is still going to be decrypted and then encrypted

33
00:01:35,370 --> 00:01:37,560
using the same key, even though the key

34
00:01:37,560 --> 00:01:39,660
is a multi-region key, okay?

35
00:01:39,660 --> 00:01:41,580
So this is it for this lecture.

36
00:01:41,580 --> 00:01:42,780
I hope you liked it.

37
00:01:42,780 --> 00:01:44,730
And I will see you in the next lecture.