KMS Multi-region keys are required https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

Cannot be A - question says customer managed key Cannot B - client side encryption is operational overhead Cannot C -as it says SSE-S3 instead of customer managed so the answer is D though it required one time setup of keys

B is correct

Its likely to be option B as it is the only option that mentions KMS multi region Keys. Multi region keys can also be used for client side encryption. Also CSE means the object will be encrypted before it reaches S3 bucket and will be decrypted after the object is fetched from S3 bucket, so while in S3 bucket it stays in encrypted status.

The question specifically says to use client managed keys and not client side encryption.

Can't be B as the question requires SSE and not CSE

Both B & D have their own problems , C, it was ok with multi region KMS key since we need the same key for both regions , but the problem is it says client side encryption , Using KMS is server side encryption from the beginning. D, it says to create S3 bucket and KMS key in each region, that means the two key for the two region are not the same cause we create for each region. but the question asked to use the same key.

It has to be D, Client-side encryption requires additional handling within the application code, increasing operational overhead if we go with option B. So with option of elimination, next best option is D.

SSE encryption is not required and multi-region keys support client side encryption, so the correct answer is B

C - The question implies that the Data AND Key must be in EACH of the two Regions

he sayed "The company must use an Key Management Service (AWS KMS) customer managed key" B. is using client side encryption not even aws key Right... ??

It is mentioning server side encryption using KMS.

this is clear case of multi region key

"A single-Region KMS key generated by AWS KMS is stored and used only in the Region in which it was created. With AWS KMS multi-Region keys you can choose to replicate a multi-Region primary key into multiple Regions within the same AWS partition." https://aws.amazon.com/kms/faqs/

i found the answer guys. acually i never found resource state that normal keys (not multi regions key) can be replicated across region. also i found this "A single-Region KMS key generated by AWS KMS is stored and used only in the Region in which it was created. With AWS KMS multi-Region keys you can choose to replicate a multi-Region primary key into multiple Regions within the same AWS partition." which mean option D can't never be correct since key can't be used in another region which seem logically otherwise they wouldn't make multi region keys if we can simply copy keys

The data in both S3 buckets must be encrypted and decrypted with the same KMS key.

By creating a customer managed multi-Region KMS key, you can have a single key that works across both AWS Regions. Creating an S3 bucket in each Region allows you to store data in both Regions. Configuring replication between the S3 buckets ensures that the data is replicated between the Regions. Using client-side encryption with the KMS key ensures that the data is encrypted and decrypted with the same KMS key