AWS Certified Security - Specialty (#16)

An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether. Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?

Copy the application’s AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.
Configure the target region’s AWS service to communicate with the source region’s AWS KMS so that it can decrypt the resource in the target region.