CASE 102 · LUSTRE · 2025
Encrypted replication that doesn’t need cross-region role gymnastics.
A digital health platform replicated PHI buckets across regions with a cross-region trust dance that nobody fully trusted. Auditors had questions. We rebuilt the encryption on KMS multi-region keys so the same key material exists in both regions, eliminating the trust path.
Digital health
SECURITY
2025
RESULTS
What changed, by the numbers.
CROSS-REGION TRUST PATHS
−100%
AUDIT QUESTIONS
CLEARED
REPLICATION LATENCY
< 15s
KEY MATERIAL EXPOSURE
NONE
HOW IT WENT
The legacy setup decrypted in the source region, sent the plaintext to the destination region, and re-encrypted there. Both regions held distinct keys; the trust path was a cross-account IAM role with `kms:Decrypt` on the source side. Auditors had asked, reasonably, how we knew that path was secure.
KMS Multi-Region Keys hold the same key material in multiple regions without exposing the material to the customer. S3 replication can use the destination-region replica directly, eliminating the decrypt-and-re-encrypt round trip. We migrated three buckets representing the highest-sensitivity workloads first.
Cross-region trust paths went to zero. Replication latency was unchanged. The auditor’s questions resolved on a single architectural diagram. The migration ran transparently — existing encrypted objects could still be decrypted because we kept the legacy keys live during the transition window.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.