I have a Lambda@Edge function and a centralized S3 logging bucket deployed in the us-east-1 region. By AWS design, Lambda@Edge writes logs to the region where its replica is invoked; that is about 13 AWS Regions where CloudFront edge caches are located.
I need to have each of the CloudWatch log groups encrypted with a KMS key and forward logs via Kinesis Firehose to a centralized S3 bucket. The question is:
Since AWS KMS is a regional service, if I create ~13 KMS keys, one in each of the regions where the log groups will be located, will I have any issues with reading them from the S3 bucket located in us-east-1
(S3 is global, but it is still bound to a region)?
Does it make sense to use the new multi-Region KMS key feature?
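The per-region wiring the question describes, as an added example that is not part of the question or any answer to it. It assumes the documented Lambda@Edge log-group naming (`/aws/lambda/us-east-1.<function-name>` in the region that served the request), the documented CloudWatch Logs key-policy statement (regional `logs.<region>.amazonaws.com` service principal scoped by the `kms:EncryptionContext:aws:logs:arn` condition), and the boto3 calls `kms.replicate_key`, `logs.create_log_group`, `logs.associate_kms_key` and `logs.put_subscription_filter`. The account id, function name, key id and ARNs are placeholders; `configure_edge_region` needs credentials and is the only part that touches AWS, while the policy helpers run offline. The point it makes is that a multi-Region key still has an independent key policy per replica, so each replica must trust its own region's Logs principal; `policy_trusts_region` is a pre-deploy check for exactly that mistake.

```python
"""Per-region KMS key policy and log-group wiring for Lambda@Edge logs.

Added example (not from the original post): builds the key-policy statement
CloudWatch Logs needs in a given region and, with boto3, replicates a
multi-Region key there, attaches it to the edge log group and subscribes
the group to a Firehose delivery stream.
"""
import json


def lambda_edge_log_group(function_name: str) -> str:
    """Lambda@Edge replicas log to a group named after the us-east-1 origin
    function, in whichever region served the request (documented naming)."""
    return f"/aws/lambda/us-east-1.{function_name}"


def logs_key_policy(region: str, account_id: str, log_group_name: str) -> dict:
    """Key policy: account root administers the key; the *regional* CloudWatch
    Logs service principal may use it, but only for one log-group ARN, which is
    enforced through the encryption-context condition."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccountAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowCloudWatchLogsUse",
                "Effect": "Allow",
                # Regional principal: a key (or replica) in eu-west-1 must trust
                # logs.eu-west-1.amazonaws.com, not the us-east-1 principal.
                "Principal": {"Service": f"logs.{region}.amazonaws.com"},
                "Action": [
                    "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:Describe*",
                ],
                "Resource": "*",
                "Condition": {
                    "ArnEquals": {"kms:EncryptionContext:aws:logs:arn": log_group_arn}
                },
            },
        ],
    }


def policy_trusts_region(policy: dict, region: str) -> bool:
    """Pre-deploy check: does this policy grant the Logs principal of `region`?
    Catches reusing a us-east-1 policy on a replica key in another region."""
    wanted = f"logs.{region}.amazonaws.com"
    for stmt in policy["Statement"]:
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") == "Allow" and wanted in services:
            return True
    return False


def configure_edge_region(region: str, account_id: str, function_name: str,
                          primary_key_id: str, firehose_arn: str,
                          logs_role_arn: str) -> str:
    """Wire one edge region (hypothetical helper; requires boto3 + credentials).
    primary_key_id: a multi-Region primary key in us-east-1.
    firehose_arn / logs_role_arn: the delivery stream and the IAM role that
    CloudWatch Logs assumes to write to it. Returns the replica key ARN."""
    import boto3  # lazy import so the policy helpers stay importable offline

    log_group = lambda_edge_log_group(function_name)
    policy = logs_key_policy(region, account_id, log_group)
    assert policy_trusts_region(policy, region)

    # replicate_key is called in the primary key's region, naming the target.
    kms_primary = boto3.client("kms", region_name="us-east-1")
    replica = kms_primary.replicate_key(KeyId=primary_key_id, ReplicaRegion=region,
                                        Policy=json.dumps(policy))
    replica_arn = replica["ReplicaKeyMetadata"]["Arn"]

    logs = boto3.client("logs", region_name=region)
    try:
        # Create the group pre-encrypted; Lambda@Edge may already have made it.
        logs.create_log_group(logGroupName=log_group, kmsKeyId=replica_arn)
    except logs.exceptions.ResourceAlreadyExistsException:
        logs.associate_kms_key(logGroupName=log_group, kmsKeyId=replica_arn)

    logs.put_subscription_filter(logGroupName=log_group,
                                 filterName="to-central-firehose",
                                 filterPattern="",  # forward every event
                                 destinationArn=firehose_arn,
                                 roleArn=logs_role_arn)
    return replica_arn


if __name__ == "__main__":
    # Offline demonstration with constructed placeholder values.
    p = logs_key_policy("eu-west-1", "123456789012", lambda_edge_log_group("edge-fn"))
    print(json.dumps(p, indent=2))
    print("trusts eu-west-1:", policy_trusts_region(p, "eu-west-1"))
    print("trusts us-east-1:", policy_trusts_region(p, "us-east-1"))
```

Run the module directly to print the policy for one region; `configure_edge_region` is the loop body to call once per edge region, with `firehose_arn` pointing at whichever delivery stream that region's log group subscribes to.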