This week, AWS announced two significant Amazon Cognito updates - native multi-Region replication and support for customer-managed keys (CMK). Previously, you were required to create custom workflows to synchronize user data across AWS Regions for data replication, password resets, app client management and JWKS management. Now, these new capabilities built into Cognito eliminate a lot of that work.
Teams now spend less operational effort keeping authentication consistent between Regions, and gain more control over encryption and key management. This can be a real game changer for global teams.
What this new feature does
With the new updates, Amazon Cognito can now automatically replicate user pool data and machine secrets to a second AWS Region. The data flows from a primary Region to a replica Region in the background. The replica contains user pool settings, app client configurations and machine-to-machine secrets - so if a failover occurs, users can continue signing in with their existing passwords. Migration or account changes are no longer required.
Additionally, AWS has simplified token validation by using a shared JWKS endpoint across Regions. This means fewer configuration values to manage and a more straightforward setup for authentication across multiple Regions.
Before this release, the comparison looked like this:
One detail that definitely deserves attention is the Updated Issuer configuration. By default, Cognito generates tokens with a Region-specific issuer URL. If you want token validation to work the same way across both Regions, you must configure an Updated Issuer before turning on replication.
This only needs to be done once, but it changes how your application validates JWTs. And because of that, it should be included in your initial setup plan rather than handled later.
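To make the issuer point concrete, here is an added Python example (not code from the post, from AWS, or from any Cognito SDK) showing what a resource server's claim check does with a token issued by the replica after failover. It assumes constructed pool and app client identifiers, an assumed Updated Issuer value of `https://auth.example.com`, the default Region-specific issuer format `https://cognito-idp.<region>.amazonaws.com/<pool-id>`, and that without an Updated Issuer the replica mints tokens carrying its own Region's issuer. The tokens are constructed and unsigned; in a real service the RS256 signature must be verified against the pool's JWKS before any claim is read.

```python
import base64
import json
import time

# Constructed sample values, not from the original post.
PRIMARY_REGION = "us-east-1"
REPLICA_REGION = "us-west-2"
USER_POOL_ID = "us-east-1_EXAMPLE"
CLIENT_ID = "1example23456789abcdef"
# Assumed value for a configured Updated Issuer; take the real one from the pool settings.
UPDATED_ISSUER = "https://auth.example.com"


def regional_issuer(region: str, pool_id: str) -> str:
    """Default Region-specific issuer Cognito places in the iss claim."""
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo only. The signature segment is a
    placeholder: real Cognito tokens are RS256-signed and must be verified
    against the pool's JWKS before any claim below is trusted."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def claims_from_token(token: str) -> dict:
    """Decode the payload segment only (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, allowed_issuers: set, client_id: str, now: float):
    """Return (ok, reason). The issuer is checked against an explicit allow-list,
    so the caller decides which issuer values it trusts."""
    if claims.get("iss") not in allowed_issuers:
        return False, f"untrusted issuer {claims.get('iss')!r}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    use = claims.get("token_use")
    if use == "id":
        # Cognito ID tokens carry the app client ID in aud.
        if claims.get("aud") != client_id:
            return False, "aud does not match app client"
    elif use == "access":
        # Cognito access tokens carry it in client_id instead.
        if claims.get("client_id") != client_id:
            return False, "client_id does not match app client"
    else:
        return False, f"unexpected token_use {use!r}"
    return True, "ok"


def failover_scenarios(now: float = None) -> dict:
    """Compare a verifier pinned to the primary Region's issuer with one that
    trusts the Updated Issuer, for a token minted by the replica during failover."""
    now = time.time() if now is None else now
    base = {"sub": "user-1", "token_use": "access", "client_id": CLIENT_ID, "exp": now + 3600}
    primary_iss = regional_issuer(PRIMARY_REGION, USER_POOL_ID)
    replica_iss = regional_issuer(REPLICA_REGION, USER_POOL_ID)
    # Assumed behaviour: without an Updated Issuer the replica uses its own
    # Region's issuer; with one, both Regions issue the same iss value.
    regional_tok = make_unsigned_token({**base, "iss": replica_iss})
    updated_tok = make_unsigned_token({**base, "iss": UPDATED_ISSUER})
    return {
        "pinned_to_primary_regional": validate_claims(claims_from_token(regional_tok), {primary_iss}, CLIENT_ID, now)[0],
        "allowlist_both_regional": validate_claims(claims_from_token(regional_tok), {primary_iss, replica_iss}, CLIENT_ID, now)[0],
        "updated_issuer": validate_claims(claims_from_token(updated_tok), {UPDATED_ISSUER}, CLIENT_ID, now)[0],
    }
```

A verifier pinned to the primary Region's issuer URL is the setup that fails silently at failover: every token the replica issues is rejected as coming from an untrusted issuer. Allow-listing both regional issuers is shown only as an alternative for applications you cannot change; configuring the Updated Issuer before enabling replication gives every application one value to trust on both sides.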
Customer managed keys and replication setup
Amazon Cognito replication requires an AWS KMS multi-Region key. AWS managed keys cannot be used for this feature. For teams operating under strict security or compliance requirements, this can be an advantage: the same setup that supports cross-Region user data replication also gives you direct control over the encryption keys and their key policies.
The key policy needs to allow two principals: cognito-idp.amazonaws.com for standard Cognito operations and identitystore.amazonaws.com, which handles internal replication traffic. You apply this policy to both the primary key and its replica before creating the user pool.
Setup sequence
The AWS CLI v2.34.58 or later is required. Earlier versions do not include the create-user-pool-replica API and will not recognize the commands.
The configuration follows this order:
- Create a KMS multi-region primary key in your primary Region
- Replicate the key to the secondary Region
- Apply the correct key policy in both Regions (including the identitystore.amazonaws.com principal)
- Create the user pool with the CMK specified at creation time
- Configure the Updated Issuer
- Create and activate the replica
One limitation to keep in mind is that a user pool must be created with a customer-managed key (CMK) from the beginning. You cannot add a CMK to an existing standard user pool and then turn on replication.
If you're planning to use this feature with an existing Cognito deployment, it's worth checking your current setup early so you can choose the right migration approach.
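The following is an added Python example, not code from the post or from AWS, covering the key policy step of the sequence above: it builds the key policy that has to be on both the primary multi-Region key and its replica, and audits an existing policy document for the two required service principals before you try to create the user pool. The account ID is constructed. The KMS actions granted and the `aws:SourceAccount` condition are this example's assumptions (confirm the exact action set against the Cognito customer-managed key documentation, and that both services pass that condition key); the rest of the sequence is driven through the AWS CLI and is not reproduced here.

```python
import json

# Constructed sample account ID, not from the original post.
ACCOUNT_ID = "123456789012"
COGNITO = "cognito-idp.amazonaws.com"          # standard user pool operations
IDENTITY_STORE = "identitystore.amazonaws.com"  # internal replication traffic
REQUIRED_SERVICE_PRINCIPALS = {COGNITO, IDENTITY_STORE}
# Assumed action set; verify against the Cognito CMK documentation before use.
ASSUMED_KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account_id: str) -> dict:
    """Key policy to apply to the primary multi-Region key and to its replica."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowCognitoUserPoolOperations",
                "Effect": "Allow",
                "Principal": {"Service": COGNITO},
                "Action": ASSUMED_KMS_ACTIONS,
                "Resource": "*",
                # Assumed hardening: scope the service grant to this account so a
                # confused-deputy call on behalf of another account cannot use the key.
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            },
            {
                "Sid": "AllowReplicationTraffic",
                "Effect": "Allow",
                "Principal": {"Service": IDENTITY_STORE},
                "Action": ASSUMED_KMS_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            },
        ],
    }


def audit_key_policy(policy: dict, account_id: str) -> list:
    """Return findings a pre-flight check should fail on; empty list means ready."""
    findings = []
    seen = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {st.get('Sid')} allows any principal")
            continue
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        for svc in services:
            if svc in REQUIRED_SERVICE_PRINCIPALS:
                seen.add(svc)
                cond = st.get("Condition", {}).get("StringEquals", {})
                if cond.get("aws:SourceAccount") != account_id:
                    findings.append(f"{svc} grant is not scoped to account {account_id}")
    for svc in sorted(REQUIRED_SERVICE_PRINCIPALS - seen):
        findings.append(f"missing Allow for service principal {svc}")
    return findings


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_key_policy(policy, ACCOUNT_ID))
```

Run the audit against the policy of the key in each Region before creating the user pool: a policy missing the `identitystore.amazonaws.com` grant lets the pool be created but leaves the replication step with no way to use the key, and a policy that opens the key to any principal should stop the rollout regardless.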
What the replica can and cannot do
The replica user pool is read-only, so account creation, user updates, password resets, and configuration changes must still be made in the primary Region. The replica handles authentication traffic only, and applications need to route sign-in requests to it if a regional outage occurs.
Cognito keeps user data, settings, and secrets synchronized across Regions, allowing authentication to continue without manual recovery steps. Many teams combine this with Route 53 health checks or existing failover routing to complete their disaster recovery strategy.
For organizations implementing multi-region AWS architectures, GoML, an AWS Generative AI Competency Partner, helps accelerate delivery through its AI Matic framework, which provides a structured path from planning to production.