
AWS Adds Multi-Region Replication to Amazon Cognito Identity Service


AWS recently introduced Amazon Cognito multi-region replication, which automatically replicates user identities and user pool configurations from a primary region to a secondary one. This enables applications to continue authenticating users from a replica region during outages, without requiring custom replication and failover mechanisms.

Replication is one-way from a primary to a secondary region, synchronizing user data, credentials, and configuration. The secondary region is read-only, but during failover users can continue signing in with their existing credentials. Active sessions remain valid because both regions recognize access tokens issued by either region. Sébastien Stormacq, principal developer advocate at AWS, writes:

Engineering teams spent significant time building and maintaining custom replication solutions to synchronize configurations across Regions. Manual export and import of user data between Regions created security risks from potential data exposure and introduced opportunities for data inconsistencies. During regional transitions, end users experienced disruptions like forced password resets and re-authentication.

Amazon Cognito is a managed identity service that helps developers authenticate users and manage access to applications. As part of the update, it now supports customer-managed keys, providing additional flexibility for organizations with strict security and compliance requirements. Multi-region replication requires a multi-region customer-managed AWS KMS key. Stormacq adds:

Multi-Region replication supports all authentication methods, including federated sign-in through social providers (Amazon, Google, Apple, Facebook), Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) integrations, and API authorization flows.

According to the documentation, multi-region replication is currently limited to user pools on Amazon Cognito's next-generation infrastructure, which was recently announced in a separate article. Luc van Donkersgoed, principal engineer at PostNL and author of aws-news.com, comments:

This has been a major request for the longest time. Also glad to see continued investment in Cognito - it’s a pretty cool service.

While calling it the "pragmatic call" for most workloads, Daniele Frasca, architect at DanAds, summarizes some of the limitations, too:

Good step forward for auth resilience. For most teams, this removes a lot of complexity. But (...) it's active-passive, not active-active (...) No new sign-ups, no password resets, no profile updates unless you're in a failover state. TOTP MFA isn't supported on the secondary. If you need MFA everywhere, that's a hard stop, not a footnote. Failover is DNS-driven and needs a custom domain + health checks you own. Lockout counters aren't synced.

On Reddit, the reaction is largely positive, with developers welcoming the long-awaited feature despite some current limitations. Among competitors, Auth0 has long offered multi-region support.

Replication is available as an add-on for Amazon Cognito Essentials and Plus tier customers. The additional cost is $0.0045 per monthly active user (MAU) per replica region for Essentials and $0.006 per MAU per replica region for Plus. For machine-to-machine (M2M) authentication, the add-on incurs an additional 30% charge on top of standard token issuance pricing.

Multi-region replication is available across a subset of regions, including Northern Virginia, Singapore, Frankfurt, and Ireland, with any supported region serving as either the source or replica. Customer-managed key support is available for Essentials and Plus tiers across a broader set of AWS regions, including AWS GovCloud.
