AWS KMS - Multi-Region Keys

Overview

  • Multi-Region Keys (MRKs) let you replicate KMS keys across AWS regions while keeping the same key material and key ID.
  • Each copy is a separate KMS key in its own region but is cryptographically identical to the others.

Primary and Replica Model

  • Primary Key: Created in the first region; used to create replicas in other regions.
  • Replica Keys: Live in other regions, stay automatically synchronized with the primary, and share the same key ID.

Key Characteristics

  • Same key ID, material, and rotation settings across all regions.
  • Can encrypt in one region and decrypt in another without re-encryption or cross-region calls.
  • Each key is managed independently for access control and lifecycle, even though material is the same.
  • Keys are regional, not global — the “multi-region” aspect comes from synchronized replicas.

ARN Example

  • Primary in us-east-1:
  • Replica in us-west-2:

Use Cases

  • Disaster recovery – keep encrypted data recoverable across regions.
  • Global applications – consistent encryption for workloads deployed worldwide.
  • Global DynamoDB tables and Global Aurora – same key material in each region to support encrypted replication.