AWS Adds Multi-Region Replication to Amazon Cognito Identity Service
Amazon Cognito now offers multi-region replication, allowing developers to automatically synchronize user identities and configurations from a primary AWS region to a secondary one. This managed feature, announced by AWS in June 2026, enables applications to maintain authentication services during regional outages without the need for custom, manual failover scripts. According to AWS, the service synchronizes credentials and user pool settings, though the secondary region remains read-only during normal operation.
Why does multi-region replication matter for identity management?
Engineering teams previously managed custom replication solutions to keep user data consistent across regions, a process often criticized for creating security vulnerabilities and data inconsistencies. Sébastien Stormacq, a principal developer advocate at AWS, notes that manual exports often led to user disruptions, such as forced password resets or re-authentication requirements during transitions. By automating this process, the new native replication ensures that active sessions remain valid across regions, as both the primary and secondary pools recognize access tokens issued by either location.
While this feature simplifies failover, it operates in an active-passive configuration. This means you cannot perform new sign-ups, password resets, or profile updates in the secondary region unless you are actively executing a failover procedure.
What are the current limitations of the service?
Although the update is a significant step for resilience, industry architects point to specific functional gaps. Daniele Frasca, an architect at DanAds, highlights that the current implementation does not support Time-based One-Time Password (TOTP) MFA in the secondary region. Furthermore, failover is not entirely automatic: customers must implement the DNS-driven redirection and health checks themselves. Because lockout counters are not synced between regions, security teams must account for these gaps when designing their disaster recovery strategy.
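The unsynced lockout counters are a gap a defender can close at the log layer rather than in the identity service. The following added example (not AWS code and not part of the original article) merges constructed failed sign-in events from both regions and flags a user whose combined failures cross an assumed lockout threshold that neither region's own counter would reach; the region names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Cognito logs): (region, user, timestamp)
# for failed sign-ins. The first three hit the primary region; after a
# failover the secondary region starts with its own counter at zero.
EVENTS = [
    ("us-east-1", "alice", "2026-06-10T10:00:00"),
    ("us-east-1", "alice", "2026-06-10T10:00:20"),
    ("us-east-1", "alice", "2026-06-10T10:00:40"),
    # failover to the secondary region happens here
    ("eu-central-1", "alice", "2026-06-10T10:01:10"),
    ("eu-central-1", "alice", "2026-06-10T10:01:30"),
    ("eu-central-1", "bob", "2026-06-10T10:02:00"),
]

LOCKOUT_THRESHOLD = 5           # assumed policy: lock after 5 failures in the window
WINDOW = timedelta(minutes=15)  # assumed sliding window

def per_region_counts(events):
    """Count failures the way each region sees them in isolation."""
    counts = defaultdict(int)
    for region, user, _ in events:
        counts[(region, user)] += 1
    return dict(counts)

def cross_region_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {user: failures} for users whose failures across *both* regions
    reach the threshold within the sliding window."""
    by_user = defaultdict(list)
    for _, user, ts in events:
        by_user[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # advance the window start until it covers at most `window`
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

if __name__ == "__main__":
    print("per-region:", per_region_counts(EVENTS))
    print("cross-region lockouts:", cross_region_lockouts(EVENTS))
```

Neither region alone counts more than three failures for the same user, so a per-region lockout never fires; the merged view does.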
How does this compare to existing identity providers?
The introduction of multi-region support brings Amazon Cognito closer to the feature sets offered by competitors like Auth0, which has provided multi-region availability for years. The following table highlights the operational trade-offs for organizations evaluating this update:
| Feature | Amazon Cognito Status |
|---|---|
| Data Sync | Automated (Primary to Secondary) |
| Configuration Mode | Active-Passive |
| MFA Support | TOTP not supported on secondary |
What is the cost impact for developers?
Replication is available as a paid add-on for Amazon Cognito Essentials and Plus tier customers. According to AWS pricing documentation, the cost is $0.0045 per monthly active user (MAU) for Essentials and $0.006 per MAU for Plus. For machine-to-machine authentication, users will see a 30% surcharge on standard token issuance rates. Luc van Donkersgoed, a principal engineer at PostNL, describes the release as a long-awaited improvement, noting that the investment suggests a continued commitment to the service’s roadmap.
Frequently Asked Questions
- Is this an active-active setup? No, it is an active-passive configuration. The secondary region is read-only unless a failover is initiated.
- Does it support social identity providers? Yes, the service supports federated sign-in through providers like Google, Apple, and Facebook, as well as SAML and OIDC.
- Which regions are supported? The feature is available in a subset of regions, including Northern Virginia, Singapore, Frankfurt, and Ireland.
- Do I need a special key? Yes, you must use a multi-region customer-managed AWS KMS key to enable the replication.