All Products
Search

This Product

    Key Management Service:Manage cross-region resource synchronization

    Document Center

    Key Management Service:Manage cross-region resource synchronization

    Last Updated:Mar 31, 2026

    After you configure cross-region synchronization for a KMS instance, use this page to view what is synchronized, expand the synchronization scope, add replica instances, or remove replica instances.

    Prerequisites

    Before you begin, ensure that you have:

    • A KMS primary instance with cross-region synchronization configured

    • Access to the KMS console

    View synchronized resources

    View the resources synchronized from a primary instance to each of its replica instances, including synchronization status and failure details.

    1. Log on to the KMS console. In the top navigation bar, select the region of the primary instance. In the left-side navigation pane, choose Security Operations > Disaster Recovery > Cross-region Synchronization.

    2. Find the primary instance and click Manage in the Actions column.

    3. On the details page, click the Replica Instance tab. Find the replica instance you want to inspect, then click View Synchronized Resources in the Actions column.

    4. To view all resources synchronized from the primary instance across all replica instances, click the Synchronized Resources tab. The tab shows Resource ID, Replica Instance ID, Synchronization Status, and Failure Cause for each synchronized resource.

    Update synchronization resources

    Add resources to an existing synchronization task.

    Note

    You can only add resources to synchronize. Removing previously selected resources is not supported.

    1. Log on to the KMS console. In the top navigation bar, select the region of the primary instance. In the left-side navigation pane, choose Security Operations > Disaster Recovery > Cross-region Synchronization.

    2. Find the primary instance and click Manage in the Actions column.

    3. On the details page, click the Replica Instance tab, then click Update Synchronization Resources.

    Associate a replica instance

    Add a replica instance to a primary instance's synchronization task.

    1. Log on to the KMS console. In the top navigation bar, select the region of the primary instance. In the left-side navigation pane, choose Security Operations > Disaster Recovery > Cross-region Synchronization.

    2. Find the primary instance and click Manage in the Actions column.

    3. On the details page, click the Replica Instance tab, then click Add Replica Instance. Select a replica instance and a synchronization type.

    Disassociate a replica instance

    Warning

    Disassociating a replica instance is irreversible. After disassociation:

    • The association between the primary instance and the replica instance cannot be re-established.

    • You cannot create keys and secrets in the replica instance.

    • The replica instance is removed from the synchronization task but is not released.

    • Synchronized resources in the replica instance are retained but cannot be modified.

    Proceed with caution.

    1. Log on to the KMS console. In the top navigation bar, select the region of the primary instance. In the left-side navigation pane, choose Security Operations > Disaster Recovery > Cross-region Synchronization.

    2. Find the primary instance and click Manage in the Actions column.

    3. On the details page, click the Replica Instance tab. Find the replica instance to disassociate, then click Remove Replica Instance in the Actions column. In the Remove Replica Instance dialog, click OK.