Cross-region resource synchronization in Key Management Service (KMS) enables resource synchronization from a primary KMS instance to replica instances in other regions. If your applications use a primary/secondary deployment or active geo-redundancy architecture, this feature maintains business continuity by keeping key resources available across multiple regions.
If the message "If you want to use advanced features such as bring your own key (BYOK), cross-region synchronization, and monitoring, submit a ticket to confirm the time when your instance image is upgraded to the latest version." is displayed in the KMS console, contact us. For more information, see Contact us.
How it works
KMS instances support cross-region resource synchronization, which completes resource synchronization within minutes. After you enable this feature, applications in the primary region access the primary KMS instance for cryptographic operations. In disaster recovery scenarios, applications in secondary regions access replica KMS instances instead.
KMS synchronizes keys between the primary instance and replica instances. KMS does not synchronize business data. Plan and handle business data synchronization separately.
Limitations
Supported instance types: Only software key management type instances that use the subscription billing method support cross-region resource synchronization.
Replica instance limits:
Quantity: A primary instance supports up to three replica instances.
Region: The primary instance and all replica instances cannot reside in the same region.
Resources: No key or secret can exist in a replica instance before association. If a key or a secret exists in a replica instance, you cannot associate the replica instance with a primary instance.
Quota: The key quota and secret quota of a replica instance must be greater than or equal to those of the primary instance.
Cross-border limits: Cross-border synchronization is not supported. If the primary instance resides in a region in the Chinese mainland, the replica instance must also reside in a region in the Chinese mainland.
What is synchronized
Only keys are synchronized. Secrets are not synchronized.
The following table shows which key properties are synchronized and which are managed independently per instance.
| Synchronized | Not synchronized |
|---|---|
| Key ID | Key policy |
| Key version | Key alias |
| Key material | Key tags |
| Key status | |
| Deletion protection status | |
When you rotate keys on the primary instance, KMS synchronizes the new key versions to all associated replica instances and configures them as the primary key versions. This ensures that all encrypted data can be decrypted during automatic key rotation.
Key policies are not synchronized. When you use the Alibaba Cloud SDK to perform cryptographic operations, view the key policies in the primary instance. If a custom policy is configured, you must configure the same custom policy on each associated replica instance. Otherwise, applications may not have permissions to access keys in the replica instances. For more information, see View a key policy and Configure a key policy.
Synchronization timing
| Phase | Duration |
|---|---|
| Initial synchronization (after association) | 3 to 5 minutes |
| Subsequent synchronization | Every minute |
Conflict handling
During synchronization, if a replica instance contains keys with the same IDs as keys in the primary instance, KMS skips those keys and synchronizes the remaining keys. Check the synchronization results to verify whether the synchronization is successful.
Associate a replica instance with the primary instance
Prerequisites
Before you begin, make sure that you have:
A replica KMS instance. For more information, see Purchase a KMS instance.
Both the primary instance and the replica instance enabled. For more information, see Enable a KMS instance.
Procedure
On the Cross-region Synchronization page, click Add Replica Instance.
Select the primary instance and the replica instance and click Next.
Select a resource synchronization type and click Next. You can select 1 and 2 or 2 and 3 at the same time, but you cannot select 1 and 3 at the same time.
| Synchronization type | Description |
|---|---|
| 1. Full Synchronization | Only existing keys in the primary instance are synchronized. Keys that are created after the synchronization are not synchronized. For example, if the primary instance has 10 keys, only the 10 keys are synchronized. Subsequent changes to the keys are also synchronized. |
| 2. Incremental Key Synchronization | Existing keys in the primary instance are not synchronized. Keys that are created after the synchronization are synchronized. |
| 3. Synchronization of Selected Resources | Only the keys that you select are synchronized. Subsequent changes to the keys are also synchronized. |
Confirm the configurations and click OK.
Verify synchronization
Wait for approximately 3 to 5 minutes. After the synchronization is complete, the status of the primary instance is Synchronized 100%. Subsequent synchronization is performed every minute.
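A drift check you can run after association, as an added example that is not Alibaba Cloud's code: it compares a primary key inventory with a replica inventory using the synchronized/not-synchronized split above, and reports keys the replica lacks (not yet synchronized, or skipped because of an ID conflict), synchronized properties that differ, and custom key policies that still have to be mirrored by hand. The inventories, key IDs, fingerprints and policy names are constructed sample data; how you list keys from each instance is up to you, and `material_fingerprint` is a hypothetical digest stand-in, not a KMS attribute.

```python
"""Drift check between a primary KMS instance and one replica, over constructed inventories."""
from dataclasses import dataclass

# Key properties the page lists as synchronized; policy and alias are managed per instance.
SYNCED_FIELDS = ("primary_version", "versions", "material_fingerprint", "status", "deletion_protection")

@dataclass
class KeyRecord:
    key_id: str                   # identical on primary and replica (synchronized)
    primary_version: str
    versions: list[str]
    material_fingerprint: str     # hypothetical digest of the material, never the material itself
    status: str
    deletion_protection: bool
    policy: str = "default"       # not synchronized: a custom policy must be set on each replica
    alias: str = ""               # not synchronized: differences are expected and not reported

def check_replica_sync(primary: dict[str, KeyRecord], replica: dict[str, KeyRecord]) -> dict:
    """Return keys missing from the replica, synchronized fields that differ, and unmirrored custom policies."""
    report: dict = {"missing": [], "drift": [], "policy_mismatch": []}
    for key_id, pkey in primary.items():
        rkey = replica.get(key_id)
        if rkey is None:
            report["missing"].append(key_id)   # not yet synchronized, or skipped by KMS
            continue
        for name in SYNCED_FIELDS:
            pval, rval = getattr(pkey, name), getattr(rkey, name)
            if pval != rval:
                # Same-ID key skipped by KMS -> fingerprint differs; rotation not yet propagated -> versions differ.
                report["drift"].append((key_id, name, pval, rval))
        if pkey.policy != "default" and pkey.policy != rkey.policy:
            report["policy_mismatch"].append(key_id)
    return report

# Constructed sample inventories (not real KMS output).
PRIMARY = {
    "key-1": KeyRecord("key-1", "v2", ["v1", "v2"], "fp-1b", "Enabled", True, alias="alias/orders"),
    "key-2": KeyRecord("key-2", "v1", ["v1"], "fp-2", "Enabled", False, policy="custom-app-role"),
    "key-3": KeyRecord("key-3", "v1", ["v1"], "fp-3", "Enabled", False),
}
REPLICA = {
    "key-1": KeyRecord("key-1", "v1", ["v1"], "fp-1a", "Enabled", True),   # rotation not propagated yet
    "key-2": KeyRecord("key-2", "v1", ["v1"], "fp-2", "Enabled", False),   # policy left at default
}

if __name__ == "__main__":
    for category, items in check_replica_sync(PRIMARY, REPLICA).items():
        print(f"{category}: {items}")
```

Run it against both inventories until `missing` and `drift` are empty (allowing for the one-minute synchronization interval) and `policy_mismatch` lists nothing you have not configured on the replica.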

Next steps
Create access credentials so that applications in both the primary and secondary regions can use keys in the primary and replica instances for cryptographic operations. For more information, see SDK references.
| SDK | Access credential | Notes |
|---|---|---|
| Alibaba Cloud SDK | One credential for all instances | Supports only Resource Access Management (RAM) roles whose trusted entities are Alibaba Cloud services. |
| KMS Instance SDK | One credential per instance (primary and each replica) | Supports only client keys of application access points (AAPs). For more information, see Create an AAP. |