AWS Introduces Multi-Region Replication for Amazon Cognito to Improve Authentication Resilience

Amazon Web Services (AWS) has launched a new multi-region replication capability for Amazon Cognito, a move aimed at improving application resilience and reducing the complexity of managing user authentication across regions. The feature automatically replicates user identities and user pool configurations from a primary AWS region to a secondary region, allowing applications to continue authenticating users during regional service disruptions.

The update is expected to be particularly relevant for organizations operating critical digital services where uninterrupted access is essential, including sectors such as finance, e-commerce, public services and enterprise software.

Amazon Cognito Gains Built-In Multi-Region Support

Amazon Cognito is AWS’s managed identity platform that enables developers to authenticate users and control access to applications. With the new multi-region replication feature, user data, credentials and configuration settings are automatically synchronized from a primary region to a designated secondary region.

Replication is one-way: under normal operating conditions the secondary region holds a read-only replica of the primary user pool. If the primary region becomes unavailable and the application fails over, users can continue signing in with their existing credentials, without custom replication tooling or manual recovery procedures.

AWS says active user sessions remain valid because access tokens issued in either region are recognized by both regions, helping maintain continuity during service disruptions.

Reducing Operational Complexity

According to AWS Principal Developer Advocate Sébastien Stormacq, engineering teams have historically spent considerable effort creating and maintaining custom solutions to synchronize identity data across regions.

Those manual processes typically involved exporting and importing user data, which moved sensitive identity data outside the managed service and increased the likelihood of drift between regions. Regional transitions could also produce user-facing problems such as forced password resets or repeated authentication prompts.

By automating replication, AWS aims to simplify operations while improving reliability and user experience.

Support for Customer-Managed Encryption Keys

As part of the announcement, Amazon Cognito now also supports customer-managed encryption keys. The addition provides greater flexibility for organizations with strict security, governance and compliance requirements.

To use multi-region replication, customers must deploy a multi-region customer-managed AWS Key Management Service (KMS) key.
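The steps for the KMS side of that prerequisite, as an added example that is not AWS's own code or documentation: create a multi-Region customer-managed key in the primary region, replicate it to the replica region, and confirm that the two ARNs differ only in the region field (multi-Region key IDs begin with mrk- and are identical in every region the key is replicated to). The region names, alias, placeholder account ID, and the key-policy statement granting the Cognito service principal use of the key are assumptions; take the authoritative key policy from the Cognito documentation for your setup. Attaching the resulting key to the user pool is done through Cognito itself and is not shown here.

```shell
#!/bin/sh
# Added example (not AWS's code): provision the multi-Region KMS key that
# Cognito multi-region replication requires. Dry-run unless invoked with
# "--apply", so the helper functions can be exercised without AWS access.
set -eu

PRIMARY_REGION="${PRIMARY_REGION:-us-east-1}"     # assumed primary region
REPLICA_REGION="${REPLICA_REGION:-eu-west-1}"     # assumed replica region
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"          # placeholder account ID
ALIAS_NAME="alias/cognito-user-pool-mrk"          # assumed alias name

# A multi-Region key is recognisable by its key ID: it starts with "mrk-"
# (single-Region keys use a plain UUID). Returns 0 for a multi-Region key ARN.
is_mrk_key_arn() {
    case "$1" in
        arn:aws:kms:*:*:key/mrk-*|arn:aws-us-gov:kms:*:*:key/mrk-*) return 0 ;;
        *) return 1 ;;
    esac
}

# The replica of a multi-Region key keeps the same key ID, so its ARN is the
# primary ARN with the region field (field 4 of the colon-separated ARN) swapped.
replica_arn_for() {  # $1 = primary key ARN, $2 = replica region
    arn="$1"; region="$2"
    is_mrk_key_arn "$arn" || { echo "not a multi-Region key ARN: $arn" >&2; return 1; }
    echo "$arn" | awk -F: -v r="$region" 'BEGIN { OFS=":" } { $4 = r; print }'
}

# Key policy used for both the primary and the replica (replicate-key attaches
# the default policy unless one is supplied). The account root keeps admin
# control; the "CognitoUse" statement (service principal and actions) is an
# ASSUMPTION about what Cognito needs and must be checked against the docs.
key_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AccountAdmin", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
      "Action": "kms:*", "Resource": "*" },
    { "Sid": "CognitoUse", "Effect": "Allow",
      "Principal": { "Service": "cognito-idp.amazonaws.com" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:SourceAccount": "${ACCOUNT_ID}" } } }
  ]
}
EOF
}

# Create the key in the primary region, replicate it, and wait until the
# replica is Enabled before handing the ARN to Cognito.
create_and_replicate() {
    primary_arn=$(aws kms create-key --region "$PRIMARY_REGION" --multi-region \
        --description "Cognito user pool key (multi-Region)" \
        --policy "$(key_policy)" \
        --query 'KeyMetadata.Arn' --output text)
    aws kms create-alias --region "$PRIMARY_REGION" \
        --alias-name "$ALIAS_NAME" --target-key-id "$primary_arn"

    aws kms replicate-key --region "$PRIMARY_REGION" --key-id "$primary_arn" \
        --replica-region "$REPLICA_REGION" --policy "$(key_policy)" >/dev/null
    replica_arn=$(replica_arn_for "$primary_arn" "$REPLICA_REGION")
    # Aliases are regional, so the replica needs its own.
    aws kms create-alias --region "$REPLICA_REGION" \
        --alias-name "$ALIAS_NAME" --target-key-id "$replica_arn"

    # The replica starts in KeyState "Creating"; poll until it is usable.
    until [ "$(aws kms describe-key --region "$REPLICA_REGION" --key-id "$replica_arn" \
                --query 'KeyMetadata.KeyState' --output text)" = "Enabled" ]; do
        sleep 5
    done
    echo "primary: $primary_arn"
    echo "replica: $replica_arn"
}

if [ "${1:-}" = "--apply" ]; then
    create_and_replicate
else
    echo "dry run: would create a multi-Region key in $PRIMARY_REGION and replicate it to $REPLICA_REGION (pass --apply to run)"
fi
```

Run with `--apply` from a shell that already has credentials for the target account; everything else is a dry run. Using the replica ARN derived by replica_arn_for in the failover region's configuration avoids the common mistake of pointing the replica user pool at the primary region's ARN.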

AWS noted that the replication feature supports all major authentication methods, including:

  • Federated sign-in through social identity providers such as Amazon, Google, Apple and Facebook
  • Security Assertion Markup Language (SAML) integrations
  • OpenID Connect (OIDC) integrations
  • API authorization workflows

Availability Limited to New Cognito Infrastructure

AWS documentation states that multi-region replication is currently available only for user pools running on Amazon Cognito’s next-generation infrastructure, which the company recently introduced.

The announcement has been well received by members of the cloud computing community.

Industry Reaction

Luc van Donkersgoed, principal engineer at PostNL and author of aws-news.com, described the release as a long-awaited enhancement.

“This has been a major request for the longest time. Also glad to see continued investment in Cognito – it’s a pretty cool service.”

Others welcomed the operational benefits while noting that some limitations remain.

Daniele Frasca, an architect at DanAds, characterized the feature as a practical solution for many organizations seeking stronger authentication resilience. However, he highlighted several restrictions that organizations should consider before deployment.

Current Limitations

The system currently operates in an active-passive model rather than an active-active architecture.

Among the limitations identified:

  • New user registrations are not available in the secondary region under normal conditions
  • Password resets and profile updates are restricted unless a failover occurs
  • Time-based One-Time Password (TOTP) multi-factor authentication is not supported on the secondary region
  • DNS-based failover requires customers to manage custom domains and health checks
  • Account lockout counters are not synchronized between regions

For organizations that require a fully active-active authentication environment, or MFA that behaves identically in both regions, these constraints may influence deployment decisions. The unsynchronized lockout counters also deserve a security review: failed sign-in attempts recorded in the primary region are not known to the replica, so a failover effectively resets the lockout budget, and compensating controls such as rate limiting at the edge remain worthwhile.

Developer Community Responds Positively

Feedback from developers has generally been favourable, with many viewing the release as a significant improvement despite the current limitations.

The introduction of native multi-region support addresses a long-standing request from AWS customers seeking more resilient authentication infrastructure without the need for extensive custom engineering work.

The move also places Cognito in closer competition with identity providers such as Auth0, which has offered multi-region capabilities for several years.

Pricing and Regional Availability

AWS is offering multi-region replication as an add-on for Amazon Cognito Essentials and Plus tier customers.

Pricing is set at:

  • $0.0045 per monthly active user (MAU) per replica region for Essentials customers
  • $0.006 per MAU per replica region for Plus customers

For machine-to-machine (M2M) authentication workloads, customers will incur an additional 30 per cent charge on top of standard token issuance pricing.

The feature is available in a selection of AWS regions, including Northern Virginia, Singapore, Frankfurt and Ireland. Any supported region can function as either the source or replica region. Customer-managed key support is available across a wider range of AWS regions, including AWS GovCloud.

Conclusion

AWS’s introduction of multi-region replication for Amazon Cognito marks a significant enhancement for organizations seeking stronger authentication resilience and simplified disaster recovery planning. While the feature currently operates with several limitations, it reduces the need for custom-built replication systems and offers a more streamlined path to maintaining user access during regional outages. For many businesses relying on AWS infrastructure, the update represents a meaningful step toward more reliable identity management at scale.
