Create a multi-Region primary key in your primary AWS Region; note that the key material is the same across all related replicas
Replicate the primary key to one or more additional Regions using the KMS console or ReplicateKey API; each replica has a distinct ARN but shares key material
Update key policies on each replica independently; policies are not automatically synchronized across Regions
Encrypt data in one Region using the primary or a replica key, then decrypt in another Region using the local replica without sending ciphertext across Regions
Use multi-Region keys with DynamoDB global tables or cross-Region S3 replication where data must be readable in multiple Regions without cross-Region KMS calls
Monitor replication lag and key policy drift with CloudTrail events in each Region; set up alarms if a replica key becomes disabled
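The steps above, carried through in code as an added example (this is not AWS's own code or documentation): it creates and replicates a multi-Region key, derives the Region-local replica ARN from the primary ARN (the key ID is shared, only the Region segment changes), encrypts in one Region and decrypts in another while pinning the Decrypt call to the local replica, and offers two offline checks for the monitoring step: key-policy drift between primary and replica, and a disabled or non-multi-Region key in DescribeKey output. The ARN, account ID, and policy documents are constructed sample values; boto3 is imported lazily so the pure helpers run without AWS credentials.

```python
"""Helpers for the multi-Region KMS workflow (added example, not AWS's own code):
create/replicate a key, derive the Region-local replica ARN, encrypt in one
Region and decrypt in another without moving ciphertext, and check for
key-policy drift or disabled replicas. boto3 is imported only inside the
functions that call AWS, so the pure helpers run offline."""
import json
import re

# Key ARN layout: arn:partition:kms:region:account:key/key-id
_KEY_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):(?P<account>\d{12})"
    r":key/(?P<key_id>[^:/]+)$"
)


def parse_key_arn(arn):
    m = _KEY_ARN.match(arn)
    if m is None:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return m.groupdict()


def is_multi_region_key_id(key_id):
    # Multi-Region key IDs carry an "mrk-" prefix; single-Region keys are plain UUIDs.
    return key_id.startswith("mrk-")


def local_replica_arn(primary_arn, region):
    """Replicas share the key ID with the primary; only the Region in the ARN differs."""
    p = parse_key_arn(primary_arn)
    if not is_multi_region_key_id(p["key_id"]):
        raise ValueError("single-Region key: no replica exists in other Regions")
    return f"arn:{p['partition']}:kms:{region}:{p['account']}:key/{p['key_id']}"


def create_primary_key(region, description="multi-Region primary"):
    import boto3  # only needed for the live calls
    kms = boto3.client("kms", region_name=region)
    return kms.create_key(MultiRegion=True, Description=description)["KeyMetadata"]["Arn"]


def replicate_key(primary_arn, replica_region):
    """ReplicateKey must be called in the primary key's Region."""
    import boto3
    kms = boto3.client("kms", region_name=parse_key_arn(primary_arn)["region"])
    resp = kms.replicate_key(KeyId=primary_arn, ReplicaRegion=replica_region)
    return resp["ReplicaKeyMetadata"]["Arn"]


def encrypt_in_region(key_arn, plaintext):
    import boto3
    kms = boto3.client("kms", region_name=parse_key_arn(key_arn)["region"])
    return kms.encrypt(KeyId=key_arn, Plaintext=plaintext)["CiphertextBlob"]


def decrypt_locally(ciphertext, primary_arn, local_region):
    """Decrypt with the replica in local_region; passing KeyId pins the call to that replica."""
    import boto3
    key_arn = local_replica_arn(primary_arn, local_region)
    kms = boto3.client("kms", region_name=local_region)
    resp = kms.decrypt(CiphertextBlob=ciphertext, KeyId=key_arn)
    if resp["KeyId"] != key_arn:
        raise RuntimeError(f"decrypted by {resp['KeyId']}, expected local replica {key_arn}")
    return resp["Plaintext"]


def policy_drift(primary_policy, replica_policy):
    """Statements present in one key policy but not the other (order-independent)."""
    def canon(policy):
        doc = json.loads(policy) if isinstance(policy, str) else policy
        return {json.dumps(s, sort_keys=True) for s in doc.get("Statement", [])}
    a, b = canon(primary_policy), canon(replica_policy)
    return {"only_in_primary": sorted(a - b), "only_in_replica": sorted(b - a)}


def replica_issues(key_metadata):
    """Findings from a DescribeKey KeyMetadata dict that should raise an alarm."""
    issues = []
    if not key_metadata.get("MultiRegion"):
        issues.append("not a multi-Region key")
    if key_metadata.get("KeyState") != "Enabled":
        issues.append(f"key state is {key_metadata.get('KeyState')}")
    return issues


# Constructed sample data (not real keys or policies) for an offline run.
PRIMARY_ARN = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
ADMIN = {"Sid": "Admin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"}
APP = {"Sid": "AppDecrypt", "Effect": "Allow",
       "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
       "Action": ["kms:Decrypt"], "Resource": "*"}
PRIMARY_POLICY = {"Version": "2012-10-17", "Statement": [ADMIN, APP]}
REPLICA_POLICY = {"Version": "2012-10-17", "Statement": [ADMIN]}  # AppDecrypt never copied

if __name__ == "__main__":
    print(local_replica_arn(PRIMARY_ARN, "eu-west-1"))
    print(policy_drift(PRIMARY_POLICY, REPLICA_POLICY))
    print(replica_issues({"MultiRegion": True, "KeyState": "Disabled"}))
```

Run the policy and state checks from a scheduled job in each Region against GetKeyPolicy and DescribeKey output; a non-empty drift result or any finding from the state check is the condition to alarm on, since neither is propagated automatically.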
Known gotchas
Multi-Region keys share key material, so compromising the material affects all replicas; treat the trust boundary as spanning all Regions where replicas exist
Deleting a primary key schedules deletion for all replicas; ensure replicas are deleted or promoted before deleting the primary, and consult the current docs for the exact sequence
Automatic key rotation behavior on multi-Region keys differs from single-Region keys; verify current docs for rotation support and how new key material propagates to replicas