{"id":"e35c705b-94b5-4977-a17c-c85a826a7cce","task":"Set up AWS KMS multi-Region keys for cross-Region encryption and decryption","domain":"docs.aws.amazon.com","steps":["Create a multi-Region primary key in your primary AWS Region; note that the key material is the same across all related replicas","Replicate the primary key to one or more additional Regions using the KMS console or ReplicateKey API; each replica has a distinct ARN but shares key material","Update key policies on each replica independently; policies are not automatically synchronized across Regions","Encrypt data in one Region using the primary or a replica key, then decrypt in another Region using the local replica without sending ciphertext across Regions","Use multi-Region keys with DynamoDB global tables or cross-Region S3 replication where data must be readable in multiple Regions without cross-Region KMS calls","Monitor replication lag and key policy drift with CloudTrail events in each Region; set up alarms if a replica key becomes disabled"],"gotchas":["Multi-Region keys share key material, so compromising the material affects all replicas; treat the trust boundary as spanning all Regions where replicas exist","Deleting a primary key schedules deletion for all replicas; ensure replicas are deleted or promoted before deleting the primary, and consult current docs for the exact sequence","Automatic key rotation behavior on multi-Region keys differs from single-Region keys; check current docs for rotation support and how new key material propagates to replicas"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:40.623Z"},"url":"https://mcp.waymark.network/r/e35c705b-94b5-4977-a17c-c85a826a7cce"}