The aws:ssmincidents/replicationSet:ReplicationSet resource, part of the Pulumi AWS provider, establishes the foundational replication set for AWS Systems Manager Incident Manager, defining which regions store incident data and how that data is encrypted. This guide focuses on three capabilities: single-region replication set creation, customer managed key encryption, and multi-region expansion.
A replication set is the prerequisite for all Incident Manager functionality. The AWS provider region must always be one of the regions in the replication set. Deleting a replication set removes all Incident Manager data including response plans, incident records, contacts, and escalation plans. The examples are intentionally small. Combine them with your own response plans and incident workflows.
Create a single-region replication set
Before creating response plans or tracking incidents, you need a replication set to establish where Incident Manager stores data.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const replicationSetName = new aws.ssmincidents.ReplicationSet("replicationSetName", {
regions: [{
name: "us-west-2",
}],
tags: {
exampleTag: "exampleValue",
},
});
import pulumi
import pulumi_aws as aws
replication_set_name = aws.ssmincidents.ReplicationSet("replicationSetName",
regions=[{
"name": "us-west-2",
}],
tags={
"exampleTag": "exampleValue",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssmincidents"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssmincidents.NewReplicationSet(ctx, "replicationSetName", &ssmincidents.ReplicationSetArgs{
Regions: ssmincidents.ReplicationSetRegionArray{
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("us-west-2"),
},
},
Tags: pulumi.StringMap{
"exampleTag": pulumi.String("exampleValue"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var replicationSetName = new Aws.SsmIncidents.ReplicationSet("replicationSetName", new()
{
Regions = new[]
{
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "us-west-2",
},
},
Tags =
{
{ "exampleTag", "exampleValue" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssmincidents.ReplicationSet;
import com.pulumi.aws.ssmincidents.ReplicationSetArgs;
import com.pulumi.aws.ssmincidents.inputs.ReplicationSetRegionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var replicationSetName = new ReplicationSet("replicationSetName", ReplicationSetArgs.builder()
.regions(ReplicationSetRegionArgs.builder()
.name("us-west-2")
.build())
.tags(Map.of("exampleTag", "exampleValue"))
.build());
}
}
resources:
replicationSetName:
type: aws:ssmincidents:ReplicationSet
properties:
regions:
- name: us-west-2
tags:
exampleTag: exampleValue
The regions array defines where Incident Manager replicates incident data. Each region entry requires a name property. Starting with one region establishes the foundation; you can add more regions later. The provider region must match one of the regions in the replication set.
Encrypt incident data with a customer managed key
Organizations with compliance requirements often control encryption keys for incident data to maintain audit trails and key rotation policies.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleKey = new aws.kms.Key("example_key", {});
const replicationSetName = new aws.ssmincidents.ReplicationSet("replicationSetName", {
regions: [{
name: "us-west-2",
kmsKeyArn: exampleKey.arn,
}],
tags: {
exampleTag: "exampleValue",
},
});
import pulumi
import pulumi_aws as aws
example_key = aws.kms.Key("example_key")
replication_set_name = aws.ssmincidents.ReplicationSet("replicationSetName",
regions=[{
"name": "us-west-2",
"kms_key_arn": example_key.arn,
}],
tags={
"exampleTag": "exampleValue",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssmincidents"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleKey, err := kms.NewKey(ctx, "example_key", nil)
if err != nil {
return err
}
_, err = ssmincidents.NewReplicationSet(ctx, "replicationSetName", &ssmincidents.ReplicationSetArgs{
Regions: ssmincidents.ReplicationSetRegionArray{
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("us-west-2"),
KmsKeyArn: exampleKey.Arn,
},
},
Tags: pulumi.StringMap{
"exampleTag": pulumi.String("exampleValue"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleKey = new Aws.Kms.Key("example_key");
var replicationSetName = new Aws.SsmIncidents.ReplicationSet("replicationSetName", new()
{
Regions = new[]
{
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "us-west-2",
KmsKeyArn = exampleKey.Arn,
},
},
Tags =
{
{ "exampleTag", "exampleValue" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.ssmincidents.ReplicationSet;
import com.pulumi.aws.ssmincidents.ReplicationSetArgs;
import com.pulumi.aws.ssmincidents.inputs.ReplicationSetRegionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleKey = new Key("exampleKey");
var replicationSetName = new ReplicationSet("replicationSetName", ReplicationSetArgs.builder()
.regions(ReplicationSetRegionArgs.builder()
.name("us-west-2")
.kmsKeyArn(exampleKey.arn())
.build())
.tags(Map.of("exampleTag", "exampleValue"))
.build());
}
}
resources:
exampleKey:
type: aws:kms:Key
name: example_key
replicationSetName:
type: aws:ssmincidents:ReplicationSet
properties:
regions:
- name: us-west-2
kmsKeyArn: ${exampleKey.arn}
tags:
exampleTag: exampleValue
The kmsKeyArn property specifies a customer managed KMS key for encrypting incident data in that region. The key must exist before creating the replication set. All regions in a replication set must use either AWS-owned keys or customer managed keys; you cannot mix encryption types. Changing encryption keys requires deleting and recreating the replication set.
Add a region to an existing replication set
As incident management expands across regions, you add regions one at a time to enable cross-region tracking and response coordination.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const replicationSetName = new aws.ssmincidents.ReplicationSet("replicationSetName", {regions: [
{
name: "us-west-2",
},
{
name: "ap-southeast-2",
},
]});
import pulumi
import pulumi_aws as aws
replication_set_name = aws.ssmincidents.ReplicationSet("replicationSetName", regions=[
{
"name": "us-west-2",
},
{
"name": "ap-southeast-2",
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssmincidents"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssmincidents.NewReplicationSet(ctx, "replicationSetName", &ssmincidents.ReplicationSetArgs{
Regions: ssmincidents.ReplicationSetRegionArray{
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("us-west-2"),
},
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("ap-southeast-2"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var replicationSetName = new Aws.SsmIncidents.ReplicationSet("replicationSetName", new()
{
Regions = new[]
{
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "us-west-2",
},
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "ap-southeast-2",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssmincidents.ReplicationSet;
import com.pulumi.aws.ssmincidents.ReplicationSetArgs;
import com.pulumi.aws.ssmincidents.inputs.ReplicationSetRegionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var replicationSetName = new ReplicationSet("replicationSetName", ReplicationSetArgs.builder()
.regions(
ReplicationSetRegionArgs.builder()
.name("us-west-2")
.build(),
ReplicationSetRegionArgs.builder()
.name("ap-southeast-2")
.build())
.build());
}
}
resources:
replicationSetName:
type: aws:ssmincidents:ReplicationSet
properties:
regions:
- name: us-west-2
- name: ap-southeast-2
Adding a second region to the regions array expands the replication set. AWS allows adding only one region per deployment operation. Each new region replicates incident data, enabling teams in different regions to coordinate responses. The provider region must remain one of the configured regions throughout updates.
Beyond these examples
These snippets focus on specific replication set features: single and multi-region replication, and customer managed key encryption. They’re intentionally minimal rather than complete incident management systems.
The examples may reference pre-existing infrastructure such as KMS keys for encrypted replication sets, and an AWS provider configured for a region included in the replication set. They focus on establishing the replication set rather than the incident management workflows built on top of it.
To keep things focused, replication set patterns are omitted, including:
- Region removal operations (Example 3 shows deletion but is inverse of addition)
- Deletion protection configuration (deletionProtected output property)
- Response plans and incident records (created after replication set exists)
- Key rotation and re-encryption workflows
These omissions are intentional: the goal is to illustrate how replication set configuration is wired, not provide drop-in incident management modules. See the SSM Incidents ReplicationSet resource reference for all available configuration options.
Let's configure AWS Systems Manager Incident Manager Replication Sets
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Deletion & Data Loss
Region Management
regions array and deploy. Remember you can only add one region per deployment.regions array and deploy. You can only delete one region per deployment.deletionProtected is true, the last region in a replication set cannot be deleted, protecting against accidental data loss.KMS Key Management
kmsKeyArn in the region configuration with your KMS key ARN. Create the KMS keys before or alongside the replication set to avoid deletion issues.Configuration Requirements
regions list. This is critical for complex update operations.ACTIVE, CREATING, UPDATING, DELETING, and FAILED.Using a different cloud?
Explore integration guides for other cloud providers: