The aws:ssmincidents/replicationSet:ReplicationSet resource, part of the Pulumi AWS provider, establishes the foundational replication set for AWS Systems Manager Incident Manager, defining which regions store incident data and how that data is encrypted. This guide focuses on three capabilities: single-region setup, customer managed key encryption, and multi-region expansion.
Replication sets are the prerequisite for all Incident Manager resources. You cannot create response plans, contacts, or escalation plans until a replication set exists. Deleting a replication set removes all associated incident data. The examples are intentionally small. Combine them with response plans and contact resources to build a complete incident management system.
Create a single-region replication set
Before you can track incidents or create response plans, you need a replication set to establish where Incident Manager stores data.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const replicationSetName = new aws.ssmincidents.ReplicationSet("replicationSetName", {
regions: [{
name: "us-west-2",
}],
tags: {
exampleTag: "exampleValue",
},
});
import pulumi
import pulumi_aws as aws
replication_set_name = aws.ssmincidents.ReplicationSet("replicationSetName",
regions=[{
"name": "us-west-2",
}],
tags={
"exampleTag": "exampleValue",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssmincidents"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssmincidents.NewReplicationSet(ctx, "replicationSetName", &ssmincidents.ReplicationSetArgs{
Regions: ssmincidents.ReplicationSetRegionArray{
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("us-west-2"),
},
},
Tags: pulumi.StringMap{
"exampleTag": pulumi.String("exampleValue"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var replicationSetName = new Aws.SsmIncidents.ReplicationSet("replicationSetName", new()
{
Regions = new[]
{
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "us-west-2",
},
},
Tags =
{
{ "exampleTag", "exampleValue" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssmincidents.ReplicationSet;
import com.pulumi.aws.ssmincidents.ReplicationSetArgs;
import com.pulumi.aws.ssmincidents.inputs.ReplicationSetRegionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var replicationSetName = new ReplicationSet("replicationSetName", ReplicationSetArgs.builder()
.regions(ReplicationSetRegionArgs.builder()
.name("us-west-2")
.build())
.tags(Map.of("exampleTag", "exampleValue"))
.build());
}
}
resources:
replicationSetName:
type: aws:ssmincidents:ReplicationSet
properties:
regions:
- name: us-west-2
tags:
exampleTag: exampleValue
The regions array defines where Incident Manager replicates incident data. Each region entry requires a name property. The replication set uses AWS-owned encryption keys by default. The provider region must match one of the regions in the replication set.
Encrypt incident data with a customer managed key
Organizations with compliance requirements often control encryption keys to maintain audit trails and rotation policies.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleKey = new aws.kms.Key("example_key", {});
const replicationSetName = new aws.ssmincidents.ReplicationSet("replicationSetName", {
regions: [{
name: "us-west-2",
kmsKeyArn: exampleKey.arn,
}],
tags: {
exampleTag: "exampleValue",
},
});
import pulumi
import pulumi_aws as aws
example_key = aws.kms.Key("example_key")
replication_set_name = aws.ssmincidents.ReplicationSet("replicationSetName",
regions=[{
"name": "us-west-2",
"kms_key_arn": example_key.arn,
}],
tags={
"exampleTag": "exampleValue",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssmincidents"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleKey, err := kms.NewKey(ctx, "example_key", nil)
if err != nil {
return err
}
_, err = ssmincidents.NewReplicationSet(ctx, "replicationSetName", &ssmincidents.ReplicationSetArgs{
Regions: ssmincidents.ReplicationSetRegionArray{
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("us-west-2"),
KmsKeyArn: exampleKey.Arn,
},
},
Tags: pulumi.StringMap{
"exampleTag": pulumi.String("exampleValue"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleKey = new Aws.Kms.Key("example_key");
var replicationSetName = new Aws.SsmIncidents.ReplicationSet("replicationSetName", new()
{
Regions = new[]
{
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "us-west-2",
KmsKeyArn = exampleKey.Arn,
},
},
Tags =
{
{ "exampleTag", "exampleValue" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.ssmincidents.ReplicationSet;
import com.pulumi.aws.ssmincidents.ReplicationSetArgs;
import com.pulumi.aws.ssmincidents.inputs.ReplicationSetRegionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleKey = new Key("exampleKey");
var replicationSetName = new ReplicationSet("replicationSetName", ReplicationSetArgs.builder()
.regions(ReplicationSetRegionArgs.builder()
.name("us-west-2")
.kmsKeyArn(exampleKey.arn())
.build())
.tags(Map.of("exampleTag", "exampleValue"))
.build());
}
}
resources:
exampleKey:
type: aws:kms:Key
name: example_key
replicationSetName:
type: aws:ssmincidents:ReplicationSet
properties:
regions:
- name: us-west-2
kmsKeyArn: ${exampleKey.arn}
tags:
exampleTag: exampleValue
The kmsKeyArn property specifies a customer managed KMS key for encrypting incident data in that region. You must use either AWS-owned keys or customer managed keys across all regions; you cannot mix key types. Changing key types requires deleting and recreating the replication set and all associated data.
Add a second region for redundancy
After establishing Incident Manager in one region, teams add a second region for cross-region incident response.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const replicationSetName = new aws.ssmincidents.ReplicationSet("replicationSetName", {regions: [
{
name: "us-west-2",
},
{
name: "ap-southeast-2",
},
]});
import pulumi
import pulumi_aws as aws
replication_set_name = aws.ssmincidents.ReplicationSet("replicationSetName", regions=[
{
"name": "us-west-2",
},
{
"name": "ap-southeast-2",
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ssmincidents"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ssmincidents.NewReplicationSet(ctx, "replicationSetName", &ssmincidents.ReplicationSetArgs{
Regions: ssmincidents.ReplicationSetRegionArray{
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("us-west-2"),
},
&ssmincidents.ReplicationSetRegionArgs{
Name: pulumi.String("ap-southeast-2"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var replicationSetName = new Aws.SsmIncidents.ReplicationSet("replicationSetName", new()
{
Regions = new[]
{
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "us-west-2",
},
new Aws.SsmIncidents.Inputs.ReplicationSetRegionArgs
{
Name = "ap-southeast-2",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssmincidents.ReplicationSet;
import com.pulumi.aws.ssmincidents.ReplicationSetArgs;
import com.pulumi.aws.ssmincidents.inputs.ReplicationSetRegionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var replicationSetName = new ReplicationSet("replicationSetName", ReplicationSetArgs.builder()
.regions(
ReplicationSetRegionArgs.builder()
.name("us-west-2")
.build(),
ReplicationSetRegionArgs.builder()
.name("ap-southeast-2")
.build())
.build());
}
}
resources:
replicationSetName:
type: aws:ssmincidents:ReplicationSet
properties:
regions:
- name: us-west-2
- name: ap-southeast-2
Adding a region extends the replication set to store incident data in multiple locations. You can add only one region at a time; attempting to add multiple regions in a single deployment fails. The provider region must always be one of the configured regions.
Beyond these examples
These snippets focus on specific replication set features: single and multi-region replication and customer managed key encryption. They’re intentionally minimal rather than complete incident management systems.
The examples may reference pre-existing infrastructure such as KMS keys for encrypted replication sets. They focus on configuring the replication set rather than provisioning the full incident management stack.
To keep things focused, common replication set patterns are omitted, including:
- Region removal operations (Example 3 shows deletion but is rarely needed)
- Deletion protection configuration (deletionProtected property)
- Key rotation and key replacement workflows
- Response plan and contact configuration (separate resources)
These omissions are intentional: the goal is to illustrate how replication set features are wired, not provide drop-in incident management modules. See the SSM Incidents ReplicationSet resource reference for all available configuration options.
Let's configure AWS Systems Manager Incident Manager Replication Sets
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Data Loss & Deletion
deletionProtected is true, the last region in a replication set cannot be deleted. This prevents accidental deletion of the entire replication set.Region Management
regions array and deploy separately for each region change.KMS Key Configuration
kmsKeyArn for each region in the regions array, pointing to your KMS key ARN.Using a different cloud?
Explore integration guides for other cloud providers: