Cognito resource replication with Arpio

Arpio supports replication of Cognito entities to the recovery environment, making it possible to easily recovery workloads that use Cognito for user management and authentication.

Arpio provisions the following resource types from Amazon Cognito.

Cognito User Pool

Arpio replicates selected user pools to the recovery environment. Users and groups within the user pools are bulk-imported into the user pool when a recovery test or a failover is performed.

It is not possible to replicate user passwords from the production environment into the recovery environment, because those "secrets" can not be read from the production environment. Accordingly, when Arpio replicates users to the recovery environment, those users are created in a FORCE_CHANGE_PASSWORD state, and a password reset is required. This limitation does not apply for SAML-authenticated users.

Users created in the recovery environment user pools are given a new unique subject ID (the user attribute called "sub"). To facilitate correlating users in the recovery environment to their identity in the production environment, Arpio stores their production environment sub in a custom attribute called "arpio_sub". You will see this attribute on users in the recovery environment as "custom:arpio_sub".

Arpio does not replicate Lambda handlers on user pools, nor does it replicate SES email configuration. Email configuration requires an AWS support ticket to enable sending from the recovery account. This configuration can be done manually through the AWS console to enable email delivery from the recovery environment.

Cognito User Pool Client

Arpio replicates user pool clients to the recovery environment. All user pool client attributes are replicated, except for the optional Pinpoint Analytics integration.

Cognito Identity Provider

Arpio replicates identity providers identically to the recovery environment. During a failover, though, your customers will need to reference the assertion consumer service associated with Cognito in your recovery region. Depending on the configuration of their identity provider, they may also need to reference the entity ID of the user pool in recovery environment.