diff --git a/docs/nix_keyserver_deployment.md b/docs/nix_keyserver_deployment.md
--- a/docs/nix_keyserver_deployment.md
+++ b/docs/nix_keyserver_deployment.md
@@ -37,6 +37,10 @@
 - `COMM_DATABASE_USER`: The username the keyserver uses to connect to MariaDB. Replace `` with your desired username.
 - `COMM_DATABASE_PASSWORD`: Corresponding password for the above user. Replace `` with your desired password.
+### Primary Secondary configuration
+
+- `COMM_NODE_ROLE`: Specifies whether a node is primary or secondary. Currently only used for AWS-hosted keyservers
+
 ### Identity service configuration
 - `COMM_JSONCONFIG_secrets_user_credentials`: Credentials for authenticating against the Identity service. Replace `` and `` with any values. In the future, they will need to be actual credentials registered with the Identity service.
diff --git a/keyserver/src/keyserver.js b/keyserver/src/keyserver.js
--- a/keyserver/src/keyserver.js
+++ b/keyserver/src/keyserver.js
@@ -90,17 +90,26 @@
 const isCPUProfilingEnabled = process.env.KEYSERVER_CPU_PROFILING_ENABLED;
 const areEndpointMetricsEnabled = process.env.KEYSERVER_ENDPOINT_METRICS_ENABLED;
+ const isPrimaryNode = (() => {
+ if (process.env.COMM_NODE_ROLE) {
+ return process.env.COMM_NODE_ROLE === 'primary';
+ } else {
+ return true;
+ }
+ })();
 if (cluster.isMaster) {
- const didMigrationsSucceed: boolean = await migrate();
- if (!didMigrationsSucceed) {
- // The following line uses exit code 2 to ensure nodemon exits
- // in a dev environment, instead of restarting. Context provided
- // in https://github.com/remy/nodemon/issues/751
- process.exit(2);
+ if (isPrimaryNode) {
+ const didMigrationsSucceed: boolean = await migrate();
+ if (!didMigrationsSucceed) {
+ // The following line uses exit code 2 to ensure nodemon exits
+ // in a dev environment, instead of restarting. Context provided
+ // in https://github.com/remy/nodemon/issues/751
+ process.exit(2);
+ }
 }
- if (shouldDisplayQRCodeInTerminal) {
+ if (shouldDisplayQRCodeInTerminal && isPrimaryNode) {
 try {
 const aes256Key = crypto.randomBytes(32).toString('hex');
 const ed25519Key = await getContentSigningKey();
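Review bot: The `isPrimaryNode` check treats every non-empty `COMM_NODE_ROLE` other than the exact string `'primary'` as secondary, so a typo or different casing silently skips `migrate()` and the QR-code path with no error or log line. An unset variable resolves to primary, so two nodes started without it would both run migrations. Validating the value against the allowed set and failing startup on anything else would make a misconfiguration visible. The sketch below assumes `'secondary'` is the other intended value, which the docs hunk suggests but the code does not show. The enclosing function begins before this hunk and continues after it.

```javascript
const isPrimaryNode = (() => {
  const nodeRole = process.env.COMM_NODE_ROLE;
  if (!nodeRole) {
    // Unset keeps the single-node default.
    return true;
  }
  if (nodeRole !== 'primary' && nodeRole !== 'secondary') {
    // Fail closed: an unrecognised role must not silently skip migrations.
    throw new Error(`Unrecognised COMM_NODE_ROLE: ${nodeRole}`);
  }
  return nodeRole === 'primary';
})();
// … unchanged: cluster.isMaster branch, migrations, QR code display …
```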
@@ -127,14 +136,18 @@
 // commServicesAccessToken. In the future, this will be necessary for
 // many keyserver operations.
 const identityInfo = await verifyUserLoggedIn();
- // We don't await here, as Tunnelbroker communication is not needed for
- // normal keyserver behavior yet. In addition, this doesn't return
- // information useful for other keyserver functions.
- ignorePromiseRejections(
- createAndMaintainTunnelbrokerWebsocket(identityInfo),
- );
- if (process.env.NODE_ENV === 'development') {
- await createAuthoritativeKeyserverConfigFiles(identityInfo.userId);
+
+ if (isPrimaryNode) {
+ // We don't await here, as Tunnelbroker communication is not needed
+ // for normal keyserver behavior yet. In addition, this doesn't
+ // return information useful for other keyserver functions.
+ ignorePromiseRejections(
+ createAndMaintainTunnelbrokerWebsocket(identityInfo),
+ );
+
+ if (process.env.NODE_ENV === 'development') {
+ await createAuthoritativeKeyserverConfigFiles(identityInfo.userId);
+ }
 }
 } catch (e) {
 console.warn(
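Review bot: The `isPrimaryNode` gate opens only after `const identityInfo = await verifyUserLoggedIn();`, so secondary nodes still run that call on startup while skipping the Tunnelbroker websocket and the config-file creation. Its body is not visible here; if it can log in to or register with the Identity service rather than only read existing state, several nodes sharing one keyserver identity would do so concurrently, which is worth confirming. The new block would also benefit from a line stating the intent, for example `// Only the primary node maintains the Tunnelbroker connection; secondary nodes skip it.`, with the reason filled in by the author. The enclosing `try` starts before the hunk and its `catch` continues past it.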