aws-govcloud · vendor · News · The Broadside · 1 min read

Amazon Cognito adds customer-managed KMS keys for user pools

The feature gives Cognito teams a stronger audit story while leaving the hard compliance boundary decisions untouched.


TL;DR

AWS added customer-managed AWS Key Management Service (KMS) keys for Amazon Cognito user pool data at rest, with AWS-owned keys still the default. Cognito Essentials and Plus customers can apply a key to new or existing user pools, manage lifecycle and permissions in KMS, and audit key use in AWS CloudTrail. For contractors using Cognito in federal workloads, the useful artifact is evidence of key control; the remaining work is the KMS policy and lifecycle model.

Amazon Cognito now lets customers use customer-managed keys in AWS Key Management Service for user pool encryption at rest. AWS-owned keys remain the default, so nothing changes automatically: teams have to configure the key on a new user pool or update an existing one. Essentials and Plus tier user pools get the feature at no additional Cognito cost, while standard KMS charges still apply.

The compliance value is narrower than "full control" sounds, and more useful for it. A customer-managed key lets an organization write the KMS key policy, manage the key's lifecycle and usage permissions, and cut off access to the encrypted user pool data by disabling or deleting the key. Two caveats a practitioner should write down before relying on that: disabling the key removes Cognito's own ability to decrypt as well, so it is a pool-wide kill switch rather than a selective revocation; and KMS key deletion only takes effect after the scheduled waiting period (7 to 30 days), so disabling, not deletion, is the immediate control. CloudTrail records of key use give auditors a record of which principal requested which KMS operation (Decrypt, GenerateDataKey, DisableKey and so on) on the pool's key and when; it is a trail of key operations made on Cognito's behalf, not of reads of individual user records.

For federal workloads, that is key-governance evidence. It leaves two decisions with the customer: what identity data belongs in Cognito and how the service sits inside the authorization boundary. AWS’s Cognito data-protection guide says customers own security configuration and management tasks for content hosted in the service and warns against putting sensitive identifying information into free-form fields (https://docs.aws.amazon.com/cognito/latest/developerguide/data-protection.html). AWS’s FedRAMP service-scope page also tells customers to determine whether a service will process or store customer data and how it affects the compliance of the environment (https://aws.amazon.com/compliance/services-in-scope/FedRAMP/). Monday work: identify the pools that need customer-managed keys, lock down key administration, define revocation consequences for authentication, and decide what CloudTrail evidence will be retained.
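The CloudTrail evidence the two paragraphs above point at is only useful once someone decides what to pull out of it. The script below is an added example, not code from AWS or from The Broadside: it reads CloudTrail records in the `{"Records": [...]}` shape the service delivers to S3 and sorts one key's history into the buckets an auditor asks about (routine use by the expected principal, use by anyone else, changes to the key's availability, and failed calls, which is what a disabled key looks like from Cognito's side). The account id, GovCloud key ARN, role names, and the way Cognito's service calls appear in `userIdentity` are assumptions; the KMS API names and CloudTrail field names are real. The sample trail is constructed.

```python
"""Triage CloudTrail records for the customer-managed KMS key behind a Cognito user pool.

Added example, not code from AWS or The Broadside. The record layout follows
CloudTrail's documented fields (eventSource, eventName, userIdentity,
requestParameters, resources, errorCode); the account, key id, role names and
the way Cognito's service calls show up in userIdentity are assumptions.
"""
import json
from collections import Counter

# Assumed GovCloud key (AWS documentation example account id, placeholder key id).
KEY_ARN = ("arn:aws-us-gov:kms:us-gov-west-1:111122223333:"
           "key/1234abcd-12ab-34cd-56ef-1234567890ab")
# Assumed principals: the role Cognito calls KMS through, and the key administrators.
COGNITO_ROLE = "arn:aws-us-gov:iam::111122223333:role/cognito-key-user"
ADMIN_ROLE = "arn:aws-us-gov:iam::111122223333:role/kms-admin"
ALLOWED_USERS = {COGNITO_ROLE}
ALLOWED_ADMINS = {ADMIN_ROLE}

# Real KMS API names, grouped by what they mean for the pool.
DATA_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}
AVAILABILITY_OPS = {"DisableKey", "EnableKey", "ScheduleKeyDeletion", "CancelKeyDeletion",
                    "PutKeyPolicy", "RevokeGrant", "RetireGrant"}


def load_records(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def key_arns(event):
    """Keys a record refers to. Decrypt requests carry no keyId (the ciphertext
    identifies the key), so the resources block is the reliable field."""
    arns = {r.get("ARN") for r in event.get("resources") or []
            if r.get("type") == "AWS::KMS::Key"}
    key_id = (event.get("requestParameters") or {}).get("keyId")
    if key_id:
        arns.add(key_id)
    return arns


def principal(event):
    return (event.get("userIdentity") or {}).get("arn", "<unknown>")


def triage(events, key_arn=KEY_ARN, allowed_users=ALLOWED_USERS, allowed_admins=ALLOWED_ADMINS):
    """Split one key's history into the buckets an auditor asks about:
    who used it, who should not have, who changed its availability, what failed."""
    usage = Counter()
    unexpected, availability, failures = [], [], []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or key_arn not in key_arns(ev):
            continue
        name, who = ev.get("eventName"), principal(ev)
        if ev.get("errorCode"):
            failures.append((name, who, ev["errorCode"]))
        elif name in DATA_OPS:
            usage[(who, name)] += 1
            if who not in allowed_users:
                unexpected.append((ev.get("eventID"), name, who))
        elif name in AVAILABILITY_OPS:
            availability.append((name, who, who in allowed_admins))
    return {"usage": usage, "unexpected": unexpected,
            "availability": availability, "failures": failures}


def _record(event_id, name, who, key=KEY_ARN, invoked_by=None, error=None, key_in_request=True):
    """Build one constructed CloudTrail-shaped record for the sample below."""
    identity = {"type": "AssumedRole", "arn": who}
    if invoked_by:
        identity["invokedBy"] = invoked_by  # assumed form of a service-originated call
    ev = {"eventID": event_id, "eventSource": "kms.amazonaws.com", "eventName": name,
          "eventTime": "2025-12-01T14:02:11Z", "userIdentity": identity,
          "requestParameters": {"keyId": key} if key_in_request else None,
          "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}
    if error:
        ev["errorCode"] = error
    return ev


OTHER_KEY = KEY_ARN.replace("1234abcd", "ffffffff")

# Constructed sample trail: routine pool use, a stray human Decrypt, an admin
# disabling the key, the Decrypt that fails afterwards, and a call on another key.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("e1", "GenerateDataKey", COGNITO_ROLE, invoked_by="cognito-idp.amazonaws.com"),
    _record("e2", "Decrypt", COGNITO_ROLE, invoked_by="cognito-idp.amazonaws.com",
            key_in_request=False),
    _record("e3", "Decrypt", "arn:aws-us-gov:iam::111122223333:user/dev-laptop",
            key_in_request=False),
    _record("e4", "DisableKey", ADMIN_ROLE),
    _record("e5", "Decrypt", COGNITO_ROLE, invoked_by="cognito-idp.amazonaws.com",
            key_in_request=False, error="DisabledException"),
    _record("e6", "Decrypt", COGNITO_ROLE, key=OTHER_KEY, key_in_request=False),
]})

if __name__ == "__main__":
    report = triage(load_records(SAMPLE_TRAIL))
    for (who, op), n in sorted(report["usage"].items()):
        print(f"{n:3d} {op:<22} {who}")
    for bucket in ("unexpected", "availability", "failures"):
        for item in report[bucket]:
            print(f"{bucket.upper():<13}{item}")
```

On real data, `load_records` takes the contents of one of the gzipped files CloudTrail writes to the trail's S3 bucket; the `e5` record is the shape a Cognito-side failure takes once the key is disabled, which is the "revocation consequence" the pool's owners need to have decided on in advance.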


Published · Deep Fathom
