Amazon Cognito supports customer-managed KMS keys for data encryption
Amazon Cognito now allows user pools to use customer-managed keys from AWS Key Management Service (KMS) for encrypting data at rest. This feature provides enhanced control over encryption keys, enabling better data governance and auditing capabilities for organizations. It is available for Essentials and Plus tiers with standard KMS charges applying.
Features
- Customer managed KMS keys for Cognito user pool data encryption
Amazon Cognito user pools can now use customer-managed keys from AWS KMS for encrypting identity data at rest, offering greater control over encryption and access.
Enhancements
- Improved data governance and auditing capabilities
With a customer-managed key, organizations can enforce their own key policies, revoke access to the encrypted data by managing the key itself, and monitor every use of the key through AWS CloudTrail, giving greater governance over and visibility into identity data.
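The CloudTrail monitoring this enhancement describes, as an added example that is not part of the original announcement and not Amazon's code: it reduces CloudTrail records to who used a given KMS key, which calls were denied, and which administrative changes were made to it. The key ARN, account id, principal names (including the `cognito-idp.amazonaws.com` service identity) and the sample records are constructed placeholders; only the CloudTrail field names (`eventSource`, `eventName`, `userIdentity`, `resources`, `errorCode`) are the standard record shape.

```python
"""Audit CloudTrail records for use of one customer-managed KMS key.

Added example, not Amazon's code. Assumes standard CloudTrail record fields;
all ARNs, account ids, principals and events below are constructed.
"""
import json
from collections import Counter

# Constructed placeholder for the customer-managed key the user pool uses.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# KMS actions that mean the key was used on data, as opposed to administered.
DATA_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}
# KMS actions that change whether or by whom the key can be used; worth alerting on.
ADMIN_OPS = {"DisableKey", "EnableKey", "ScheduleKeyDeletion", "PutKeyPolicy",
             "CreateGrant", "RevokeGrant"}

# Constructed sample CloudTrail events, abridged to the fields the audit reads.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "cognito-idp.amazonaws.com"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AWSService", "invokedBy": "cognito-idp.amazonaws.com"},
     "resources": [{"ARN": KEY_ARN}]},
    # A human principal tried to use the key directly and was refused by the key policy.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "resources": [{"ARN": KEY_ARN}], "errorCode": "AccessDenied"},
    # A key administrator disabled the key: this is the "revoke access" lever.
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:role/KeyAdmin"},
     "resources": [{"ARN": KEY_ARN}]},
    # Noise: a different key, and a non-KMS event, both must be ignored.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "cognito-idp.amazonaws.com"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/other-key"}]},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DescribeUserPool",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "resources": []},
]


def load_records(text):
    """Parse a CloudTrail log file object ({"Records": [...]}) into a list of events."""
    return json.loads(text).get("Records", [])


def principal_of(event):
    """Best-effort label for the caller, taken from CloudTrail's userIdentity block."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AWSService":
        return ident.get("invokedBy", "unknown-service")
    return ident.get("arn") or ident.get("principalId", "unknown")


def touches_key(event, key_arn):
    """True if the event lists the audited key among its resources."""
    return any(r.get("ARN") == key_arn for r in event.get("resources", []))


def summarize_key_usage(events, key_arn):
    """Return successful data-plane use per (principal, action), denied calls, and admin changes."""
    usage = Counter()
    denied = []
    admin = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or not touches_key(ev, key_arn):
            continue
        name = ev.get("eventName")
        who = principal_of(ev)
        if ev.get("errorCode"):
            denied.append((who, name, ev["errorCode"]))
            continue
        if name in DATA_OPS:
            usage[(who, name)] += 1
        elif name in ADMIN_OPS:
            admin.append((who, name))
    return {"usage": dict(usage), "denied": denied, "admin": admin}


if __name__ == "__main__":
    report = summarize_key_usage(SAMPLE_EVENTS, KEY_ARN)
    for (who, action), n in sorted(report["usage"].items()):
        print(f"used  {action:<24} by {who} x{n}")
    for who, action, err in report["denied"]:
        print(f"DENY  {action:<24} by {who} ({err})")
    for who, action in report["admin"]:
        print(f"ADMIN {action:<24} by {who}")
```

In production the events would come from CloudTrail log files in S3 or a CloudTrail Lake query rather than the inline list; the point of the split into usage, denied and admin buckets is that the expected steady state is only the Cognito service identity appearing under usage, so anything else under usage, any denied entry, and any admin entry is a review item.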
Notes
- Availability and configuration options
Customer managed keys are available in Cognito Essentials and Plus tiers at no extra cost beyond standard AWS KMS charges. Configuration can be done via the AWS Management Console, CLI, or SDKs.
https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-cognito-customer-managed-key