AWS IAM Identity Center Now Supports Customer-Managed KMS Keys for Encryption at Rest

Source: AWS Blog

AWS IAM Identity Center now supports using customer-managed AWS KMS keys (CMKs) to encrypt identity data such as user and group attributes at rest. This feature is designed for regulated industries requiring strict control over encryption keys beyond the default AWS-owned keys. Customers can manage the entire key lifecycle including creation, rotation, and deletion, while configuring granular access policies to restrict key usage to authorized principals only.

Every call Identity Center makes to the key is recorded in AWS CloudTrail, so key use can be audited and tied to compliance evidence. Identity Center accepts both single-Region and multi-Region CMKs, even though an Identity Center instance runs in a single Region today; a multi-Region key replicates the same key material across Regions, which gives customers a consistent encryption setup if their deployment later spans more than one Region.

Configuration involves creating a symmetric encryption CMK (key usage ENCRYPT_DECRYPT) and writing a key policy that authorizes Identity Center itself, the administrators who manage Identity Center, and any AWS managed applications that read identity data. Where the key or the Identity Center instance lives in another account, the IAM policies of the calling principals must also grant the cross-account key usage. Permissions are the main failure mode: a key policy that omits the service, or a key that is disabled or scheduled for deletion, prevents Identity Center from decrypting its identity data and breaks sign-in and access to AWS managed applications until the key is restored, so the key policy should be checked before the key is attached. The feature is available across all AWS commercial, GovCloud, and China regions, with standard AWS KMS charges applying.
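As an added example (not code from the AWS post), the following Python builds a key policy of the shape described above and runs a pre-flight check against it: which principals can use the key, which can only administer it, and whether any statement is open to every principal. The account ID and role names are constructed; `sso.amazonaws.com` is assumed to be the Identity Center service principal, and the `aws:SourceAccount` condition is a standard confused-deputy safeguard assumed here rather than taken from the post, so confirm both against the AWS documentation before using the policy.

```python
"""Build and sanity-check a KMS key policy for an IAM Identity Center CMK."""
import fnmatch
import json

# Constructed sample identifiers; the account and role names are hypothetical.
ACCOUNT_ID = "111122223333"
IDENTITY_CENTER_SERVICE_PRINCIPAL = "sso.amazonaws.com"  # assumed service principal
KEY_ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdministrator"
IDC_ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/IdentityCenterAdministrator"

# Key administrators manage the key but never use it for cryptographic operations.
KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# The service needs only the cryptographic operations, not key management.
SERVICE_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account_id, service_principal, key_admin_arn, idc_admin_arn):
    """Return a key policy dict suitable for `aws kms create-key --policy`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keep the account root so IAM policies can grant access and the
                # key never becomes unmanageable if a role is deleted.
                "Sid": "EnableIAMPolicies",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": key_admin_arn},
                "Action": KEY_ADMIN_ACTIONS,
                "Resource": "*",
            },
            {   # Identity Center's own use of the key, limited to this account
                # (aws:SourceAccount is an assumed confused-deputy safeguard).
                "Sid": "AllowIdentityCenterServiceUse",
                "Effect": "Allow",
                "Principal": {"Service": service_principal},
                "Action": SERVICE_USE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            },
            {
                "Sid": "AllowIdentityCenterAdministrators",
                "Effect": "Allow",
                "Principal": {"AWS": idc_admin_arn},
                "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement_principal, principal):
    """`principal` is {"AWS": arn} or {"Service": name}."""
    if statement_principal == "*":
        return True
    for ptype, pvalue in principal.items():
        if any(p in ("*", pvalue) for p in _as_list(statement_principal.get(ptype, []))):
            return True
    return False


def policy_allows(policy, principal, action):
    """Evaluate Allow/Deny statements by Principal and Action (wildcards honoured).
    Conditions, NotPrincipal and NotAction are not modelled; conditions only
    narrow a grant, so a True here is an upper bound on what the key allows."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny overrides every allow
        allowed = True
    return allowed


def unconditioned_wildcard_principals(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    flagged = []
    for stmt in policy["Statement"]:
        pr = stmt["Principal"]
        wildcard = pr == "*" or (isinstance(pr, dict) and "*" in _as_list(pr.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, IDENTITY_CENTER_SERVICE_PRINCIPAL,
                              KEY_ADMIN_ROLE_ARN, IDC_ADMIN_ROLE_ARN)
    print(json.dumps(policy, indent=2))
```

Write the printed JSON to a file and pass it as `--policy file://policy.json` to `aws kms create-key --key-spec SYMMETRIC_DEFAULT --key-usage ENCRYPT_DECRYPT`; the same `policy_allows` check can be rerun against the output of `aws kms get-key-policy` after any later edit to confirm the service principal still has its cryptographic permissions and key administrators still cannot decrypt identity data.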

👉 Read the original: AWS Blog