
Bring Your Own Key (BYOK): AWS IAM Identity Center Adopts CMKs to Meet Enterprise Compliance Needs


AWS recently announced that its IAM Identity Center service supports customer-managed KMS keys (CMKs) for encryption at rest. Organizations can use their own keys to encrypt Identity Center identity data at rest.

IAM Identity Center is a cloud service that centralizes the management of single sign-on (SSO) access to multiple AWS accounts and cloud applications. While Identity Center data has always been encrypted at rest using AWS-owned KMS keys, the new CMK support allows organizations to bring their own keys to encrypt their workforce identity data, such as user and group attributes.

The integration with AWS Key Management Service (KMS) is crucial as it transfers the control of the encryption key's lifecycle (creation, rotation, and deletion) directly to the customer.

[Figure: AWS KMS, create key, part 2 (Source: AWS News blog)]

Alex Milanovic, a senior product manager, AWS IAM Identity Center, summarized the core benefits in a LinkedIn post:

  • Complete control over their encryption keys.
  • Granular access management for identity data via KMS and IAM policies, ensuring only authorized principals can access their encrypted data.
  • Enhanced audit capabilities through detailed AWS CloudTrail logs of key usage.
  • Strengthened compliance posture for regulated industries requiring data sovereignty.

Sébastien Stormacq, developer evangelist at AWS, further detailed the level of control this enables:

You can configure granular access controls to keys with AWS Key Management Service (AWS KMS) key policies and IAM policies, helping to ensure that only authorized principals can access your encrypted data.

For auditing and regulatory purposes, the entire process is logged via AWS CloudTrail, providing a detailed record of key usage. This level of granular control over encryption keys is often a prerequisite for enterprises operating in highly regulated industries.
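Because the article points to CloudTrail as the audit record of CMK usage, here is an added example (not code from the article or from AWS) that scans CloudTrail records for KMS operations on a given key and flags calls from principals outside an allow-list or calls that were denied. The key ARN, account id, principal ARNs and the `sso.amazonaws.com` service name are constructed placeholders, as are the sample records.

```python
from collections import Counter

# Constructed sample CloudTrail records (placeholder ARNs, not real log data).
# Only the fields the audit function reads are included.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SSO_SERVICE = "sso.amazonaws.com"  # assumed Identity Center service principal
ANALYST = "arn:aws:iam::111122223333:user/analyst"
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": SSO_SERVICE},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AWSService", "invokedBy": SSO_SERVICE},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": ANALYST},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Unrelated/s"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",  # other key: ignored
     "userIdentity": {"type": "IAMUser", "arn": ANALYST},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # not KMS: ignored
]
ALLOWED = {SSO_SERVICE}  # principals expected to use the Identity Center CMK


def principal_of(event):
    """Prefer the IAM principal ARN; fall back to the invoking AWS service."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def audit_key_usage(events, key_arn, allowed_principals):
    """Return (counts, findings): counts tallies KMS calls per (principal, eventName)
    on key_arn; findings lists denied calls and calls by non-allow-listed principals."""
    counts, findings = Counter(), []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        who, op = principal_of(ev), ev.get("eventName")
        counts[(who, op)] += 1
        if ev.get("errorCode"):
            findings.append(f"denied {op} by {who}: {ev['errorCode']}")
        elif who not in allowed_principals:
            findings.append(f"unexpected {op} by {who}")
    return counts, findings
```

Feeding it real records would mean reading the decompressed CloudTrail JSON from S3 and passing each entry of the `Records` array; the function itself needs no AWS credentials.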

The ability to use CMKs for data at rest is a standard requirement for enterprises due to compliance or security strategy, such as Bring Your Own Key. Other hyperscalers and products widely support it through their respective key management services.

Microsoft Azure facilitates this through Azure Key Vault, enabling customers to encrypt sensitive data across various services and authenticate access via Microsoft Entra ID. Similarly, Google Cloud offers CMKs via Cloud Key Management Service (Cloud KMS), providing a cryptographic boundary and full key lifecycle control for data in services like Cloud Storage and BigQuery.

Identity Center supports both single-region and multi-region keys to meet users' deployment needs. Although Identity Center instances can currently only be deployed in a single region, AWS recommends using multi-region AWS KMS keys unless company policy restricts users to single-region keys. It states that multi-region keys provide consistent key material across regions while maintaining independent key infrastructure in each region.

Lastly, the capability is currently available in all AWS commercial regions, AWS GovCloud (US), and AWS China regions. Pricing-wise, users pay for IAM Identity Center, and standard AWS KMS charges apply for key storage and API usage.
