Encryption at rest
IAM Identity Center provides encryption to protect customer data at rest using the following key types:
- Amazon owned keys (default key type): IAM Identity Center uses these keys by default to automatically encrypt your data. You can't view, manage, or audit their use, and you can't use Amazon owned keys for other purposes. IAM Identity Center handles key management entirely, so no action is required on your part. For more information, see Amazon owned keys in the Amazon Key Management Service Developer Guide.
- Customer managed keys: In organization instances of IAM Identity Center, you can choose a symmetric customer managed key for encryption at rest of your workforce identity data, such as user and group attributes. You create, own, and manage these encryption keys. Because you have full control of this layer of encryption, you can perform tasks such as:
  - Establishing and maintaining key policies that restrict access to the key to only the IAM principals that need it, such as IAM Identity Center, Amazon managed applications in the same Amazon Organizations organization, and their administrators.
  - Establishing and maintaining IAM policies for access to the key, including cross-account access.
  - Enabling and disabling the key.
  - Rotating the key's cryptographic material.
  - Auditing access to your data that requires use of the key.
  - Adding tags.
  - Creating key aliases.
  - Scheduling the key for deletion.
To learn how to implement a customer managed KMS key in IAM Identity Center, see Implementing customer managed KMS keys in Amazon IAM Identity Center. For more information about customer managed keys, see Customer managed keys in the Amazon Key Management Service Developer Guide.
Note
IAM Identity Center automatically enables encryption at rest using Amazon owned KMS keys to protect customer data at no charge. However, Amazon KMS charges apply when you use a customer managed key. For more information about pricing, see Amazon Key Management Service pricing.
Considerations for implementing customer managed keys:
- Exception for existing sessions: Encryption at rest with a customer managed key also applies to workforce identity data, such as user and group attributes, that is temporarily stored in user sessions. When you configure a customer managed key in IAM Identity Center, it is used to encrypt workforce identity data in new sessions. In sessions initiated before the release of this feature, workforce identity data remains encrypted with the default Amazon owned keys until the session expires (after at most 90 days) or is terminated, at which point the data is automatically deleted.
- Dedicated keys: We recommend creating a new, dedicated customer managed KMS key for each IAM Identity Center instance rather than reusing an existing key. A dedicated key gives clearer separation of duties, simplifies access control, and makes security auditing more straightforward. It also reduces risk, because a change to the key (disabling it, rotating it, or scheduling it for deletion) affects only a single IAM Identity Center instance.
Note
IAM Identity Center uses envelope encryption: your data is encrypted with a data key, and that data key is itself encrypted under the KMS key. For more information about Amazon KMS, see What is Amazon Key Management Service?
IAM Identity Center encryption context
An encryption context is a set of non-secret key-value pairs that Amazon KMS cryptographically binds to the ciphertext. The same context must be supplied to decrypt the data, and it is recorded in CloudTrail, so it can be used both to control and to audit use of the key.
IAM Identity Center uses the following encryption context keys: aws:sso:instance-arn, aws:identitystore:identitystore-arn, and tenant-key-id. For example, the following encryption context can appear in Amazon KMS API operations invoked by the IAM Identity Center API:
"encryptionContext": {
    "tenant-key-id": "ssoins-1234567890abcdef",
    "aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
}
The following encryption context can appear in Amazon KMS API operations invoked by the Identity Store API:
"encryptionContext": {
    "tenant-key-id": "12345678-1234-1234-1234-123456789012",
    "aws:identitystore:identitystore-arn": "arn:aws:identitystore::123456789012:identitystore/d-1234567890"
}
Using encryption context to control access to your customer managed key
You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. Some of the key policy templates in the Advanced KMS key policy statements include such conditions to ensure the key is used only with a specific IAM Identity Center instance.
Monitoring your encryption keys for IAM Identity Center
When you use a customer managed KMS key with your IAM Identity Center instance, you can use Amazon CloudTrail to track the requests that IAM Identity Center and the Identity Store send to Amazon KMS on your behalf. The encryption context in each event identifies the instance or identity store the request came from, so calls that carry an unexpected context stand out.
Example encryption context in a CloudTrail event of an Amazon KMS API operation:
{
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx",
            "tenant-key-id": "ssoins-xxxxxxxxxxxxxxxx"
        }
    }
}
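The following Python script is an added example, not code from the IAM Identity Center documentation or from Amazon. It ties the two preceding sections together: it builds KMS key policy statements that pin a customer managed key to one IAM Identity Center instance through the kms:EncryptionContext condition keys, and it runs the same expectation over constructed CloudTrail KMS records to flag calls whose encryption context does not belong to that instance. The instance ARN, identity store ARN, account ID, Region, the kms:ViaService hostnames and the set of KMS actions are assumed placeholders; the authoritative policy text is in the Advanced KMS key policy statements section.

```python
"""Added example (not Amazon's code): pin a customer managed KMS key to one
IAM Identity Center instance via encryption context, and audit CloudTrail
KMS events against the same expectation. All identifiers are assumed."""
import json

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-1234567890abcdef"        # assumed
IDENTITY_STORE_ARN = ("arn:aws:identitystore::123456789012:"
                      "identitystore/d-1234567890")                     # assumed
MGMT_ACCOUNT = "123456789012"                                           # assumed
REGION = "us-east-1"                                                    # assumed
# Assumed action set; take the real list from the page's policy templates.
ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_policy_statements(instance_arn, identity_store_arn, account, region):
    """Two statements, not one: a KMS request from Identity Center carries the
    aws:sso:instance-arn context key, a request from the Identity Store carries
    aws:identitystore:identitystore-arn, never both. A StringEquals condition on
    a key that is absent from the request evaluates to false, so listing both
    keys in one condition block would deny every call. kms:ViaService further
    limits use of the key to the service that owns that context key."""
    def stmt(sid, via_service, context_key, expected):
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": ACTIONS,
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": via_service,
                f"kms:EncryptionContext:{context_key}": expected,
            }},
        }
    return [
        stmt("AllowIdentityCenterInstance", f"sso.{region}.amazonaws.com",
             "aws:sso:instance-arn", instance_arn),
        stmt("AllowIdentityStore", f"identitystore.{region}.amazonaws.com",
             "aws:identitystore:identitystore-arn", identity_store_arn),
    ]


def context_allowed(statements, encryption_context):
    """True if the request's encryption context satisfies every
    kms:EncryptionContext:* StringEquals condition of at least one statement.
    Only that condition kind is evaluated here; principal and kms:ViaService
    matching are left to KMS itself."""
    for s in statements:
        wanted = {k.removeprefix("kms:EncryptionContext:"): v
                  for k, v in s["Condition"]["StringEquals"].items()
                  if k.startswith("kms:EncryptionContext:")}
        if all(encryption_context.get(k) == v for k, v in wanted.items()):
            return True
    return False


def unexpected_context_events(events, statements):
    """Detection pass over CloudTrail records: IDs of KMS calls whose
    encryption context does not match the instance the key is dedicated to."""
    flagged = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        ctx = ev.get("requestParameters", {}).get("encryptionContext", {})
        if not context_allowed(statements, ctx):
            flagged.append(ev["eventID"])
    return flagged


# Constructed CloudTrail records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                           "encryptionContext": {
                               "aws:sso:instance-arn": INSTANCE_ARN,
                               "tenant-key-id": "ssoins-1234567890abcdef"}}},
    {"eventID": "e2", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "requestParameters": {"encryptionContext": {
         "aws:identitystore:identitystore-arn": IDENTITY_STORE_ARN,
         "tenant-key-id": "12345678-1234-1234-1234-123456789012"}}},
    # Same key used by a different Identity Center instance: the key was reused.
    {"eventID": "e3", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {
         "aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-fedcba0987654321",
         "tenant-key-id": "ssoins-fedcba0987654321"}}},
    # No encryption context at all: not an Identity Center call.
    {"eventID": "e4", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {}},
]

if __name__ == "__main__":
    stmts = key_policy_statements(INSTANCE_ARN, IDENTITY_STORE_ARN, MGMT_ACCOUNT, REGION)
    print(json.dumps({"Version": "2012-10-17", "Statement": stmts}, indent=2))
    print("flagged:", unexpected_context_events(SAMPLE_EVENTS, stmts))  # ['e3', 'e4']
```

Running the script prints the two-statement policy and flags events e3 and e4: e3 carries the context of another Identity Center instance (exactly the situation the "Dedicated keys" consideration warns about), and e4 carries no encryption context, so it could not have been issued by IAM Identity Center or the Identity Store. The account-root principal in the statements delegates the final decision to IAM policies in that account, so the key policy alone is not the whole story; the encryption context condition is what keeps a reused key from silently serving a second instance.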
Amazon managed applications’ storage, encryption, and deletion of IAM Identity Center identity attributes
Some Amazon managed applications that you deploy with Amazon IAM Identity Center, such as Amazon Systems Manager and Amazon CodeCatalyst, store specific user and group attributes from IAM Identity Center in their own data stores. Encryption at rest with a customer managed KMS key in IAM Identity Center does not extend to the IAM Identity Center user and group attributes stored in those applications; each Amazon managed application supports its own encryption methods for the data it stores. Also, when you delete user and group attributes in IAM Identity Center, these Amazon managed applications may continue to store that information after it has been deleted in IAM Identity Center. Refer to the user guide of each Amazon managed application for the encryption and security of the data stored within it.