Bring Your Own Key (BYOK): AWS IAM Identity Center Adopts CMKs to Meet Enterprise Compliance Needs

By admin, 19 October 2025

AWS recently announced that its IAM Identity Center service now supports customer-managed KMS keys (CMKs) for encryption at rest. This new feature allows organizations to use their own encryption keys to secure Identity Center identity data, such as user and group attributes, providing enhanced control over data protection.

IAM Identity Center is a cloud service that centralizes the management of single sign-on (SSO) access across multiple AWS accounts and cloud applications. Until now, Identity Center data has been encrypted at rest using AWS-owned KMS keys. With the introduction of CMK support, organizations can bring their own keys to encrypt workforce identity data, aligning with compliance and security best practices.

The integration with AWS Key Management Service (KMS) is a critical development, as it hands over the control of the encryption key lifecycle—including creation, rotation, and deletion—directly to the customer. This enhances security and ensures that customers maintain full sovereignty over their encryption keys.

Additionally, this update improves audit capabilities. Detailed AWS CloudTrail logs now capture key usage activities, enabling better monitoring and compliance tracking.

Sébastien Stormacq, developer evangelist at AWS, highlights the level of control this enables: “You can configure granular access controls to keys with AWS Key Management Service (AWS KMS) key policies and IAM policies, helping to ensure that only authorized principals can access your encrypted data.” This fine-grained control is essential for enterprises operating in highly regulated industries.
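The two controls described above, key-policy restriction of who may use the key and CloudTrail visibility into who actually did, are easiest to appreciate with a concrete audit. The script below is an added example written for this post; it is not code from AWS, InfoQ or the article. It walks CloudTrail-shaped KMS records for one customer-managed key, summarizes usage per principal, and flags three things a defender cares about: data-plane calls (`Decrypt`, `GenerateDataKey`, ...) by anything other than the Identity Center service, denied attempts, and lifecycle changes such as `ScheduleKeyDeletion` or `PutKeyPolicy`. The events, key ARN, account id and role names are constructed, and the assumption that Identity Center's calls carry `userIdentity.invokedBy == "sso.amazonaws.com"` is an assumption, not something the article states.

```python
"""Audit CloudTrail KMS records for an IAM Identity Center CMK (added example)."""
import json
from collections import Counter

# Constructed key ARN and principals; replace with your own values.
IDENTITY_CENTER_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/"
    "11111111-2222-3333-4444-555555555555"
)
EXPECTED_SERVICE = "sso.amazonaws.com"  # assumption: Identity Center's service principal
EXPECTED_ADMIN_ARNS = {"arn:aws:iam::111122223333:role/KmsKeyAdmin"}  # constructed

# Operations that use the key on data, versus ones that change what the key can do.
DATA_OPS = {"Decrypt", "Encrypt", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}
LIFECYCLE_OPS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
                 "DisableKeyRotation", "CreateGrant"}


def _event(name, identity, key_arn=IDENTITY_CENTER_KEY_ARN, error=None):
    """Build a minimal CloudTrail-shaped KMS record (constructed sample data)."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": identity,
           "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}]}
    if error:
        rec["errorCode"] = error
    return rec


SSO_IDENTITY = {"type": "AssumedRole",
                "arn": "arn:aws:sts::111122223333:assumed-role/IdentityCenterSvc/session",
                "invokedBy": "sso.amazonaws.com"}
ADMIN_IDENTITY = {"type": "AssumedRole",
                  "arn": "arn:aws:sts::111122223333:assumed-role/KmsKeyAdmin/ops-session"}
USER_IDENTITY = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"}

SAMPLE_EVENTS = [  # constructed log lines
    _event("Decrypt", SSO_IDENTITY),
    _event("GenerateDataKey", SSO_IDENTITY),
    _event("Decrypt", USER_IDENTITY),                                   # unexpected use
    _event("Decrypt", USER_IDENTITY, error="AccessDeniedException"),    # blocked by key policy
    _event("ScheduleKeyDeletion", ADMIN_IDENTITY),                      # lifecycle change
    _event("Decrypt", SSO_IDENTITY, key_arn="arn:aws:kms:us-east-1:111122223333:key/other"),
]


def actor_of(identity):
    """Principal to judge: the invoking service if present, else the IAM role
    behind an assumed-role session, else the raw ARN."""
    if identity.get("invokedBy"):
        return identity["invokedBy"]
    arn = identity.get("arn", "")
    if ":assumed-role/" in arn:
        head, rest = arn.split(":assumed-role/", 1)
        account = head.split(":")[4]
        return f"arn:aws:iam::{account}:role/{rest.split('/', 1)[0]}"
    return arn


def touches_key(event, key_arn):
    """True for KMS records whose resource list names the audited key."""
    return event.get("eventSource") == "kms.amazonaws.com" and any(
        r.get("ARN") == key_arn for r in event.get("resources", []))


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into records."""
    return json.loads(text).get("Records", [])


def audit(events, key_arn, expected_service=EXPECTED_SERVICE,
          admin_arns=EXPECTED_ADMIN_ARNS):
    """Return per-(actor, operation) counts and a list of findings for one key."""
    usage, findings = Counter(), []
    for ev in events:
        if not touches_key(ev, key_arn):
            continue
        name, who = ev["eventName"], actor_of(ev["userIdentity"])
        usage[(who, name)] += 1
        if ev.get("errorCode"):
            findings.append({"severity": "medium", "event": name, "actor": who,
                             "reason": "denied-attempt"})
        elif name in DATA_OPS and who != expected_service:
            findings.append({"severity": "high", "event": name, "actor": who,
                             "reason": "unexpected-data-plane-use"})
        elif name in LIFECYCLE_OPS:
            findings.append({"severity": "medium" if who in admin_arns else "high",
                             "event": name, "actor": who, "reason": "lifecycle-change"})
    return {"usage": usage, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_EVENTS, IDENTITY_CENTER_KEY_ARN)
    for (who, op), n in sorted(result["usage"].items()):
        print(f"{n:3d}  {op:<22} {who}")
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['reason']}: {f['event']} by {f['actor']}")
```

Feed `load_records()` the body of a real CloudTrail log object and pass the result to `audit()`; the lifecycle bucket is reported even for the key-admin role, because a scheduled deletion of the key that protects Identity Center data is worth a human look regardless of who requested it.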

The ability to use CMKs for data at rest is often a mandatory requirement for enterprises due to compliance or security strategies such as Bring Your Own Key (BYOK). Other major cloud providers also support this capability through their respective key management services, making it a standard industry practice.

Identity Center supports both single-region and multi-region keys, offering flexibility depending on deployment needs. However, it’s important to note that Identity Center instances can currently only be deployed within a single region. AWS recommends using multi-region KMS keys unless company policies require single-region keys, as multi-region keys provide consistent key material across different regions while maintaining independent key infrastructure.

This new CMK capability is now available in all AWS commercial regions, AWS GovCloud (US), and AWS China regions.

Regarding pricing, users continue to pay for IAM Identity Center usage as before. In addition, standard AWS KMS charges apply for key storage and API requests related to customer-managed keys.

Overall, the support for customer-managed KMS keys in IAM Identity Center provides organizations with stronger encryption control, enhanced audit visibility, and improved compliance posture—making it a valuable addition for enterprises managing sensitive identity data in the cloud.
https://www.infoq.com/news/2025/10/aws-identity-cmk-compliance/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=global
