Data protection in Amazon Cognito
The AWS shared responsibility model applies to data protection in Amazon Cognito. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use.
For more information about data privacy, see the Data Privacy FAQ.
For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources.
- Set up API and user activity logging with AWS CloudTrail.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
We strongly recommend that you never put sensitive identifying information, such as your
customers' account numbers, into free-form fields such as a Name field. This includes when you work with Amazon Cognito or other AWS
services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into
Amazon Cognito or other services might get picked up for inclusion in diagnostic logs. When you
provide a URL to an external server, don't include credentials information in the URL to
validate your request to that server.
Data encryption
Data encryption typically falls into two categories: encryption at rest and encryption
in transit.
Encryption at rest
Data within Amazon Cognito user pools and identity pools is encrypted at rest in accordance
with industry standards.
- Amazon Cognito encrypts customer data in identity pools with AWS owned keys. You can't change this behavior.
- By default, Amazon Cognito also encrypts customer data in user pools with AWS owned keys. You can also configure your user pools to instead encrypt your customers' information with customer managed keys.
- AWS owned key
  Amazon Cognito encrypts the data in your user pool or identity pool with an AWS owned KMS key. Keys of this type aren't visible in AWS KMS.
- Customer managed key
  Amazon Cognito encrypts the data in your user pool with a customer managed key. You own the administration of customer managed key policies, rotation, and scheduled deletion.
  Encryption with customer managed keys might not be available in some user pools. Newly created user pools always have this form of encryption available to them.
Things to know about user pool encryption with customer managed keys
- All customer data in user pools is encrypted at rest, even if you take no action to configure encryption settings.
- Amazon Cognito supports only symmetric KMS keys in the same AWS Region as your user pool for user pool encryption at rest. You can't configure user pool encryption at rest with asymmetric keys. You can configure encryption at rest with single-Region keys and with multi-Region keys that are in the same Region as your user pool.
- You can configure user pool encryption only with a KMS key ARN, not an alias.
PII encryption
Amazon Cognito supports the confidentiality, integrity, and availability of personally identifiable information (PII) in user attribute searches with searchable encryption. Searchable encryption uses Hash-based Message Authentication Code (HMAC) functions, performance-optimized for user pool datasets, to map between the plaintext and encrypted values of user attributes. Amazon Cognito calculates HMAC values with the KMS key that encrypts your user pool. This protection applies to the following attributes:
- sub
- email
- phone_number
- given_name
- family_name
- name
- username
- preferred_username
- cognito:user_status
The following procedures configure encryption at rest in your user pool. For more
information about KMS key policies that delegate access to AWS services like
Amazon Cognito, see Permissions for Amazon Cognito
in key policies.
- Set customer managed key policy
  To use a customer managed key, your key must trust an Amazon Cognito service principal to perform encryption and decryption operations on the key. Configure the key policy of your KMS key as shown in the following example. The IAM principal that writes this policy must have write access to your KMS key, with kms:PutKeyPolicy permission.
  {
    "Id": "cognito-cmk-policy",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Allow Amazon Cognito service access",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "cognito-idp.amazonaws.com",
            "identitystore.amazonaws.com"
          ]
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKeyWithoutPlainText"
        ],
        "Resource": "*",
        "Condition": {
          "ArnEquals": {
            "aws:SourceArn": [
              "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
            ]
          },
          "StringEquals": {
            "aws:SourceAccount": [
              "111122223333"
            ]
          },
          "StringLike": {
            "kms:EncryptionContext:aws:cognito-idp:userpool-arn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
          }
        }
      },
      {
        "Sid": "Allow Amazon Cognito service DescribeKey access",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "cognito-idp.amazonaws.com",
            "identitystore.amazonaws.com"
          ]
        },
        "Action": [
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "ArnEquals": {
            "aws:SourceArn": [
              "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
            ]
          },
          "StringEquals": {
            "aws:SourceAccount": [
              "111122223333"
            ]
          }
        }
      },
      {
        "Sid": "Allow access through Amazon Cognito for all principals in account that are authorized to use Amazon Cognito",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": [
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:ViaService": [
              "cognito-idp.us-east-1.amazonaws.com"
            ]
          }
        }
      },
      {
        "Sid": "Allow access through Amazon Cognito for all principals in account that are authorized to use Amazon Cognito",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKeyWithoutPlainText"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:ViaService": [
              "cognito-idp.us-east-1.amazonaws.com"
            ]
          },
          "StringLike": {
            "kms:EncryptionContext:aws:cognito-idp:userpool-arn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
          }
        }
      },
      {
        "Sid": "Allow administrators to manage the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      }
    ]
  }
- Set customer managed key policy with permissions for encryption of exported logs
  Apply this policy to your KMS key when you have log export configured. This policy permits Amazon Cognito to encrypt logs as it exports them, and the intermediate service to decrypt them before writing them to your CloudWatch Logs log group. Configure the key policy of your KMS key as shown in the following example. The IAM principal that writes this policy must have write access to your KMS key, with kms:PutKeyPolicy permission.
  {
    "Id": "cognito-cmk-policy",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Allow Amazon Cognito service access",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "cognito-idp.amazonaws.com",
            "identitystore.amazonaws.com"
          ]
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKeyWithoutPlainText"
        ],
        "Resource": "*",
        "Condition": {
          "ArnEquals": {
            "aws:SourceArn": [
              "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
            ]
          },
          "StringEquals": {
            "aws:SourceAccount": [
              "111122223333"
            ]
          },
          "StringLike": {
            "kms:EncryptionContext:aws:cognito-idp:userpool-arn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
          }
        }
      },
      {
        "Sid": "Allow Amazon Cognito service DescribeKey access",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "cognito-idp.amazonaws.com",
            "identitystore.amazonaws.com"
          ]
        },
        "Action": [
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "ArnEquals": {
            "aws:SourceArn": [
              "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
            ]
          },
          "StringEquals": {
            "aws:SourceAccount": [
              "111122223333"
            ]
          }
        }
      },
      {
        "Sid": "Allow access through Amazon Cognito for all principals in account that are authorized to use Amazon Cognito",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": [
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:ViaService": [
              "cognito-idp.us-east-1.amazonaws.com"
            ]
          }
        }
      },
      {
        "Sid": "Allow access through Amazon Cognito for all principals in account that are authorized to use Amazon Cognito",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKeyWithoutPlainText"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:ViaService": [
              "cognito-idp.us-east-1.amazonaws.com"
            ]
          },
          "StringLike": {
            "kms:EncryptionContext:aws:cognito-idp:userpool-arn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
          }
        }
      },
      {
        "Sid": "Allow Amazon Cognito service log delivery access",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "cognito-idp.amazonaws.com"
          ]
        },
        "Action": [
          "kms:GenerateDataKey",
          "kms:Encrypt"
        ],
        "Resource": "*",
        "Condition": {
          "StringLike": {
            "kms:EncryptionContext:SourceArn": "arn:aws:logs:us-east-1:111122223333:*"
          }
        }
      },
      {
        "Sid": "Allow IngestionHub service log delivery access",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "delivery.logs.amazonaws.com"
          ]
        },
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "*",
        "Condition": {
          "StringLike": {
            "kms:EncryptionContext:SourceArn": "arn:aws:logs:us-east-1:111122223333:*"
          }
        }
      },
      {
        "Sid": "Allow administrators to manage the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      }
    ]
  }
- Configure encryption at rest in the console
  To configure encryption at rest in a user pool
  - Go to the Amazon Cognito console. You might be prompted for your AWS credentials.
  - Choose User Pools.
  - Choose an existing user pool from the list, or create a user pool.
  - Choose the Settings menu and navigate to the User pool security tab. Locate Encryption at rest and select Edit.
  - Under Key type, select either AWS owned key or Customer managed key.
    - If you selected AWS owned key, no additional configuration is required.
    - If you selected Customer managed key, enter the ARN of a KMS key into Customer managed key ARN. You can also choose Create an AWS KMS key and open a new window in the AWS KMS console to create a new KMS key.
  - Choose Save changes.
- Configure encryption at rest with the API
  Set your key configuration in a CreateUserPool or UpdateUserPool API request. The following partial example request body sets a user pool to use the provided customer managed key. For a complete example request, see Examples.
    "KeyConfiguration": {
      "KeyType": "CUSTOMER_MANAGED_KEY",
      "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
    },
  The following partial example request body sets a user pool to use an AWS owned key.
    "KeyConfiguration": {
      "KeyType": "AWS_OWNED_KEY"
    },
  If your DescribeUserPool response doesn't include a KeyConfiguration parameter, your user pool is configured to encrypt data at rest with an AWS owned key.
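The checks below, an added example rather than AWS code, turn two requirements from the key policy and API sections above into a pre-flight script you can run before calling CreateUserPool or UpdateUserPool: the key policy must grant the cognito-idp.amazonaws.com service principal the data-key actions in statements pinned to your pool by aws:SourceArn and aws:SourceAccount, and KmsKeyArn must be a key ARN (not an alias) in the same Region as the pool. The ARNs are the page's EXAMPLE placeholders; SAMPLE_POLICY is a constructed, trimmed copy of the page's first statement, and the unconditioned-grant check goes beyond the page as a general confused-deputy guard.

```python
# Added example (not AWS code): pre-flight checks for a Cognito user pool customer managed key.
# ARNs are the page's EXAMPLE placeholders; SAMPLE_POLICY is a constructed input for this demo.
import json
import re

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKeyWithoutPlainText"}
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[A-Za-z0-9-]+$")
POOL_ARN_RE = re.compile(r"^arn:aws:cognito-idp:([a-z0-9-]+):(\d{12}):userpool/[\w-]+$")
POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow Amazon Cognito service access", "Effect": "Allow",
    "Principal": {"Service": ["cognito-idp.amazonaws.com", "identitystore.amazonaws.com"]},
    "Action": sorted(REQUIRED_ACTIONS), "Resource": "*",
    "Condition": {"ArnEquals": {"aws:SourceArn": [POOL_ARN]},
                  "StringEquals": {"aws:SourceAccount": ["111122223333"]}}}]})

def check_key_arn(kms_key_arn, user_pool_arn):
    """Page rules: KmsKeyArn must be a key ARN (not an alias) in the same Region as the pool."""
    pool, key = POOL_ARN_RE.match(user_pool_arn), KEY_ARN_RE.match(kms_key_arn)
    if not pool:
        return ["user pool ARN is malformed"]
    if not key:
        return ["KmsKeyArn must be a key ARN, not an alias ARN or bare key ID"]
    if key.group(1) != pool.group(1):
        return [f"key Region {key.group(1)} differs from pool Region {pool.group(1)}"]
    return []

def _as_set(value):  # IAM allows a string or a list in Principal, Action and Condition values
    return set(value) if isinstance(value, list) else {value}

def check_key_policy(policy_json, user_pool_arn):
    """Each data-key action must be granted to Cognito in a statement pinned to this pool by
    aws:SourceArn and aws:SourceAccount (confused-deputy guard); unconditioned grants are flagged."""
    account = POOL_ARN_RE.match(user_pool_arn).group(2)
    granted, problems = set(), []
    for st in json.loads(policy_json)["Statement"]:
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and "Principal": "*" are out of scope here
        if COGNITO_PRINCIPAL not in _as_set(principal.get("Service", [])):
            continue
        cond = st.get("Condition", {})
        if not cond:
            problems.append(f"{st.get('Sid')!r} grants {COGNITO_PRINCIPAL} with no Condition")
            continue
        src_arns = _as_set(cond.get("ArnEquals", {}).get("aws:SourceArn", []))
        src_accts = _as_set(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        if user_pool_arn in src_arns and account in src_accts:
            granted |= _as_set(st["Action"])
    problems += [f"no pool-scoped grant of {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return problems
```

Run both checks against the policy returned by GetKeyPolicy and the KmsKeyArn you intend to send; an empty list from each means the configuration matches the rules on this page.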
Encryption in transit
As a managed service, Amazon Cognito is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security. To design your AWS environment using the best practices for infrastructure security, see Infrastructure Protection in the Security Pillar of the AWS Well-Architected Framework.
You use AWS published API calls to access Amazon Cognito through the network. Clients must support the following:
- Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
- Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
Amazon Cognito user pools and identity pools have IAM-authenticated, unauthenticated, and
token-authorized API operations. Some are control
plane-type operations for administrative operations like configuring a
user pool domain, and others are data plane-type
operations for authentication. For more information, see List of API operations grouped by authorization model.
All classes of Amazon Cognito API operations share a namespace—cognito-idp
for user pools, cognito-identity for identity pools—and service
endpoints. AWS service
endpoints require encryption in transit with a minimum TLS version of
1.2.
Amazon Cognito user pools host managed login and
the classic hosted UI on web domains that are served from service-owned Amazon CloudFront
distributions. Amazon Cognito manages the settings for encryption in transit on those
distributions. For more information about the encryption settings for managed login, see
TLS version in the
managed login chapter.