AWS IAM Identity Center now supports customer-managed KMS keys (CMKs) for encrypting identity data at rest. Translation: enterprises can finally bring their own encryption keys instead of trusting AWS-owned keys to protect workforce identity information. For regulated industries, this isn’t a nice-to-have feature—it’s a compliance requirement.
What Changed and Why Companies Care
IAM Identity Center centralizes single sign-on (SSO) access across multiple AWS accounts and cloud applications. Your workforce identity data—user attributes, group memberships, permissions—has always been encrypted at rest, but AWS controlled those encryption keys. Now you can use your own keys through AWS Key Management Service (KMS).
This matters because controlling encryption keys means controlling access to encrypted data. When AWS manages the keys, you’re trusting their security practices. When you manage keys yourself, unauthorized access requires compromising both your AWS account and your key management infrastructure. That separation of concerns is fundamental to security architecture in regulated industries.
Alex Milanovic, senior product manager for IAM Identity Center, outlined the core benefits: complete control over encryption keys, granular access management through KMS policies, enhanced audit capabilities via CloudTrail logs, and strengthened compliance for regulated industries requiring data sovereignty.
The compliance angle drives adoption. Financial services, healthcare, government, and other heavily regulated sectors often face requirements that data encryption keys remain under customer control. Without CMK support, Identity Center wasn’t viable for organizations with those mandates—they’d need alternative identity solutions or accept compliance risk.
How Customer-Managed Keys Actually Work
The integration with AWS KMS transfers encryption key lifecycle management—creation, rotation, deletion—directly to the customer. You decide when keys get created, how often they rotate, and when they’re destroyed. AWS can’t access your encrypted identity data without your keys, even though AWS infrastructure stores that data.
Sébastien Stormacq, AWS developer evangelist, explained the granular control this enables: “You can configure granular access controls to keys with AWS KMS key policies and IAM policies, helping to ensure that only authorized principals can access your encrypted data.”
Those access controls mean you define precisely which AWS services, IAM roles, and users can use your encryption keys. Want to restrict key access to specific security teams? Create policies enforcing that. Need to log every key usage for compliance audits? CloudTrail records every API call involving your keys, creating audit trails that satisfy regulatory requirements.
The entire process gets logged through CloudTrail, providing detailed records of key usage—who accessed which keys when, what operations they performed, whether those operations succeeded or failed. For enterprises facing audits or compliance reviews, those logs provide evidence of proper key management and data access controls.
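As an added illustration of the CloudTrail audit trail described above (example code written here, not AWS's or the article's own), the snippet below reduces KMS events to a per-key, per-principal record of who used which key, which operations they called, and which calls were refused. The records are constructed samples that keep only the CloudTrail fields the audit needs (eventSource, eventName, userIdentity.arn, resources[].ARN, errorCode); the role, user and key ARNs are placeholders.

```python
"""Summarise KMS key usage from CloudTrail records (added example, not AWS code)."""
import json
from collections import defaultdict

# Constructed sample records: real CloudTrail entries carry many more fields; these are
# the ones a key-usage audit needs (caller, operation, key ARN, error code on failure).
SVC = "arn:aws:sts::111122223333:assumed-role/IdentityCenterSvc/session"  # placeholder
USR = "arn:aws:iam::111122223333:user/contractor"                            # placeholder
KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-1"                 # placeholder
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2025-01-10T12:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": SVC}, "resources": [{"ARN": KEY}]},
    {"eventTime": "2025-01-10T12:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": SVC}, "resources": [{"ARN": KEY}]},
    {"eventTime": "2025-01-10T12:01:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": USR}, "resources": [{"ARN": KEY}],
     "errorCode": "AccessDenied"},
    {"eventTime": "2025-01-10T12:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": USR},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/obj"}]},
]})


def summarize_kms_usage(trail_json: str) -> dict:
    """Return {key_arn: {principal_arn: {"ok": n, "denied": n, "ops": set}}} for KMS events."""
    summary = defaultdict(lambda: defaultdict(lambda: {"ok": 0, "denied": 0, "ops": set()}))
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only key-usage events matter for a key-management audit
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for res in rec.get("resources", []):
            if ":key/" not in res.get("ARN", ""):
                continue  # skip aliases or other resources attached to the event
            entry = summary[res["ARN"]][principal]
            entry["ops"].add(rec["eventName"])
            entry["denied" if "errorCode" in rec else "ok"] += 1  # errorCode only present on failure
    return {k: dict(v) for k, v in summary.items()}


def denied_principals(trail_json: str) -> list:
    """Principals refused use of any key: the rows an auditor reviews first."""
    return sorted({p for users in summarize_kms_usage(trail_json).values()
                   for p, e in users.items() if e["denied"]})


if __name__ == "__main__":
    print(json.dumps(summarize_kms_usage(SAMPLE_RECORDS), default=sorted, indent=2))
    print("denied:", denied_principals(SAMPLE_RECORDS))
```

Pointing the same functions at a CloudTrail log-file export, which uses the same `{"Records": [...]}` shape, produces the evidence of key usage and refused access the article says regulators ask for.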
Catching Up to Azure and Google Cloud
CMK support for data at rest isn’t innovative—it’s table stakes for enterprise cloud services. Microsoft and Google have offered this capability for years through their respective key management services.
Azure Key Vault enables customers to encrypt sensitive data across Azure services with customer-managed keys, authenticating access via Microsoft Entra ID (formerly Azure Active Directory). Google Cloud KMS provides similar functionality, offering cryptographic boundaries and full key lifecycle control for data in Cloud Storage, BigQuery, and other services.
AWS supporting CMKs in Identity Center represents catching up to competitor offerings rather than leading the market. That’s not criticism—sometimes “catching up” means delivering features customers actually need rather than chasing novelty. Enterprises evaluating cloud identity solutions now have feature parity across major providers regarding encryption key management.
Single-Region vs Multi-Region Key Decision
Identity Center supports both single-region and multi-region KMS keys to accommodate different deployment requirements. Currently, Identity Center instances deploy only in single regions, but AWS recommends using multi-region keys unless company policies restrict you to single-region options.
Multi-region keys provide consistent key material across regions while maintaining independent key infrastructure in each region. This matters for disaster recovery and business continuity—if one region becomes unavailable, you can still access encrypted data using the same key material from infrastructure in another region.
The recommendation toward multi-region keys suggests AWS anticipates Identity Center eventually supporting multi-region deployments. When that happens, customers using multi-region keys won’t need to migrate or re-encrypt data—they’ll already have the infrastructure supporting global identity management.
Availability and Pricing

CMK support is available now in all AWS commercial regions, AWS GovCloud (US), and AWS China regions. That global availability matters for multinational enterprises needing consistent identity management across geographies while complying with local data sovereignty requirements.
Pricing follows standard AWS patterns: you pay for IAM Identity Center plus standard AWS KMS charges for key storage and API usage. KMS pricing is consumption-based—you pay for the number of keys you store and the API requests made to use those keys. For most organizations, KMS costs represent a small fraction of overall cloud spending, especially compared to the compliance risk of not controlling encryption keys.
What This Means for Enterprise Adoption
CMK support removes a significant barrier to Identity Center adoption for regulated industries. Organizations that previously couldn’t use Identity Center due to encryption key control requirements now have a compliant path forward. That expands Identity Center’s addressable market considerably.
For enterprises already using Identity Center, CMK adoption becomes a compliance upgrade rather than a migration project. You can enable customer-managed keys on existing Identity Center deployments without recreating identity infrastructure or disrupting user access.
The feature also signals AWS’s continued investment in enterprise identity management. Identity Center started as a relatively simple SSO service but has evolved into a comprehensive workforce identity platform. Adding CMK support demonstrates AWS understands enterprise requirements extend beyond functionality to include compliance, audit capabilities, and data sovereignty.
Whether you actually need customer-managed keys depends on your compliance requirements and security strategy. If you’re in a regulated industry or your security policies mandate key control, this feature matters significantly. If you’re not facing those requirements, AWS-managed keys probably work fine—but knowing you could control keys if needed provides valuable optionality.