AWS Cognito’s new customer-managed keys feature

Did you know the global average cost of a data breach was $4.44M in 2025, according to IBM and the Ponemon Institute? Ouch!
For an added layer of security, you may want to consider AWS Cognito’s new customer-managed keys feature.
When I first saw this, I was concerned we could see something similar to the devastating S3 Client Side Encryption attack.
Luckily, this one is a little bit different. The S3 attack encrypts the files when the request is made.
When a new user signs up, they don’t have a key of any kind to use for encryption, so Cognito has to pull the key from AWS Key Management Service, which adds another layer of security that attackers would have to get through.
My question for you is, what are you doing to not be part of those statistics? Let me know in the comments.
Looking to sharpen your team's infosec skills?
Have them check out my On-Demand Video Course on O'Reilly - Zero to Hero on AWS Security: An Animated Guide to Security in the Cloud