AWS cognito high security documentation change
Summary
Added section about searchable encryption with HMAC functions for user attributes
Security assessment
Documents new security feature using HMAC with KMS for encrypting sensitive user attributes, directly addressing data protection and PII security
Diff
diff --git a/cognito/latest/developerguide/data-protection.md b/cognito/latest/developerguide/data-protection.md index ab328257b..83fff85bf 100644 --- a//cognito/latest/developerguide/data-protection.md +++ b//cognito/latest/developerguide/data-protection.md @@ -35,0 +36,21 @@ Data within Amazon Cognito is encrypted at rest in accordance with industry stan +Amazon Cognito supports the confidentiality, integrity, and availability of personally identifiable information in user attribute searches with [searchable encryption](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/searchable-encryption.html). These Hash-based Message Authentication Code (HMAC) functions, performance-optimized for user pool datasets, map between the plaintext and encrypted values of user attributes. Amazon Cognito calculates HMAC values with the KMS key that encrypts your user pool. This protection applies to the following attributes: + + * sub + + * email + + * phone_number + + * given_name + + * family_name + + * name + + * username + + * preferred_username + + + +