AWS Security ChangesHomeSearch

AWS cognito high security documentation change

Service: cognito · 2025-11-13 · Security-related high

File: cognito/latest/developerguide/data-protection.md

Summary

Added section about searchable encryption with HMAC functions for user attributes

Security assessment

Documents new security feature using HMAC with KMS for encrypting sensitive user attributes, directly addressing data protection and PII security

Diff

diff --git a/cognito/latest/developerguide/data-protection.md b/cognito/latest/developerguide/data-protection.md
index ab328257b..83fff85bf 100644
--- a//cognito/latest/developerguide/data-protection.md
+++ b//cognito/latest/developerguide/data-protection.md
@@ -35,0 +36,21 @@ Data within Amazon Cognito is encrypted at rest in accordance with industry stan
+Amazon Cognito supports the confidentiality, integrity, and availability of personally identifiable information in user attribute searches with [searchable encryption](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/searchable-encryption.html). These Hash-based Message Authentication Code (HMAC) functions, performance-optimized for user pool datasets, map between the plaintext and encrypted values of user attributes. Amazon Cognito calculates HMAC values with the KMS key that encrypts your user pool. This protection applies to the following attributes:
+
+  * sub
+
+  * email
+
+  * phone_number
+
+  * given_name
+
+  * family_name
+
+  * name
+
+  * username
+
+  * preferred_username
+
+
+
+