amazon-web-servicesamazon-cognitoapp-secret

Can I create a secret in AWS that is only available to a Cognito user but not to any other AWS user?


I need to implement some zero-knowledge stuff and wondering if I can:

Could it be implemented somehow? Thank you!


Solution

  • No.

    AWS account admins will have access to anything any users have access to, from AWS. There are a couple options I could think of:

    1. Use asymmetric KMS keys? They have the nifty feature that the private key never leaves KMS (you / the user do all your operations with the private key by calling KMS).

    2. Keep a user private key securely on the client side. If you want to store something secret in the cloud, encrypt it with the private key before storing it. It doesn't matter that the admin can access it, because it's encrypted.