Search code examples
amazon-web-servicesamazon-cognitoapp-secret

Can I create a secret in AWS that is only available to a Cognito user but not to any other AWS user?

I need to implement some zero-knowledge stuff and wondering if I can:

  • Create a User in my platform
  • Create a Cognito User associated with this user
  • Do some client-side magic and push a secret key into the *any-storage*
  • This secret key shouldn't be accessible to ANYONE (even to AWS super-duper admins) but this specific user.

Could it be implemented somehow? Thank you!

Solution

  • No.

    AWS account admins will have access to anything any users have access to, from AWS. There are a couple options I could think of:

    1. Use asymmetric KMS keys? They have the nifty feature that the private key never leaves KMS (you / the user do all your operations with the private key by calling KMS).

    2. Keep a user private key securely on the client side. If you want to store something secret in the cloud, encrypt it with the private key before storing it. It doesn't matter that the admin can access it, because it's encrypted.