diff --git a/.changelog/36311.txt b/.changelog/36311.txt
new file mode 100644
index 00000000000..bd8f59571b1
--- /dev/null
+++ b/.changelog/36311.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_cognito_identity_provider: Ensure read-only property ActiveEncryptionCertificate is not used in UpdateIdentityProvider request
+```
\ No newline at end of file
diff --git a/internal/service/cognitoidp/identity_provider.go b/internal/service/cognitoidp/identity_provider.go
index 2c055c76ab8..76e87cdc8b4 100644
--- a/internal/service/cognitoidp/identity_provider.go
+++ b/internal/service/cognitoidp/identity_provider.go
@@ -201,7 +201,9 @@ func resourceIdentityProviderUpdate(ctx context.Context, d *schema.ResourceData,
 	}
 
 	if d.HasChange("provider_details") {
-		params.ProviderDetails = flex.ExpandStringMap(d.Get("provider_details").(map[string]interface{}))
+		providerDetailsForUpdate := flex.ExpandStringMap(d.Get("provider_details").(map[string]interface{}))
+		delete(providerDetailsForUpdate, "ActiveEncryptionCertificate")
+		params.ProviderDetails = providerDetailsForUpdate
 	}
 
 	if d.HasChange("idp_identifiers") {