This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::SageMaker::FeatureGroup OnlineStoreSecurityConfig The security configuration for `OnlineStore`. ## Syntax To declare this entity in your Amazon CloudFormation template, use the following syntax: ### JSON ``` { "[KmsKeyId](#cfn-sagemaker-featuregroup-onlinestoresecurityconfig-kmskeyid)" : String } ``` ### YAML ``` [KmsKeyId](#cfn-sagemaker-featuregroup-onlinestoresecurityconfig-kmskeyid): String ``` ## Properties `KmsKeyId` The Amazon Key Management Service (KMS) key ARN that SageMaker Feature Store uses to encrypt the Amazon S3 objects at rest using Amazon S3 server-side encryption. The caller (either user or IAM role) of `CreateFeatureGroup` must have below permissions to the `OnlineStore``KmsKeyId`: + `"kms:Encrypt"` + `"kms:Decrypt"` + `"kms:DescribeKey"` + `"kms:CreateGrant"` + `"kms:RetireGrant"` + `"kms:ReEncryptFrom"` + `"kms:ReEncryptTo"` + `"kms:GenerateDataKey"` + `"kms:ListAliases"` + `"kms:ListGrants"` + `"kms:RevokeGrant"` The caller (either user or IAM role) to all DataPlane operations (`PutRecord`, `GetRecord`, `DeleteRecord`) must have the following permissions to the `KmsKeyId`: + `"kms:Decrypt"` *Required*: No *Type*: String *Maximum*: `2048` *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)