Using an Amazon KMS key to encrypt your metrics exports - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using an Amazon KMS key to encrypt your metrics exports

To grant Amazon S3 Storage Lens permission to encrypt your metrics exports by using a customer managed key, you must use a key policy. To update your key policy so that you can use a KMS key to encrypt your S3 Storage Lens metrics exports, follow these steps.

To grant S3 Storage Lens permissions to encrypt data by using your KMS key
  1. Sign into the Amazon Web Services Management Console by using the Amazon Web Services account that owns the customer managed key.

  2. Open the Amazon KMS console at

  3. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  4. In the left navigation pane, choose Customer managed keys.

  5. Under Customer managed keys, choose the key that you want to use to encrypt the metrics exports. Amazon KMS keys are Region-specific and must be in the same Region as the metrics export destination S3 bucket.

  6. Under Key policy, choose Switch to policy view.

  7. To update the key policy, choose Edit.

  8. Under Edit key policy, add the following key policy to the existing key policy. To use this policy, replace the user input placeholders with your information.

    { "Sid": "Allow Amazon S3 Storage Lens use of the KMS key", "Effect": "Allow", "Principal": { "Service": "" }, "Action": [ "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws-cn:s3:us-east-1:source-account-id:storage-lens/your-dashboard-name", "aws:SourceAccount": "source-account-id" } } }
  9. Choose Save changes.

For more information about creating customer managed keys and using key policies, see the following topics in the Amazon Key Management Service Developer Guide:

You can also use the Amazon KMS PUT key policy API operation (PutKeyPolicy) to copy the key policy to the customer managed keys that you want to use to encrypt the metrics exports by using the REST API, Amazon CLI, and SDKs.