Using an Amazon KMS key to encrypt your metrics exports
To grant Amazon S3 Storage Lens permission to encrypt your metrics exports by using a customer managed key, you must use a key policy. To update your key policy so that you can use a KMS key to encrypt your S3 Storage Lens metrics exports, follow these steps.
To grant S3 Storage Lens permissions to encrypt data by using your KMS key
- Sign in to the Amazon Web Services Management Console by using the Amazon Web Services account that owns the customer managed key.
- Open the Amazon KMS console at https://console.amazonaws.cn/kms.
- To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
- In the left navigation pane, choose Customer managed keys.
- Under Customer managed keys, choose the key that you want to use to encrypt the metrics exports. Amazon KMS keys are Region-specific and must be in the same Region as the metrics export destination S3 bucket.
- Under Key policy, choose Switch to policy view.
- To update the key policy, choose Edit.
- Under Edit key policy, add the following statement to the existing key policy. To use this policy, replace the user input placeholders (source-account-id and your-dashboard-name) with your information. The aws:SourceArn and aws:SourceAccount conditions limit the grant to the named dashboard in your account, so the Storage Lens service principal cannot use the key on behalf of a dashboard in another account.

```json
{
  "Sid": "Allow Amazon S3 Storage Lens use of the KMS key",
  "Effect": "Allow",
  "Principal": {
    "Service": "storage-lens.s3.amazonaws.com.cn"
  },
  "Action": [
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceArn": "arn:aws-cn:s3:us-east-1:source-account-id:storage-lens/your-dashboard-name",
      "aws:SourceAccount": "source-account-id"
    }
  }
}
```

- Choose Save changes.
For more information about creating customer managed keys and using key policies, see the Amazon Key Management Service Developer Guide.
You can also use the Amazon KMS PUT key policy API operation (PutKeyPolicy) to update the key policy.
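As an added example, not part of the Amazon documentation, the following Python builds the Storage Lens statement shown above, merges it into an existing key policy the way you would before calling PutKeyPolicy, and audits the result to confirm that every grant to the Storage Lens service principal is pinned to a source account and dashboard ARN. The existing key policy, the account ID and the dashboard name are constructed sample values.

```python
from copy import deepcopy

STORAGE_LENS_PRINCIPAL = "storage-lens.s3.amazonaws.com.cn"
STORAGE_LENS_SID = "Allow Amazon S3 Storage Lens use of the KMS key"

# Constructed sample: a key policy holding only the default key-administrator statement.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

def storage_lens_statement(region, account_id, dashboard_name):
    """Build the statement from the page, scoped to one dashboard in one account."""
    dashboard_arn = f"arn:aws-cn:s3:{region}:{account_id}:storage-lens/{dashboard_name}"
    return {
        "Sid": STORAGE_LENS_SID,
        "Effect": "Allow",
        "Principal": {"Service": STORAGE_LENS_PRINCIPAL},
        "Action": ["kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:SourceArn": dashboard_arn,
            "aws:SourceAccount": account_id,
        }},
    }

def add_storage_lens_statement(policy, region, account_id, dashboard_name):
    """Copy the policy and add the statement (replacing any earlier one by Sid); json.dumps() of the result is the PutKeyPolicy document."""
    merged = deepcopy(policy)
    merged["Statement"] = [s for s in merged["Statement"] if s.get("Sid") != STORAGE_LENS_SID]
    merged["Statement"].append(storage_lens_statement(region, account_id, dashboard_name))
    return merged

def storage_lens_grants_are_scoped(policy):
    """Audit check: every Allow for the Storage Lens service principal must pin both
    aws:SourceArn and aws:SourceAccount, or another account's dashboard could use this key."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal") if isinstance(stmt.get("Principal"), dict) else {}
        if stmt.get("Effect") != "Allow" or principal.get("Service") != STORAGE_LENS_PRINCIPAL:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {"aws:SourceArn", "aws:SourceAccount"} <= set(equals):
            return False
    return True
```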
Additional permissions for S3 table bucket exports
All data in S3 tables, including S3 Storage Lens metrics, is encrypted with SSE-S3 by default. You can choose instead to encrypt your Storage Lens metrics reports with Amazon KMS keys (SSE-KMS). If you do, you must have the additional permissions listed below.
- The user or IAM role needs the following permissions. You can grant these permissions by using the IAM console at https://console.amazonaws.cn/iam/.
  - kms:DescribeKey on the Amazon KMS key used
- On the key policy for the Amazon KMS key, you need the following permissions. You can grant these permissions by using the Amazon KMS console at https://console.amazonaws.cn/kms. To use this policy, replace the user input placeholders with your own information.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableSystemTablesKeyUsage",
      "Effect": "Allow",
      "Principal": {
        "Service": "systemtables.s3.amazonaws.com.cn"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws-cn:kms:us-east-1:111122223333:key/key-id",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "EnableKeyUsage",
      "Effect": "Allow",
      "Principal": {
        "Service": "maintenance.s3tables.amazonaws.com.cn"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws-cn:kms:us-east-1:111122223333:key/key-id",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": "<table-bucket-arn>/*"
        }
      }
    }
  ]
}
```