Using an Amazon KMS key to encrypt your metrics exports
To grant Amazon S3 Storage Lens permission to encrypt your metrics exports by using a customer managed key, you must use a key policy. To update your key policy so that you can use a KMS key to encrypt your S3 Storage Lens metrics exports, follow these steps.
To grant S3 Storage Lens permissions to encrypt data by using your KMS key
-
Sign into the Amazon Web Services Management Console by using the Amazon Web Services account that owns the customer managed key.
-
Open the Amazon KMS console at https://console.amazonaws.cn/kms
. -
To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
-
In the left navigation pane, choose Customer managed keys.
-
Under Customer managed keys, choose the key that you want to use to encrypt the metrics exports. Amazon KMS keys are Region-specific and must be in the same Region as the metrics export destination S3 bucket.
-
Under Key policy, choose Switch to policy view.
-
To update the key policy, choose Edit.
-
Under Edit key policy, add the following key policy to the existing key policy. To use this policy, replace the
user input placeholders{ "Sid": "Allow Amazon S3 Storage Lens use of the KMS key", "Effect": "Allow", "Principal": { "Service": "storage-lens.s3.amazonaws.com.cn" }, "Action": [ "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws-cn:s3:us-east-1:source-account-id:storage-lens/your-dashboard-name", "aws:SourceAccount": "source-account-id" } } } -
Choose Save changes.
For more information about creating customer managed keys and using key policies, see the following topics in the Amazon Key Management Service Developer Guide:
You can also use the Amazon KMS PUT key policy API operation (PutKeyPolicy