Revoking access to CMK-encrypted QuickSight data - Amazon QuickSight

Revoking access to CMK-encrypted QuickSight data

You can revoke access to your CMK-encrypted QuickSight data. When you revoke access to a key that is used to encrypt your QuickSight data, access to the data is denied until you undo the revoke. The following methods are examples of how you can revoke access:

  • Turn off the key in Amazon KMS.

  • Add a Deny policy to your QuickSight Amazon KMS policy in IAM.

To learn more about which data can be managed with the key, see Encrypting your QuickSight data with Amazon Key Management Service customer-managed keys.

Use the following procedure to revoke access to your CMK-encrypted QuickSight data in Amazon KMS.

To turn off a CMK in Amazon Key Management Service
  1. Log in to your Amazon account, open Amazon KMS, and choose Customer managed keys.

  2. Select the key that you want to turn off.

  3. Open the Key actions menu and choose Disable.

To prevent further use of the CMK, you could add a Deny policy in Amazon Identity and Access Management (IAM). Use "Service": "quicksight.amazonaws.com" as the principal and the ARN of the key as the resource. Deny the following actions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey".
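The Deny statement described above, together with a check that a given policy document already contains it, as an added example that is not AWS's own code. The key ARN, account ID, Sid and sample policy are constructed placeholders, and the check reads only the plain Effect, Principal, Action and Resource fields rather than performing a full policy evaluation.

```python
import copy
from fnmatch import fnmatchcase

QS = "quicksight.amazonaws.com"
KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed placeholder
DENIED = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
# Concrete KMS actions the patterns above must cover; used to audit a policy.
PROBES = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
          "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]

def _list(v):
    """Policy fields may be a single value or a list; normalise to a list."""
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple)) else [v]

def deny_statement(key_arn):
    """Build the Deny statement from the paragraph above (the Sid is an assumed name)."""
    return {"Sid": "DenyQuickSightKeyUse", "Effect": "Deny", "Principal": {"Service": QS},
            "Action": list(DENIED), "Resource": key_arn}

def uncovered_actions(policy, key_arn):
    """Return the probe actions that no unconditional Deny for QuickSight covers."""
    patterns = []
    for st in _list(policy.get("Statement")):
        if st.get("Effect") != "Deny" or "Condition" in st:
            continue  # a conditional Deny does not revoke access in every case
        principal = st.get("Principal")
        services = _list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and not {"*", QS} & set(services):
            continue  # statement targets some other principal
        if not {"*", key_arn} & set(_list(st.get("Resource"))):
            continue  # statement targets some other key
        patterns += [a.lower() for a in _list(st.get("Action"))]
    return [a for a in PROBES if not any(fnmatchcase(a.lower(), p) for p in patterns)]

def revoke(policy, key_arn):
    """Return a copy of the policy with the Deny appended when coverage is incomplete."""
    new = copy.deepcopy(policy)
    if uncovered_actions(new, key_arn):
        new["Statement"] = _list(new.get("Statement")) + [deny_statement(key_arn)]
    return new

# Constructed sample policy: account-root access plus a partial Deny (Decrypt only).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": {"Service": QS}, "Action": "kms:Decrypt", "Resource": KEY_ARN},
]}

if __name__ == "__main__":
    print("missing before:", uncovered_actions(SAMPLE_POLICY, KEY_ARN))
    print("missing after: ", uncovered_actions(revoke(SAMPLE_POLICY, KEY_ARN), KEY_ARN))
```

An empty list from uncovered_actions means every action named above is denied to the QuickSight service principal for that key.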

Important

After you revoke access by using any method, it can take up to 15 minutes for the data to become inaccessible.