Revoking access to a CMK-encrypted dataset
You can revoke access to your CMK-encrypted SPICE datasets. When you revoke access to a key that is used to encrypt a dataset, access to the dataset is denied until you undo the revoke. The following methods are examples of how you can revoke access:
- Turn off the key in Amazon KMS.
- Add a Deny policy to your QuickSight KMS policy in IAM.
Use the following procedure to revoke access to your CMK-encrypted datasets in Amazon KMS.
To turn off a CMK in Amazon Key Management Service
- Log in to your Amazon account, open Amazon KMS, and choose Customer managed keys.
- Select the key that you want to turn off.
- Open the Key actions menu and choose Disable.
To prevent further use of the CMK, you could add a Deny policy in Amazon Identity and Access Management (IAM). Use "Service": "quicksight.amazonaws.com" as the principal and the ARN of the key as the resource. Deny the following actions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey".
Important
After you revoke access by using any method, it can take up to 15 minutes for the SPICE dataset to become inaccessible.