Revoking access to a CMK-encrypted dataset - Amazon QuickSight

Revoking access to a CMK-encrypted dataset

You can revoke access to your CMK-encrypted SPICE datasets. When you revoke access to a key that is used to encrypt a dataset, access to the dataset is denied until you undo the revoke. The following methods are examples of how you can revoke access:

  • Turn off the key in Amazon KMS.

  • Add a Deny policy to your QuickSight KMS policy in IAM.

Use the following procedure to revoke access to your CMK-encrypted datasets in Amazon KMS.

To turn off a CMK in Amazon Key Management Service
  1. Log in to your Amazon account, open Amazon KMS, and choose Customer managed keys.

  2. Select the key that you want to turn off.

  3. Open the Key actions menu and choose Disable.

To prevent further use of the CMK, you could add a Deny policy in Amazon Identity and Access Management (IAM). Use "Service": "quicksight.amazonaws.com" as the principal and the ARN of the key as the resource. Deny the following actions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey".
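The Deny statement described above, assembled in Python together with a check that reports which of the listed actions a policy document fails to deny for the QuickSight service principal. This is an added example, not AWS code; the Sid, the function names and the sample key ARN are assumptions constructed for illustration.

```python
import fnmatch
import json

# Values taken from the page: the service principal and the five denied actions.
QS_PRINCIPAL = "quicksight.amazonaws.com"
DENIED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey"]

def build_deny_statement(key_arn):
    """Deny statement with the principal, resource and actions the page lists."""
    return {"Sid": "DenyQuickSightUseOfCMK",  # Sid is a hypothetical label
            "Effect": "Deny",
            "Principal": {"Service": QS_PRINCIPAL},
            "Action": list(DENIED_ACTIONS),
            "Resource": key_arn}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_denies(policy, key_arn):
    """Return the page's actions that no unconditional Deny for QuickSight covers.

    Conservative: statements with a Condition, or whose principal is not the
    explicit QuickSight service principal, are treated as not covering anything.
    """
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Deny" or "Condition" in stmt
                or QS_PRINCIPAL not in services
                or not {key_arn, "*"} & set(_as_list(stmt.get("Resource", [])))):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may use '*' wildcards.
            covered |= {a for a in DENIED_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return [a for a in DENIED_ACTIONS if a not in covered]

# Constructed sample key ARN (placeholder account and key ID).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

if __name__ == "__main__":
    complete = {"Version": "2012-10-17", "Statement": [build_deny_statement(KEY_ARN)]}
    print(json.dumps(complete, indent=2))
    partial = json.loads(json.dumps(complete))
    partial["Statement"][0]["Action"] = ["kms:Decrypt", "kms:ReEncryptFrom"]
    print("complete policy gaps:", missing_denies(complete, KEY_ARN))
    print("partial policy gaps: ", missing_denies(partial, KEY_ARN))
```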

Important

After you revoke access by using any method, it can take up to 15 minutes for the SPICE dataset to become inaccessible.