Revoking access to CMK-encrypted QuickSight data
You can revoke access to your CMK-encrypted QuickSight data. When you revoke access to a key that is used to encrypt your QuickSight data, access to the data is denied until you reverse the revocation. The following methods are examples of how you can revoke access:
- Turn off the key in Amazon KMS.
- Add a Deny policy to your QuickSight Amazon KMS policy in IAM.
To learn more about which data can be managed with the key, see Encrypting your QuickSight data with Amazon Key Management Service customer-managed keys.
Use the following procedure to revoke access to your CMK-encrypted QuickSight data in Amazon KMS.
To turn off a CMK in Amazon Key Management Service
- Log in to your Amazon account, open Amazon KMS, and choose Customer managed keys.
- Select the key that you want to turn off.
- Open the Key actions menu and choose Disable.
To prevent further use of the CMK, you could add a Deny policy in Amazon Identity and Access Management (IAM). Use "Service": "quicksight.amazonaws.com" as the principal and the ARN of the key as the resource. Deny the following actions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey".
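The Deny statement described above, as an added Python example that is not part of the original page or AWS's own code: it merges the statement into a policy document without duplicating it and reports which of the listed actions are still not explicitly denied. The key ARN, the sample policy, the `Sid` and the function names are constructed for illustration, and the example assumes the statement is placed in a policy type that accepts a `Principal` element, such as the key policy.

```python
import copy

# Actions the page says to deny, and the QuickSight service principal.
DENY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]
QUICKSIGHT = "quicksight.amazonaws.com"
SID = "DenyQuickSightUseOfCMK"  # hypothetical statement ID
# Constructed placeholder ARN and sample policy (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "AllowQuickSight", "Effect": "Allow",
    "Principal": {"Service": QUICKSIGHT},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": KEY_ARN}}


def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]


def add_deny(policy, key_arn):
    """Return a copy of policy holding the Deny statement exactly once."""
    deny = {"Sid": SID, "Effect": "Deny",
            "Principal": {"Service": QUICKSIGHT},
            "Action": list(DENY_ACTIONS), "Resource": key_arn}
    updated = copy.deepcopy(policy)
    kept = [s for s in _as_list(updated.get("Statement", []))
            if s.get("Sid") != SID]
    updated["Statement"] = kept + [deny]
    return updated


def missing_denies(policy, key_arn):
    """List the page's actions not unconditionally denied to QuickSight.

    Matching is literal (no wildcard expansion), so a broader pattern
    such as "kms:*" is reported as missing and needs manual review.
    """
    denied = set()
    for s in _as_list(policy.get("Statement", [])):
        principal = s.get("Principal")
        services = (_as_list(principal.get("Service", []))
                    if isinstance(principal, dict) else [])
        if (s.get("Effect") == "Deny" and "Condition" not in s
                and QUICKSIGHT in services
                and key_arn in _as_list(s.get("Resource", []))):
            denied.update(_as_list(s.get("Action", [])))
    return [a for a in DENY_ACTIONS if a not in denied]
```

A Deny statement that carries a `Condition` is deliberately not counted, because it blocks QuickSight only when the condition matches.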
Important
After you revoke access by using any method, it can take up to 15 minutes for the data to become inaccessible.