Add a CMK to your account - Amazon QuickSight

Add a CMK to your account

Before you begin, make sure that you have an IAM role that grants the admin user access to the Amazon QuickSight admin key management console. For more information on the required permissions, see IAM identity-based policies for Amazon QuickSight: using the admin key management console.

You can add keys that already exist in Amazon KMS to your QuickSight account, so that you can encrypt your SPICE datasets. Keys that you add only affect new datasets created in SPICE. If you have an existing SPICE dataset that you want to encrypt, perform a full refresh on the dataset to encrypt it with the default CMK.

To learn more about how you can create a key to use in QuickSight, see the Amazon Key Management Service Developer Guide.

To add a new CMK to your QuickSight account:
  1. On the QuickSight start page, choose Manage QuickSight, and then choose KMS keys.
  2. On the KMS keys page, choose Manage. The KMS keys dashboard opens.
  3. On the KMS Keys dashboard, choose Select key.
  4. On the Select key pop-up box, choose Key to open the list. Then, select the key that you want to add.

    If your key isn't in the list, you can manually enter the key's ARN.

  5. (Optional) Select the option Use as default encryption key for all new SPICE datasets in this QuickSight account to set the selected key as your default key. A blue badge appears next to the default key to indicate its status.

    When you choose a default key, all new SPICE datasets that are created in the Region that hosts your QuickSight account are encrypted with the default key.
  6. (Optional) Add more keys by repeating the previous steps in this procedure. While you can add as many keys as you want, you can have only one default key at a time.

Note

To use a specific key for an existing dataset, switch the account default key to the new key, then run a full refresh on the SPICE dataset.
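
The console procedure above can also be scripted. The following is an added example, not code from the AWS documentation: it checks each key ARN before registration and enforces the one-default-key rule from step 6. The function names and sample ARNs are constructed for illustration, and `register_keys` assumes the boto3 QuickSight `update_key_registration` operation and valid credentials.

```python
import re

# A KMS key ARN (not an alias ARN); aws-cn is the partition for the China Regions.
KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key/[0-9A-Za-z-]+$"
)


def build_key_registration(key_arns, default_arn=None):
    """Return the KeyRegistration list for the given CMK ARNs.

    Raises ValueError on a malformed ARN, a duplicate key, or a default
    key that is not among the keys being registered.
    """
    default_arn = default_arn.strip() if default_arn else None
    seen = []
    for arn in key_arns:
        arn = arn.strip()
        if not KEY_ARN.match(arn):
            raise ValueError(f"not a KMS key ARN: {arn!r}")
        if arn in seen:
            raise ValueError(f"duplicate key: {arn}")
        seen.append(arn)
    if default_arn is not None and default_arn not in seen:
        raise ValueError("default key must be one of the registered keys")
    # At most one entry carries DefaultKey=True, matching the console rule.
    return [{"KeyArn": a, "DefaultKey": a == default_arn} for a in seen]


def register_keys(account_id, key_arns, default_arn=None, region=None):
    """Apply the registration with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the validation above works offline

    client = boto3.client("quicksight", region_name=region)
    return client.update_key_registration(
        AwsAccountId=account_id,
        KeyRegistration=build_key_registration(key_arns, default_arn),
    )


# Constructed sample ARNs (placeholder account ID and key IDs).
SAMPLE_KEYS = [
    "arn:aws-cn:kms:cn-north-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "arn:aws-cn:kms:cn-north-1:111122223333:key/66666666-7777-8888-9999-000000000000",
]

if __name__ == "__main__":
    for entry in build_key_registration(SAMPLE_KEYS, default_arn=SAMPLE_KEYS[1]):
        print(entry)
```

As the page notes, changing the default key affects only new SPICE datasets; existing datasets pick it up after a full refresh.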