Verify the key used by a SPICE dataset - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Verify the key used by a SPICE dataset

When a key is used, an audit log is created in Amazon CloudTrail. You can use the log to track the key's usage. If you need to know which key a SPICE dataset is encrypted by, you can find this information in CloudTrail.

Verify the CMK that's currently used by a SPICE dataset
  1. Navigate to your CloudTrail log. For more information, see Logging QuickSight information with Amazon CloudTrail.

  2. Locate the most recent grant events for the SPICE dataset, using the following search arguments:

    • The event name (eventName) contains Grant.

    • The request parameters requestParameters contain the QuickSight ARN for the dataset.

    { "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "quicksight.amazonaws.com" }, "eventTime": "2022-10-26T00:11:08Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-west-2", "sourceIPAddress": "quicksight.amazonaws.com", "userAgent": "quicksight.amazonaws.com", "requestParameters": { "constraints": { "encryptionContextSubset": { "aws:quicksight:arn": "arn:aws-cn:quicksight:us-west-2:111122223333:dataset/12345678-1234-1234-1234-123456789012" } }, "retiringPrincipal": "quicksight.amazonaws.com", "keyId": "arn:aws-cn:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321", "granteePrincipal": "quicksight.amazonaws.com", "operations": [ "Encrypt", "Decrypt", "DescribeKey", "GenerateDataKey" ] }, .... }
  3. Depending on the event type, one of the following applies:

    CreateGrant – You can find the most recently used CMK in the key ID (keyID) for the last CreateGrant event for the SPICE dataset.

    RetireGrant – If latest CloudTrail event of the SPICE dataset is RetireGrant, there is no key ID and the SPICE dataset is no longer CMK encrypted.