Verify the key used by a SPICE dataset
When a key is used, an audit log is created in Amazon CloudTrail. You can use the log to track the key's usage. If you need to know which key a SPICE dataset is encrypted by, you can find this information in CloudTrail.
Verify the CMK that's currently used by a SPICE dataset
- Navigate to your CloudTrail log. For more information, see Logging QuickSight information with Amazon CloudTrail.
- Locate the most recent grant events for the SPICE dataset, using the following search arguments:
  - The event name (eventName) contains Grant.
  - The request parameters (requestParameters) contain the QuickSight ARN for the dataset.

        {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": "AWSService",
                "invokedBy": "quicksight.amazonaws.com"
            },
            "eventTime": "2022-10-26T00:11:08Z",
            "eventSource": "kms.amazonaws.com",
            "eventName": "CreateGrant",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "quicksight.amazonaws.com",
            "userAgent": "quicksight.amazonaws.com",
            "requestParameters": {
                "constraints": {
                    "encryptionContextSubset": {
                        "aws:quicksight:arn": "arn:aws-cn:quicksight:us-west-2:111122223333:dataset/12345678-1234-1234-1234-123456789012"
                    }
                },
                "retiringPrincipal": "quicksight.amazonaws.com",
                "keyId": "arn:aws-cn:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321",
                "granteePrincipal": "quicksight.amazonaws.com",
                "operations": [
                    "Encrypt",
                    "Decrypt",
                    "DescribeKey",
                    "GenerateDataKey"
                ]
            },
            ....
        }
- Depending on the event type, one of the following applies:
  - CreateGrant – You can find the most recently used CMK in the key ID (keyId) for the last CreateGrant event for the SPICE dataset.
  - RetireGrant – If the latest CloudTrail event of the SPICE dataset is RetireGrant, there is no key ID and the SPICE dataset is no longer CMK encrypted.
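
The procedure above can be applied to an exported set of CloudTrail records with a short script. This is an added example, not code from the original documentation: the function name current_cmk, the OTHER_* values, the later events and the layout of the RetireGrant record are constructed assumptions, and only the first CreateGrant record reuses values from the sample event.

```python
import json

# Values from the sample event above; OTHER_* and the later events are constructed.
DATASET_ARN = "arn:aws-cn:quicksight:us-west-2:111122223333:dataset/12345678-1234-1234-1234-123456789012"
KEY_ARN = "arn:aws-cn:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321"
OTHER_ARN = "arn:aws-cn:quicksight:us-west-2:111122223333:dataset/00000000-0000-0000-0000-000000000000"
OTHER_KEY = "arn:aws-cn:kms:us-west-2:111122223333:key/11111111-1111-1111-1111-111111111111"


def _event(name, time, dataset_arn, key_id=None):
    """Build a trimmed CloudTrail record (constructed; a RetireGrant's real layout may differ)."""
    params = {"constraints": {"encryptionContextSubset": {"aws:quicksight:arn": dataset_arn}}}
    if key_id:
        params["keyId"] = key_id
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "eventTime": time, "requestParameters": params}


SAMPLE_EVENTS = [
    _event("CreateGrant", "2022-10-26T00:11:08Z", DATASET_ARN, KEY_ARN),
    _event("CreateGrant", "2022-10-26T00:30:00Z", OTHER_ARN, OTHER_KEY),
    _event("RetireGrant", "2022-10-27T09:00:00Z", DATASET_ARN),
]


def current_cmk(events, dataset_arn):
    """Return (latest grant event name, key ARN or None) for one SPICE dataset."""
    matches = [
        e for e in events
        if e.get("eventSource") == "kms.amazonaws.com"
        # The two grant events the procedure interprets.
        and e.get("eventName") in ("CreateGrant", "RetireGrant")
        # Textual match, like the console search: no assumption about nesting.
        and dataset_arn in json.dumps(e.get("requestParameters") or {})
    ]
    if not matches:
        return None, None  # no grant history in this log window
    # Same-format ISO 8601 UTC timestamps sort chronologically as strings.
    latest = max(matches, key=lambda e: e["eventTime"])
    if latest["eventName"] == "CreateGrant":
        return "CreateGrant", latest["requestParameters"].get("keyId")
    return "RetireGrant", None  # dataset is no longer CMK encrypted


if __name__ == "__main__":
    print(current_cmk(SAMPLE_EVENTS, DATASET_ARN))
```

A result of (None, None) means only that no grant event for the dataset fell inside the records supplied, so widen the time range before drawing a conclusion about the dataset's encryption.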