Encrypting Amazon QuickSight SPICE datasets with Amazon Key Management Service customer-managed keys - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypting Amazon QuickSight SPICE datasets with Amazon Key Management Service customer-managed keys

QuickSight enables you to encrypt your SPICE datasets with the keys you have stored in Amazon Key Management Service. This provides you with the tools to audit access to data and satisfy regulatory security requirements. If you need to do so, you have the option to immediately lock down access to your data by revoking access to Amazon KMS keys. All data access to encrypted resources in QuickSight is logged in Amazon CloudTrail. Administrators or auditors can trace data access in CloudTrail to identify when and where data was accessed.

To create customer-managed keys (CMKs), you use Amazon Key Management Service (Amazon KMS) in the same Amazon account and Amazon Region as the Amazon QuickSight resource. A QuickSight administrator can then use a CMK to encrypt SPICE datasets and control access.

You can create and manage CMKs in the QuickSight console or with the QuickSight APIs. For more information about creating and managing CMKs with the QuickSight APIs, see Key management operations.

The following rules apply to using CMKs with resources:

  • Amazon QuickSight doesn't support asymmetric Amazon KMS keys.

  • You can have multiple CMKs and one default CMK per Amazon Web Services account per Amazon Web Services Region.

  • The key that is currently the default CMK is automatically used to encrypt new SPICE datasets.

  • By default, QuickSight resources are encrypted with QuickSight–native encryption strategies.

Note

If you use Amazon Key Management Service with Amazon QuickSight, you are billed for access and maintenance as described in the Amazon Key Management Service Pricing page. In your billing statement, the costs are itemized under Amazon KMS and not under QuickSight.

All non-customer managed keys associated with Amazon QuickSight are managed by Amazon.

Database server certificates that are not managed by Amazon are the responsibility of the customer and should be signed by a trusted CA. For more information, see Network and database configuration requirements.

Use the following topics to learn more about using CMKs with Amazon QuickSight.

Topics