Using customer-managed keys from Amazon KMS with SPICE datasets in the Amazon QuickSight console - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using customer-managed keys from Amazon KMS with SPICE datasets in the Amazon QuickSight console

QuickSight can encrypt your SPICE datasets with keys that you store in Amazon Key Management Service (Amazon KMS). This gives you the tools to audit access to the data and to satisfy regulatory security requirements. If you need to, you can immediately lock down access to your data by revoking access to the Amazon KMS keys. All data access to encrypted datasets in QuickSight SPICE is logged in Amazon CloudTrail, so administrators or auditors can trace in CloudTrail when and where data was accessed.

To create customer-managed keys (CMKs), you use Amazon Key Management Service (Amazon KMS) in the same Amazon account and Amazon Region as the Amazon QuickSight SPICE dataset. A QuickSight administrator can then use a CMK to encrypt SPICE datasets and control access.

You can create and manage CMKs in the QuickSight console or with the QuickSight APIs. For more information about creating and managing CMKs with the QuickSight APIs, see Key management operations.

The following rules apply to using CMKs with SPICE datasets:

  • Amazon QuickSight doesn't support asymmetric Amazon KMS keys.

  • You can have multiple CMKs and one default CMK per Amazon Web Services account per Amazon Web Services Region.

  • The key that is currently the default CMK is automatically used to encrypt new SPICE datasets.

  • Some features always use QuickSight's default encryption instead of applying SPICE CMK settings:

    • Amazon S3 analytics dashboard

    • Augmenting data with Amazon SageMaker AI

    • Direct file uploads

    • Exporting data with the following methods:

      • Exporting visual data to a .csv, .xlsx, or .pdf file

      • Reporting data in a .csv, .xlsx, or .pdf file

    • ML-powered anomaly detection

    • QuickSight Q

Note

If you use Amazon Key Management Service with Amazon QuickSight, you are billed for access and maintenance as described in the Amazon Key Management Service Pricing page. In your billing statement, the costs are itemized under Amazon KMS and not under QuickSight.

All non-customer-managed keys associated with Amazon QuickSight are managed by Amazon.

Database server certificates that are not managed by Amazon are the responsibility of the customer and should be signed by a trusted CA. For more information, see Network and database configuration requirements.