


# Turn on KMS key encryption of session data (console)
<a name="session-preferences-enable-encryption"></a>

Use Amazon Key Management Service (Amazon KMS) to create and manage encryption keys. With Amazon KMS, you can control the use of encryption across a wide range of Amazon Web Services services and in your applications. You can specify that session data transmitted between your managed nodes and the local machines of users in your Amazon Web Services account is encrypted using KMS key encryption. (This is in addition to the TLS 1.2/1.3 encryption that Amazon already provides by default.) To encrypt Session Manager session data, create a *symmetric* KMS key using Amazon KMS.

Amazon KMS encryption is available for `Standard_Stream`, `InteractiveCommands`, and `NonInteractiveCommands` session types. To use the option to encrypt session data using a key created in Amazon KMS, version 2.3.539.0 or later of Amazon Systems Manager SSM Agent must be installed on the managed node. 

**Note**  
You must allow Amazon KMS encryption in order to reset passwords on your managed nodes from the Amazon Systems Manager console. For more information, see [Reset a password on a managed node](fleet-manager-reset-password.md#managed-instance-reset-a-password).

You can use a key that you created in your Amazon Web Services account. You can also use a key that was created in a different Amazon Web Services account. The creator of the key in a different Amazon Web Services account must provide you with the permissions needed to use the key.

After you turn on KMS key encryption for your session data, both the users who start sessions and the managed nodes that they connect to must have permission to use the key. You provide permission to use the KMS key with Session Manager through Amazon Identity and Access Management (IAM) policies. For information, see the following topics:
+ Add Amazon KMS permissions for users in your account: [Sample IAM policies for Session Manager](getting-started-restrict-access-quickstart.md).
+ Add Amazon KMS permissions for managed nodes in your account: [Step 2: Verify or add instance permissions for Session Manager](session-manager-getting-started-instance-profile.md).

For more information about creating and managing KMS keys, see the [*Amazon Key Management Service Developer Guide*](https://docs.amazonaws.cn/kms/latest/developerguide/).

For information about using the Amazon CLI to turn on KMS key encryption of session data in your account, see [Create a Session Manager preferences document (command line)](getting-started-create-preferences-cli.md) or [Update Session Manager preferences (command line)](getting-started-configure-preferences-cli.md).

**Note**  
There is a charge to use KMS keys. For information, see [Amazon Key Management Service pricing](https://www.amazonaws.cn/kms/pricing/).

**To turn on KMS key encryption of session data (console)**

1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

1. In the navigation pane, choose **Session Manager**.

1. Choose the **Preferences** tab, and then choose **Edit**.

1. Select the check box next to **Enable KMS encryption**.

1. Do one of the following:
   + Choose the button next to **Select a KMS key in my current account**, then select a key from the list.

     -or-

     Choose the button next to **Enter a KMS key alias or KMS key ARN**. Manually enter a KMS key alias for a key created in your current account, or enter the key Amazon Resource Name (ARN) for a key in another account. The following are examples:
     + Key alias: `alias/my-kms-key-alias`
     + Key ARN: `arn:aws-cn:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE`

     -or-

     Choose **Create new key** to create a new KMS key in your account. After you create the new key, return to the **Preferences** tab and select the key for encrypting session data in your account.

   For more information about sharing keys, see [Allowing External Amazon Web Services accounts to Access a key](https://docs.amazonaws.cn/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-external-accounts) in the *Amazon Key Management Service Developer Guide*.

1. Choose **Save**.
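
The prerequisites described above (supported session types, SSM Agent 2.3.539.0 or later, and keys owned by another account) can be checked offline before you save the preference. The following Python sketch is an added example, not code from this guide. The preferences-document layout (`sessionType`, `inputs.kmsKeyId`), the node names, and the account ID `444455556666` are assumptions constructed for illustration.

```python
import json

MIN_AGENT = (2, 3, 539, 0)  # minimum SSM Agent version stated on this page
KMS_SESSION_TYPES = {"Standard_Stream", "InteractiveCommands", "NonInteractiveCommands"}

def parse_version(text):
    """'2.3.68.0' -> (2, 3, 68, 0); compare numerically, never as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def key_account(key_ref):
    """Account ID inside a KMS ARN, or None for an alias or bare key ID."""
    parts = key_ref.split(":")
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[4]
    return None

def preflight(prefs, own_account, agent_versions):
    """Return findings to resolve before relying on KMS encryption of sessions."""
    findings = []
    if prefs.get("sessionType") not in KMS_SESSION_TYPES:
        findings.append("session type does not support KMS encryption")
    key = (prefs.get("inputs") or {}).get("kmsKeyId", "")
    if not key:
        findings.append("kmsKeyId is empty: KMS encryption is off")
    else:
        owner = key_account(key)
        if owner and owner != own_account:
            findings.append(f"key belongs to account {owner}: its owner must grant access")
    for node, version in sorted(agent_versions.items()):
        if parse_version(version) < MIN_AGENT:
            findings.append(f"{node}: SSM Agent {version} is older than 2.3.539.0")
    return findings

# Constructed sample data (assumed document layout; not real resources).
SAMPLE_PREFS = json.loads("""{
  "schemaVersion": "1.0",
  "sessionType": "Standard_Stream",
  "inputs": {"kmsKeyId": "arn:aws-cn:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE"}
}""")
SAMPLE_AGENTS = {"node-a": "2.3.68.0", "node-b": "3.2.2303.0"}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_PREFS, "444455556666", SAMPLE_AGENTS):
        print("FINDING:", finding)
```

Version strings are compared as integer tuples because a plain string comparison would rank `2.3.68.0` above `2.3.539.0` and miss an outdated agent.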