Data protection in Amazon X-Ray - Amazon X-Ray
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Data protection in Amazon X-Ray

Amazon X-Ray always encrypts traces and related data at rest. When you need to audit and disable encryption keys for compliance or internal requirements, you can configure X-Ray to use an Amazon Key Management Service (Amazon KMS) key to encrypt data.

X-Ray provides an Amazon managed key named aws/xray. Use this key when you just want to audit key usage in Amazon CloudTrail and don't need to manage the key itself. When you need to manage access to the key or configure key rotation, you can create a customer managed key.

When you change encryption settings, X-Ray spends some time generating and propagating data keys. While the new key is being processed, X-Ray may encrypt data with a combination of the new and old settings. Existing data is not re-encrypted when you change encryption settings.

Note

Amazon KMS charges when X-Ray uses a KMS key to encrypt or decrypt trace data.

  • Default encryption – Free.

  • Amazon managed key – Pay for key use.

  • Customer managed key – Pay for key storage and use.

See Amazon Key Management Service Pricing for details.

Note

X-Ray Insights notifications send events to Amazon EventBridge, which does not currently support customer managed keys. For more information, see Data Protection in Amazon EventBridge.

You must have user-level access to a customer managed key to configure X-Ray to use it, and to then view encrypted traces. See User permissions for encryption for more information.

X-Ray console

To configure X-Ray to use a KMS key for encryption using the X-Ray console

  1. Open the X-Ray console.

  2. Choose Encryption.

  3. Choose Use a KMS key.

  4. Choose a key from the dropdown menu:

    • aws/xray – Use the Amazon managed key.

    • key alias – Use a customer managed key in your account.

    • Manually enter a key ARN – Use a customer managed key in a different account. Enter the full Amazon Resource Name (ARN) of the key in the field that appears.

  5. Choose Apply.

CloudWatch console

To configure X-Ray to use a KMS key for encryption using the CloudWatch console

  1. Sign in to the Amazon Web Services Management Console and open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.

  2. Choose Settings in the left navigation pane.

  3. Choose View settings under Encryption within the X-Ray traces section.

  4. Choose Edit in the Encryption configuration section.

  5. Choose Use a KMS key.

  6. Choose a key from the dropdown menu:

    • aws/xray – Use the Amazon managed key.

    • key alias – Use a customer managed key in your account.

    • Manually enter a key ARN – Use a customer managed key in a different account. Enter the full Amazon Resource Name (ARN) of the key in the field that appears.

  7. Choose Update encryption.

Note

X-Ray does not support asymmetric KMS keys.

If X-Ray is unable to access your encryption key, it stops storing data. This can happen if your user loses access to the KMS key, or if you disable a key that's currently in use. When this happens, X-Ray shows a notification in the navigation bar.

To configure encryption settings with the X-Ray API, see Configuring sampling, groups, and encryption settings with the Amazon X-Ray API.
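The console procedures above map onto two X-Ray API operations, PutEncryptionConfig (set the key) and GetEncryptionConfig (read back the current setting and its propagation status). The following Python is an added example, not code from the X-Ray documentation or the service SDK: it builds the PutEncryptionConfig parameters for each of the console's key choices, and it assesses a GetEncryptionConfig response the way a compliance check would, flagging a cross-account key (detectable only from a full key ARN) and the UPDATING status during which, as described above, new traces may be written under either the old or the new setting. The response shape (EncryptionConfig with KeyId, Status and Type) is the real API's; the sample responses, account ID and key IDs are constructed for the example.

```python
import re
from typing import Optional

# KMS key identifier shapes: key or alias ARN, bare key ID, or alias name.
# Group 2 of the ARN pattern is the owning account, used for the cross-account check.
_KEY_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:(\d{12}):(key|alias)/.+$")
_KEY_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_ALIAS = re.compile(r"^alias/[A-Za-z0-9/_-]+$")


def build_put_encryption_config(key_id: Optional[str]) -> dict:
    """Return the parameter dict for X-Ray's PutEncryptionConfig.

    key_id=None selects default encryption (Type NONE). Any other value selects
    a KMS key: "alias/aws/xray" for the Amazon managed key, an alias or key ID
    for a key in this account, or a full key ARN for a key in another account
    (the console's "Manually enter a key ARN" option).
    """
    if key_id is None:
        return {"Type": "NONE"}
    if not (_KEY_ARN.match(key_id) or _KEY_ID.match(key_id) or _ALIAS.match(key_id)):
        raise ValueError(f"unrecognised KMS key identifier: {key_id!r}")
    return {"Type": "KMS", "KeyId": key_id}


def assess_encryption_config(response: dict, own_account: str) -> dict:
    """Summarise a GetEncryptionConfig response for a compliance check.

    Reports whether a KMS key is in use, whether that key lives in a different
    account than own_account (only knowable when KeyId is a full ARN), and
    whether X-Ray is still propagating a change (Status UPDATING), in which
    case new traces may be encrypted under a mix of old and new settings.
    """
    cfg = response["EncryptionConfig"]
    key_id = cfg.get("KeyId")  # absent when Type is NONE
    arn = _KEY_ARN.match(key_id) if key_id else None
    return {
        "kms": cfg["Type"] == "KMS",
        "key_id": key_id,
        "cross_account": bool(arn and arn.group(2) != own_account),
        "propagating": cfg["Status"] == "UPDATING",
    }


if __name__ == "__main__":
    # Constructed sample: account and key IDs are placeholders, not real resources.
    own = "111122223333"
    cross_account_key = "arn:aws-cn:kms:cn-north-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"

    print(build_put_encryption_config(None))
    print(build_put_encryption_config("alias/aws/xray"))
    print(build_put_encryption_config(cross_account_key))

    # Constructed GetEncryptionConfig responses, mirroring the real response shape.
    sample_updating = {"EncryptionConfig": {"KeyId": cross_account_key, "Status": "UPDATING", "Type": "KMS"}}
    sample_default = {"EncryptionConfig": {"Status": "ACTIVE", "Type": "NONE"}}
    print(assess_encryption_config(sample_updating, own))
    print(assess_encryption_config(sample_default, own))
```

In a real audit the response would come from the xray GetEncryptionConfig call for each Region, and a finding of propagating=True should be re-checked later rather than treated as settled, since the page notes that existing data is never re-encrypted and only new data picks up the new key.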