Data protection in Amazon X-Ray
Amazon X-Ray always encrypts traces and related data at rest. When you need to audit and disable encryption keys for compliance or internal requirements, you can configure X-Ray to use an Amazon Key Management Service (Amazon KMS) key to encrypt data.
X-Ray provides an Amazon managed key named aws/xray. Use this key when you just want to audit key usage in Amazon CloudTrail and don't need to manage the key itself. When you need to manage access to the key or configure key rotation, you can create a customer managed key.
When you change encryption settings, X-Ray spends some time generating and propagating data keys. While the new key is being processed, X-Ray may encrypt data with a combination of the new and old settings. Existing data is not re-encrypted when you change encryption settings.
Note
Amazon KMS charges when X-Ray uses a KMS key to encrypt or decrypt trace data.
- Default encryption – Free.
- Amazon managed key – Pay for key use.
- Customer managed key – Pay for key storage and use.
See Amazon Key Management Service Pricing.
Note
X-Ray Insights notifications send events to Amazon EventBridge, which does not currently support customer managed keys. For more information, see Data Protection in Amazon EventBridge.
You must have user-level access to a customer managed key to configure X-Ray to use it, and to then view encrypted traces. See User permissions for encryption for more information.
Note
X-Ray does not support asymmetric KMS keys.
If X-Ray is unable to access your encryption key, it stops storing data. This can happen if your user loses access to the KMS key, or if you disable a key that's currently in use. When this happens, X-Ray shows a notification in the navigation bar.
To configure encryption settings with the X-Ray API, see Configuring sampling, groups, and encryption settings with the Amazon X-Ray API.
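The constraints above (symmetric keys only, a disabled key halts trace storage, settings propagate for a while after a change, and only a customer managed key gives you control over access and rotation) can be checked mechanically. The following script is an added example, not code from the X-Ray documentation or the AWS SDK. It assumes the documented response shapes of the X-Ray GetEncryptionConfig API and the KMS DescribeKey and GetKeyRotationStatus APIs; the sample responses embedded in it are constructed, and the key ARN and account ID in them are placeholders.

```python
"""Audit an X-Ray encryption configuration against the constraints on this page.

Added example, not AWS documentation code. Assumes the response shapes of the
real X-Ray GetEncryptionConfig and KMS DescribeKey / GetKeyRotationStatus APIs.
The sample responses below are constructed; the key ARN is a placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    severity: str  # "fail" (X-Ray stops storing data), "warn", or "info"
    message: str


def audit_encryption(xray_cfg: dict, kms_key: Optional[dict],
                     rotation: Optional[dict]) -> List[Finding]:
    """Return findings for one X-Ray encryption configuration."""
    findings: List[Finding] = []
    cfg = xray_cfg["EncryptionConfig"]

    if cfg["Type"] == "NONE":
        findings.append(Finding("info", "default encryption: no KMS charges, but "
                                "key usage is not visible in CloudTrail"))
        return findings

    # Type is KMS. After a change, data keys are still being generated/propagated.
    if cfg.get("Status") == "UPDATING":
        findings.append(Finding("warn", "encryption change still propagating; data "
                                "may be written under a mix of old and new settings"))

    if kms_key is None:
        findings.append(Finding("fail", "KMS key %s could not be described; X-Ray "
                                "stops storing data if it cannot use its key"
                                % cfg.get("KeyId")))
        return findings

    meta = kms_key["KeyMetadata"]
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":  # asymmetric keys unsupported
        findings.append(Finding("fail", "key spec %s is not supported by X-Ray"
                                % meta.get("KeySpec")))
    if meta.get("KeyState") != "Enabled":  # disabled/pending deletion halts storage
        findings.append(Finding("fail", "key state is %s; X-Ray cannot encrypt "
                                "new traces" % meta.get("KeyState")))
    if meta.get("KeyManager") == "AWS":
        findings.append(Finding("info", "Amazon managed key: usage is auditable, "
                                "but access and rotation are not yours to manage"))
    elif rotation is not None and not rotation.get("KeyRotationEnabled"):
        findings.append(Finding("warn", "customer managed key has automatic "
                                "rotation disabled"))
    return findings


def overall(findings: List[Finding]) -> str:
    """Collapse findings to the worst severity: 'fail' > 'warn' > 'ok'."""
    levels = {f.severity for f in findings}
    return "fail" if "fail" in levels else "warn" if "warn" in levels else "ok"


def fetch_live(region: Optional[str] = None):
    """Pull the three responses from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the constructed samples run without it
    xray = boto3.client("xray", region_name=region)
    kms = boto3.client("kms", region_name=region)
    cfg = xray.get_encryption_config()
    key_id = cfg["EncryptionConfig"].get("KeyId")
    key = kms.describe_key(KeyId=key_id) if key_id else None
    rot = None
    if key and key["KeyMetadata"]["KeyManager"] == "CUSTOMER":
        rot = kms.get_key_rotation_status(KeyId=key_id)
    return cfg, key, rot


# Constructed sample responses (placeholder ARN and account ID).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def _sample(status="ACTIVE", state="Enabled", rotating=True):
    return ({"EncryptionConfig": {"Type": "KMS", "Status": status, "KeyId": KEY_ARN}},
            {"KeyMetadata": {"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "CUSTOMER",
                             "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": state}},
            {"KeyRotationEnabled": rotating})


HEALTHY = _sample()
DISABLED_KEY = _sample(state="Disabled")
UPDATING = _sample(status="UPDATING")
DEFAULT = ({"EncryptionConfig": {"Type": "NONE", "Status": "ACTIVE"}}, None, None)

if __name__ == "__main__":
    for name, sample in [("healthy", HEALTHY), ("disabled-key", DISABLED_KEY)]:
        found = audit_encryption(*sample)
        print(name, overall(found))
        for f in found:
            print("  [%s] %s" % (f.severity, f.message))
```

Run it as-is to see the constructed samples evaluated; against a real account, replace the samples with `audit_encryption(*fetch_live("us-east-1"))`. The caller needs kms:DescribeKey and kms:GetKeyRotationStatus on the key in addition to xray:GetEncryptionConfig, which matches the page's point that user-level access to the key is required to work with an encrypted configuration.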