Class AssociateKmsKeyCommandProtected

Associates the specified KMS key with the specified log group.

Associating a KMS key with a log group overrides any existing associations between the log group and a KMS key. After a KMS key is associated with a log group, all newly ingested data for the log group is encrypted using the KMS key. This association is stored as long as the data encrypted with the KMS keyis still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.

CloudWatch Logs supports only symmetric KMS keys. Do not use an associate an asymmetric KMS key with your log group. For more information, see Using Symmetric and Asymmetric Keys.

It can take up to 5 minutes for this operation to take effect.

If you attempt to associate a KMS key with a log group but the KMS key does not exist or the KMS key is disabled, you receive an InvalidParameterException error.

Example

Use a bare-bones client and the command you need to make an API call.

import { CloudWatchLogsClient, AssociateKmsKeyCommand } from "@aws-sdk/client-cloudwatch-logs"; // ES Modules import
// const { CloudWatchLogsClient, AssociateKmsKeyCommand } = require("@aws-sdk/client-cloudwatch-logs"); // CommonJS import
const client = new CloudWatchLogsClient(config);
const command = new AssociateKmsKeyCommand(input);
const response = await client.send(command);

Param

AssociateKmsKeyCommandInput

Returns

AssociateKmsKeyCommandOutput

See

• AssociateKmsKeyCommandInput for command's input shape.
• AssociateKmsKeyCommandOutput for command's response shape.
• config for CloudWatchLogsClient's config shape.

Throws

InvalidParameterException (client fault)

A parameter is specified incorrectly.

Throws

OperationAbortedException (client fault)

Multiple concurrent requests to update the same resource were in conflict.

Throws

ResourceNotFoundException (client fault)

The specified resource does not exist.

Throws

ServiceUnavailableException (server fault)

The service cannot complete the request.