Class DisassociateKmsKeyCommandProtected

Disassociates the specified KMS key from the specified log group or from all CloudWatch Logs Insights query results in the account.

When you use DisassociateKmsKey, you specify either the logGroupName parameter or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.

• Specify the logGroupName parameter to stop using the KMS key to encrypt future log events ingested and stored in the log group. Instead, they will be encrypted with the default CloudWatch Logs method. The log events that were ingested while the key was associated with the log group are still encrypted with that key. Therefore, CloudWatch Logs will need permissions for the key whenever that data is accessed.

• Specify the resourceIdentifier parameter with the query-result resource to stop using the KMS key to encrypt the results of all future StartQuery operations in the account. They will instead be encrypted with the default CloudWatch Logs method. The results from queries that ran while the key was associated with the account are still encrypted with that key. Therefore, CloudWatch Logs will need permissions for the key whenever that data is accessed.

It can take up to 5 minutes for this operation to take effect.

Example

Use a bare-bones client and the command you need to make an API call.

import { CloudWatchLogsClient, DisassociateKmsKeyCommand } from "@aws-sdk/client-cloudwatch-logs"; // ES Modules import
// const { CloudWatchLogsClient, DisassociateKmsKeyCommand } = require("@aws-sdk/client-cloudwatch-logs"); // CommonJS import
const client = new CloudWatchLogsClient(config);
const input = { // DisassociateKmsKeyRequest
  logGroupName: "STRING_VALUE",
  resourceIdentifier: "STRING_VALUE",
};
const command = new DisassociateKmsKeyCommand(input);
const response = await client.send(command);
// {};

Param

DisassociateKmsKeyCommandInput

Returns

DisassociateKmsKeyCommandOutput

See

• DisassociateKmsKeyCommandInput for command's input shape.
• DisassociateKmsKeyCommandOutput for command's response shape.
• config for CloudWatchLogsClient's config shape.

Throws

InvalidParameterException (client fault)

A parameter is specified incorrectly.

Throws

OperationAbortedException (client fault)

Multiple concurrent requests to update the same resource were in conflict.

Throws

ResourceNotFoundException (client fault)

The specified resource does not exist.

Throws

ServiceUnavailableException (server fault)

The service cannot complete the request.

Throws

CloudWatchLogsServiceException

Base exception class for all service exceptions from CloudWatchLogs service.