Data encryption in Amazon QuickSight

Amazon QuickSight uses the following data encryption features:

  • Encryption at rest

  • Encryption in transit

  • Key management

The topics below describe encryption at rest and encryption in transit in more detail. For more information about key management in QuickSight, see Key management.

Encryption at rest

Amazon QuickSight securely stores your Amazon QuickSight metadata. This includes the following:

  • Amazon QuickSight user data, including Amazon QuickSight user names, email addresses, and passwords. Amazon QuickSight administrators can view user names and emails, but each user's password is completely private to each user.

  • The minimal data needed to map each user to your Microsoft Active Directory or identity federation implementation (federated single sign-on with IAM Identity Center, or through Security Assertion Markup Language 2.0 (SAML 2.0)).

  • Data source connection data

  • Amazon QuickSight data source credentials (user name and password) or OAuth tokens used to establish a data source connection. If you register a customer managed key (CMK) with QuickSight, these are encrypted with your default CMK. If you don't register a CMK, QuickSight continues to encrypt them with a QuickSight-owned AWS KMS key.

  • Names of your uploaded files, data source names, and data set names.

  • Statistics that Amazon QuickSight uses to populate machine learning (ML) insights

Amazon QuickSight securely stores your Amazon QuickSight data. This includes the following:

  • Data-at-rest in SPICE is encrypted using hardware block-level encryption with AWS-managed keys.

  • Data-at-rest other than SPICE is encrypted using Amazon-managed KMS keys. This includes the following:

    • Email reports

    • Sample value for filters

When you delete a user, all of that user's metadata is permanently deleted. If you don't transfer that user's Amazon QuickSight objects to another user, all of the deleted user's Amazon QuickSight objects (data sources, datasets, analyses, and so on) are also deleted. When you unsubscribe from Amazon QuickSight, all metadata and any data you have in SPICE is completely and permanently deleted.

Encryption in transit

Amazon QuickSight supports encryption for all data transfers. This includes transfers from the data source to SPICE, or from SPICE to the user interface. However, encryption isn't mandatory. For some databases, you can choose whether transfers from the data source are encrypted or not. Amazon QuickSight secures all encrypted transfers by using Secure Sockets Layer (SSL).