Before you begin, make sure that you have an IAM role that grants the admin user access to the Amazon QuickSight admin key management console. For more information on the required permissions, see IAM identity-based policies for Amazon QuickSight: using the admin key management console.
You can add keys that already exist in AWS KMS to your QuickSight account, so that you can encrypt your SPICE datasets. Keys that you add only affect new datasets created in SPICE. If you have an existing SPICE dataset that you want to encrypt, perform a full refresh on the dataset to encrypt it with the default CMK.
To learn more about how you can create a key to use in QuickSight, see the AWS Key Management Service Developer Guide.
To add a new CMK to your QuickSight account:
- On the QuickSight start page, choose Manage QuickSight, and then choose KMS keys.
- On the KMS keys page, choose Manage. The KMS keys dashboard opens.
- On the KMS keys dashboard, choose Select key.
- On the Select key pop-up box, choose Key to open the list. Then, select the key that you want to add.
  If your key isn't in the list, you can manually enter the key's ARN.
- (Optional) Select Use as default encryption key for all new SPICE datasets in this QuickSight account to set the selected key as your default key. A blue badge appears next to the default key to indicate its status.
  When you choose a default key, all new SPICE datasets that are created in the Region that hosts your QuickSight account are encrypted with the default key.
- (Optional) Add more keys by repeating the previous steps in this procedure. While you can add as many keys as you want, you can only have one default key at one time.
Note
To use a specific key for an existing dataset, switch the account default key to the new key, then run a full refresh on the SPICE dataset.
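The following added example is not part of the original page. It shows a pre-flight check for teams that script the procedure above instead of using the console: it validates manually entered key ARNs and enforces the one-default-key rule while building the `KeyRegistration` list (entries of `KeyArn` and `DefaultKey`) that the QuickSight `UpdateKeyRegistration` API accepts. The function name, the sample ARNs, and the same-Region check are assumptions made for illustration.

```python
import json
import re

# KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
# Alias ARNs (":alias/...") are deliberately rejected; the page asks for the key's ARN.
KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:([a-z0-9-]+):(\d{12}):key/([A-Za-z0-9-]+)$"
)

def build_key_registration(key_arns, default_arn=None, region=None):
    """Return a KeyRegistration list, rejecting malformed or inconsistent input.

    default_arn is a single value, so at most one entry can carry
    DefaultKey=True, matching the "one default key at one time" rule.
    region (optional) is an assumed policy check: keys should live in the
    Region that hosts the QuickSight account.
    """
    seen, registration = set(), []
    for arn in key_arns:
        match = KEY_ARN.match(arn)
        if not match:
            raise ValueError(f"not a KMS key ARN: {arn!r}")
        if region and match.group(2) != region:
            raise ValueError(f"key is in {match.group(2)}, expected {region}: {arn}")
        if arn in seen:
            raise ValueError(f"duplicate key: {arn}")
        seen.add(arn)
        registration.append({"KeyArn": arn, "DefaultKey": arn == default_arn})
    if default_arn is not None and default_arn not in seen:
        raise ValueError("default key must be one of the keys being added")
    return registration

if __name__ == "__main__":
    # Constructed sample ARNs (placeholder account and key IDs).
    keys = [
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
    ]
    payload = build_key_registration(keys, default_arn=keys[0], region="us-east-1")
    # The JSON can be reviewed before it is passed to UpdateKeyRegistration.
    print(json.dumps(payload, indent=2))
```

As in the console, changing the default key only affects new SPICE datasets; existing datasets still need a full refresh.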