Encryption at Rest - Amazon QuickSight

Encryption at Rest

Amazon QuickSight securely stores your Amazon QuickSight metadata. This includes the following:

  • Amazon QuickSight user data, including Amazon QuickSight user names, email addresses, and passwords. Amazon QuickSight administrators can view user names and emails, but each user's password is completely private to that user.

  • Minimal data necessary to coordinate user identification with your Microsoft Active Directory or identity federation implementation (Federated Single Sign-On (SSO) through Security Assertion Markup Language 2.0 (SAML 2.0)).

  • Data source connection data.

  • Names of your uploaded files, data source names, and data set names.

  • Statistics that Amazon QuickSight uses to populate machine learning (ML) insights.

Encryption for each source that you use for data is controlled by that data source or file system. Amazon QuickSight doesn't store any actual data except metadata and data that you upload into SPICE. In Enterprise edition, data at rest in SPICE is encrypted using block-level encryption with AWS-managed keys. In Standard edition, data at rest in SPICE is securely stored, but not encrypted. For information about upgrading to Enterprise edition, see Upgrading Your Amazon QuickSight Subscription from Standard Edition to Enterprise Edition.
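The edition rule above can be checked against an account. The following Python is an added example, not part of the AWS documentation: it reads the account edition and lists the datasets whose data is imported into SPICE. It assumes the boto3 QuickSight calls `describe_account_settings` and `list_data_sets`; `StubQuickSight`, the dataset names, and the account ID are constructed so that the code runs offline.

```python
# Edition -> SPICE at-rest status as stated on this page; other values need review.
SPICE_AT_REST = {"ENTERPRISE": "encrypted", "STANDARD": "not-encrypted"}


def audit_spice(client, account_id):
    """Return (edition, SPICE at-rest status, names of datasets held in SPICE)."""
    settings = client.describe_account_settings(AwsAccountId=account_id)
    edition = settings["AccountSettings"]["Edition"]
    status = SPICE_AT_REST.get(edition, "review")
    spice, token = [], None
    while True:  # list_data_sets is paginated through NextToken
        kwargs = {"AwsAccountId": account_id}
        if token:
            kwargs["NextToken"] = token
        page = client.list_data_sets(**kwargs)
        for ds in page.get("DataSetSummaries", []):
            # DIRECT_QUERY datasets stay in their source; only SPICE holds a copy
            if ds.get("ImportMode") == "SPICE":
                spice.append(ds["Name"])
        token = page.get("NextToken")
        if not token:
            break
    return edition, status, sorted(spice)


class StubQuickSight:
    """Constructed stand-in for boto3.client('quicksight'); sample data only."""
    def __init__(self, edition, pages):
        self.edition, self.pages = edition, pages

    def describe_account_settings(self, AwsAccountId):
        return {"AccountSettings": {"Edition": self.edition}}

    def list_data_sets(self, AwsAccountId, NextToken=None):
        index = int(NextToken or 0)
        page = {"DataSetSummaries": self.pages[index]}
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)
        return page


SAMPLE_PAGES = [  # constructed dataset summaries, two pages
    [{"Name": "sales-2023", "ImportMode": "SPICE"},
     {"Name": "live-orders", "ImportMode": "DIRECT_QUERY"}],
    [{"Name": "hr-headcount", "ImportMode": "SPICE"}]]


if __name__ == "__main__":
    print(audit_spice(StubQuickSight("STANDARD", SAMPLE_PAGES), "111122223333"))
```

To run it against a real account, pass `boto3.client("quicksight")` in place of the stub.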

When you delete a user, all of that user's metadata is permanently deleted. If you don't transfer that user's Amazon QuickSight objects to another user, all of the deleted user's Amazon QuickSight objects (data sources, datasets, analyses, and so on) are also deleted. When you unsubscribe from Amazon QuickSight, all metadata and any data you have in SPICE are completely and permanently deleted.