Key management - Amazon QuickSight
Using AWS managed keys in QuickSightEncrypting SPICE datasets with customer-managed keys

Important: We've redesigned the Amazon QuickSight analysis workspace. You might encounter screenshots or procedural text that doesn't reflect the new look in the QuickSight console. We're in the process of updating screenshots and procedural text.

To find a feature or item, use the Quick search bar.

For more information on QuickSight's new look, see Introducing new analysis experience on Amazon QuickSight.

Key management

Using AWS managed keys in QuickSight

All non-customer managed keys associated with Amazon QuickSight are managed by AWS.

Database server certificates that are not managed by AWS are the responsibility of the customer and should be signed by a trusted CA. For more information, see Network and database configuration requirements.

Using customer-managed keys from AWS KMS with SPICE datasets in Amazon QuickSight

QuickSight enables you to encrypt your SPICE datasets using the keys you have stored in AWS Key Management Service. This provides you with the tools to audit access to data and satisfy regulatory security requirements. If you need to do so, you have the option to immediately lock down access to your data by revoking access to AWS KMS keys. All data access to encrypted datasets in QuickSight SPICE is logged in AWS CloudTrail. Administrators or auditors can trace data access in CloudTrail to identify when and where data was accessed.

To create customer-managed keys (CMKs), you use AWS Key Management Service (AWS KMS) in the same AWS account and AWS Region as the Amazon QuickSight SPICE dataset. A QuickSight administrator can then use a CMK to encrypt SPICE datasets and control access.

The following rules apply to using CMKs with SPICE datasets:

  • Amazon QuickSight doesn't support asymmetric AWS KMS keys.

  • You can have multiple CMKs and one default CMK per AWS account per AWS Region.

  • The key that is currently the default CMK is automatically used to encrypt new SPICE datasets.

  • Some features always use QuickSight's default encryption instead of applying SPICE CMK settings:

    • Amazon S3 analytics dashboard

    • Augmenting data with Amazon SageMaker

    • Direct file uploads

    • Exporting data with the following methods:

      • Exporting visual data to a .csv, .xlsx, or .pdf file

      • Reporting data in a .csv, .xlsx, or .pdf file

    • ML-powered anomaly detection

    • QuickSight Q

Note

If you use AWS Key Management Service with Amazon QuickSight, you are billed for access and maintenance as described in the AWS Key Management Service Pricing page. In your billing statement, the costs are itemized under AWS KMS and not under QuickSight.

Add a CMK to your account

Before you begin, make sure that you have an IAM role that grants the admin user access to the Amazon QuickSight admin key management console. For more information on the required permissions, see IAM identity-based policies for Amazon QuickSight: using the admin key management console .

You can add keys that already exist in AWS KMS to your QuickSight account, so that you can encrypt your SPICE datasets. Keys that you add only affect new datasets created in SPICE. If you have an existing SPICE dataset that you want to encrypt, perform a full refresh on the dataset to encrypt it with the default CMK.

To learn more about how you can create a key to use in QuickSight, see the AWS Key Management Service Developer Guide.

To add a new CMK to your QuickSight account.

  1. On the QuickSight start page, choose Manage QuickSight, and then choose KMS keys.

  2. On the KMS keys page, choose Manage. The KMS keys dashboard opens.

  3. On the KMS Keys dashboard, choose Select key.

  4. On the Select key pop-up box, choose Key to open the list. Then, select the key that you want to add.

    If your key isn't in the list, you can manually enter the key's ARN.

  5. (Optional) Select the Use as default encryption key for all new SPICE datasets in this QuickSight account to set the selected key as your default key. A blue badge appears next to the default key to indicate its status.

    When you choose a default key, all new SPICE datasets that are created in the Region that hosts your QuickSight account are encrypted with the default key.

  6. (Optional) Add more keys by repeating the previous steps in this procedure. While you can add as many keys as you want, you can only have one default key at one time.

Note

To use a specific key for a existing dataset, switch the account default key to the new key, then run a full refresh on the SPICE dataset.

Verify the key used by a SPICE dataset

When a key is used, an audit log is created in AWS CloudTrail. You can use the log to track the key's usage. If you need to know which key a SPICE dataset is encrypted by, you can find this information in CloudTrail.

Verify the CMK that's currently used by a SPICE dataset

  1. Navigate to your CloudTrail log. For more information, see Logging operations with AWS CloudTrail.

  2. Locate the most recent grant events for the SPICE dataset, using the following search arguments:

    • The event name (eventName) contains Grant.

    • The request parameters requestParameters contain the QuickSight ARN for the dataset.

    {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "quicksight.amazonaws.com"
    },
    "eventTime": "2022-10-26T00:11:08Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "quicksight.amazonaws.com",
    "userAgent": "quicksight.amazonaws.com",
    "requestParameters": {
        "constraints": {
            "encryptionContextSubset": {
                "aws:quicksight:arn": "arn:aws:quicksight:us-west-2:111122223333:dataset/12345678-1234-1234-1234-123456789012"
            }
        },
        "retiringPrincipal": "quicksight.amazonaws.com",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321",
        "granteePrincipal": "quicksight.amazonaws.com",
        "operations": [
            "Encrypt",
            "Decrypt",
            "DescribeKey",
            "GenerateDataKey"
        ]
    },
....
}

  3. Depending on the event type, one of the following applies:

    CreateGrant – You can find the most recently used CMK in the key ID (keyID) for the last CreateGrant event for the SPICE dataset.

    RetireGrant – If latest CloudTrail event of the SPICE dataset is RetireGrant, there is no key ID and the SPICE dataset is no longer CMK encrypted.

Changing the default CMK

You can change the default key to another key that already exists in the KMS keys dashboard. When you change the default key, all new datasets created in SPICE are encrypted on the new key. The new default key changes how new SPICE datasets are encrypted. However, existing datasets continue to use the previous default key until the dataset is fully refreshed. To encrypt the dataset with a new default key, perform a full refresh on the dataset.

To change the default key to an existing key

  1. On the QuickSight start page, choose Manage QuickSight, and then choose KMS keys.

  2. On the KMS keys page, choose MANAGE to open the KMS keys dashboard.

  3. Navigate to the key that you want to set as your new default. Choose Actions (three dots) on the row of the key that you want to open the key's menu.

  4. Choose Set as default.

    The selected key is now your default key.

Removing CMK encryption on your QuickSight account

You can remove the default key to disable SPICE dataset encryption in your QuickSight account. Removing the key prevents new datasets from encrypting on a CMK.

To remove CMK encryption for new SPICE datasets

  1. On the QuickSight start page, choose Manage QuickSight, and then choose KMS keys.

  2. On the KMS keys page, choose Manage to open the KMS keys dashboard.

  3. Choose Actions (three dots) on the row of the default key, and then choose Delete.

  4. In the pop-up box that appears, choose Remove.

After you delete the default key from your account, QuickSight stops encrypting new SPICE datasets. Any existing encrypted datasets stay encrypted until a full refresh occurs.

Auditing CMK usage in CloudTrail

You can audit your account's CMK usage in AWS CloudTrail. To audit your key usage, log in to your AWS account, open CloudTrail, and choose Event history.

Revoking access to a CMK-encrypted dataset

You can revoke access to your CMK-encrypted SPICE datasets. When you revoke access to a key that is used to encrypt a dataset, access to the dataset is denied until you undo the revoke. The following methods are examples of how you can revoke access:

  • Turn off the key in AWS KMS.

  • Add a Deny policy to your QuickSight KMS policy in IAM.

Use the following procedure to revoke access to your CMK-encrypted datasets in AWS KMS.

To turn off a CMK in AWS Key Management Service

  1. Log in to your AWS account, open AWS KMS, and choose Customer managed keys.

  2. Select the key that you want to turn off.

  3. Open the Key actions menu and choose Disable.

To prevent further use of the CMK, you could add a Deny policy in AWS Identity and Access Management (IAM). Use "Service": "quicksight.amazonaws.com" as the principal and the ARN of the key as the resource. Deny the following actions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey".

Important

After you revoke access by using any method, it can take up to 15 minutes for the SPICE dataset to become inaccessible.

Recovering an encrypted SPICE dataset

To recover a SPICE dataset while its access is revoked

  1. Restore access to the CMK. Usually, this is enough to recover the dataset.

  2. Test the SPICE dataset to see if you can see the data.

  3. (Optional) If the data is not fully recovered, even after you restored its access to the CMK, perform a full refresh on the dataset.