Key management operations - Amazon QuickSight

Key management operations

Use Amazon QuickSight key management APIs to list and update customer managed keys (CMKs) that are registered to a QuickSight account. For more information about key management in Amazon QuickSight, see Key management in the QuickSight User Guide.

Permissions

Before you begin, create or update an IAM role that grants permission to access and use all CMKs that are registered to your QuickSight account. At minimum, the IAM policy must contain the kms:CreateGrant, quicksight:UpdateKeyRegistration, and quicksight:DescribeKeyRegistration permissions. To see a list of IAM policy examples that can be used to grant different degrees of access to the CMKs in an account, see IAM identity-based policies for Amazon QuickSight: using the admin key management console.

CMK API Examples

The example below lists all customer managed keys that are registered to a QuickSight account.

aws quicksight describe-key-registration \
    --aws-account-id AWSACCOUNTID \
    --region REGION

The example below updates a CMK registration and designates a default key.

aws quicksight update-key-registration \
    --aws-account-id AWSACCOUNTID \
    --key-registration '[{"KeyArn": "KEYARN", "DefaultKey": true}]' \
    --region REGION

The example below updates the registration of two CMKs in a QuickSight account and designates one of the two updated keys as the new default key.

aws quicksight update-key-registration \
    --aws-account-id AWSACCOUNTID \
    --key-registration '[{"KeyArn": "KEYARN", "DefaultKey": true}, {"KeyArn": "KEYARN", "DefaultKey": false}]' \
    --region REGION

The example below clears all CMK registrations from a QuickSight account. After the registrations are cleared, QuickSight uses AWS owned keys to encrypt your resources.

aws quicksight update-key-registration \
    --aws-account-id AWSACCOUNTID \
    --key-registration '[]' \
    --region REGION
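
Because an empty --key-registration list silently moves the account back to AWS owned keys, a pre-flight check on the payload is useful before running update-key-registration. The following is an added example, not part of the AWS documentation: the function names, the KMS key ARN pattern, and the rule that a non-empty list names exactly one default key are assumptions of this check, and the ARNs are constructed sample values.

```python
import json
import re
import shlex

# Assumed KMS key ARN shape: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")

def check_key_registration(entries, allow_clear=False):
    """Return a list of problems found in a --key-registration payload."""
    if not isinstance(entries, list):
        return ["payload must be a JSON list"]
    if not entries:
        # '[]' removes every CMK registration; require an explicit opt-in.
        return [] if allow_clear else ["empty list clears all CMK registrations"]
    problems, seen, defaults = [], set(), 0
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be an object")
            continue
        arn = entry.get("KeyArn")
        if not isinstance(arn, str) or not KMS_KEY_ARN.match(arn):
            problems.append(f"entry {i}: KeyArn is not a KMS key ARN")
        elif arn in seen:
            problems.append(f"entry {i}: duplicate KeyArn")
        else:
            seen.add(arn)
        if not isinstance(entry.get("DefaultKey"), bool):
            problems.append(f"entry {i}: DefaultKey must be true or false")
        defaults += entry.get("DefaultKey") is True
    if defaults != 1:  # policy of this check, not documented API behavior
        problems.append(f"expected exactly one default key, found {defaults}")
    return problems

def build_command(account_id, region, entries, allow_clear=False):
    """Validate the payload, then return a shell-quoted CLI command line."""
    problems = check_key_registration(entries, allow_clear)
    if problems:
        raise ValueError("; ".join(problems))
    return shlex.join(["aws", "quicksight", "update-key-registration",
                       "--aws-account-id", account_id,
                       "--key-registration", json.dumps(entries),
                       "--region", region])

if __name__ == "__main__":
    # Constructed sample values, not real keys.
    arn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(build_command("111122223333", "us-east-1", [{"KeyArn": arn, "DefaultKey": True}]))
    print(check_key_registration([]))
```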