Revoking access to CMK-encrypted QuickSight data
You can revoke access to your CMK-encrypted QuickSight data. When you revoke access to a key that is used to encrypt your QuickSight data, access to the data is denied until you undo the revoke. The following methods are examples of how you can revoke access:
- Turn off the key in AWS KMS.
- Add a Deny policy to your QuickSight AWS KMS policy in IAM.
To learn more about which data can be managed with the key, see Encrypting your QuickSight data with AWS Key Management Service customer-managed keys.
Use the following procedure to revoke access to your CMK-encrypted QuickSight data in AWS KMS.
To turn off a CMK in AWS Key Management Service
- Log in to your AWS account, open AWS KMS, and choose Customer managed keys.
- Select the key that you want to turn off.
- Open the Key actions menu and choose Disable.

To prevent further use of the CMK, you could add a Deny policy in AWS Identity and Access Management (IAM). Use "Service": "quicksight.amazonaws.com" as the principal and the ARN of the key as the resource. Deny the following actions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey".
Important
After you revoke access by using any method, it can take up to 15 minutes for the data to become inaccessible.