Verify the key used by QuickSight - Amazon QuickSight

Verify the key used by QuickSight

When a key is used, an audit log entry is created in AWS CloudTrail. You can use that log to track the key's usage. If you need to know which key your QuickSight data is encrypted with, you can find this information in CloudTrail.

To learn more about which data can be managed with the key, see Encrypting your QuickSight data with AWS Key Management Service customer-managed keys.

Verify the CMK that's currently used by a SPICE dataset
  1. Navigate to your CloudTrail log. For more information, see Logging QuickSight information with AWS CloudTrail.

  2. Locate the most recent grant events for the SPICE dataset, using the following search arguments:

    • The event name (eventName) contains Grant.

    • The request parameters (requestParameters) contain the QuickSight ARN for the dataset.

    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "AWSService",
        "invokedBy": "quicksight.amazonaws.com"
      },
      "eventTime": "2022-10-26T00:11:08Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "CreateGrant",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "quicksight.amazonaws.com",
      "userAgent": "quicksight.amazonaws.com",
      "requestParameters": {
        "constraints": {
          "encryptionContextSubset": {
            "aws:quicksight:arn": "arn:aws:quicksight:us-west-2:111122223333:dataset/12345678-1234-1234-1234-123456789012"
          }
        },
        "retiringPrincipal": "quicksight.amazonaws.com",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321",
        "granteePrincipal": "quicksight.amazonaws.com",
        "operations": [ "Encrypt", "Decrypt", "DescribeKey", "GenerateDataKey" ]
      },
      ....
    }
  3. Depending on the event type, one of the following applies:

    CreateGrant – The most recently used CMK is the key ID (keyId) in the last CreateGrant event for the SPICE dataset.

    RetireGrant – If the latest CloudTrail event for the SPICE dataset is RetireGrant, there is no key ID and the resource is no longer CMK encrypted.

Verify the CMK that's currently used when generating report artifacts
  1. Navigate to your CloudTrail log. For more information, see Logging QuickSight information with AWS CloudTrail.

  2. Locate the most recent GenerateDataKey events for the report execution, using the following search arguments:

    • The event name (eventName) contains GenerateDataKey or Decrypt.

    • The request parameters (requestParameters) contain the QuickSight ARN for the analysis or dashboard the report was generated for.

    {
      "eventVersion": "1.11",
      "userIdentity": {
        "type": "AWSService",
        "invokedBy": "quicksight.amazonaws.com"
      },
      "eventTime": "2025-07-23T23:33:46Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "GenerateDataKey",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "quicksight.amazonaws.com",
      "userAgent": "quicksight.amazonaws.com",
      "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321",
        "keySpec": "AES_256",
        "encryptionContext": {
          "aws:quicksight:arn": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1ca456fe-eb34-4250-805c-b1b9350bd164",
          "aws:s3:arn": "arn:aws:s3:::sn-imagegen.prod.us-west-2"
        }
      },
      ...
    }
  3. The aws:s3:arn value is the QuickSight-owned S3 bucket where your report artifacts are stored.

  4. If you no longer see GenerateDataKey events, new report executions are no longer CMK encrypted. Existing report artifacts remain encrypted.
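The two procedures above can be automated against a CloudTrail export. The following Python script is an added example, not QuickSight's or AWS's own code: it filters KMS events whose requestParameters reference a QuickSight ARN, then applies the CreateGrant/RetireGrant rule for a SPICE dataset and the GenerateDataKey rule for a dashboard. The sample records are constructed from the placeholder ARNs on this page, and the layout of the RetireGrant record and the second dataset ARN are assumptions.

```python
import json

# Placeholder ARNs taken from the sample events on this page.
DATASET = "arn:aws:quicksight:us-west-2:111122223333:dataset/12345678-1234-1234-1234-123456789012"
DASHBOARD = "arn:aws:quicksight:us-west-2:111122223333:dashboard/1ca456fe-eb34-4250-805c-b1b9350bd164"
KEY = "arn:aws:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321"
RETIRED_DATASET = DATASET.replace("12345678", "00000000")  # constructed second dataset ARN

# Constructed CloudTrail export ({"Records": [...]}) trimmed to the fields the
# procedures use; the RetireGrant record's field layout is an assumption.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-10-26T00:11:08Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "constraints": {"encryptionContextSubset": {"aws:quicksight:arn": DATASET}}}},
    {"eventTime": "2022-10-26T00:12:00Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "constraints": {"encryptionContextSubset": {"aws:quicksight:arn": RETIRED_DATASET}}}},
    {"eventTime": "2023-01-05T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "RetireGrant",
     "requestParameters": {"constraints": {"encryptionContextSubset": {"aws:quicksight:arn": RETIRED_DATASET}}}},
    {"eventTime": "2025-07-23T23:33:46Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "requestParameters": {"keyId": KEY, "encryptionContext": {"aws:quicksight:arn": DASHBOARD,
                                                               "aws:s3:arn": "arn:aws:s3:::sn-imagegen.prod.us-west-2"}}},
]})

def _mentions_arn(obj, arn):
    """True if an 'aws:quicksight:arn' value equal to arn is nested anywhere in obj."""
    if isinstance(obj, dict):
        return any((k == "aws:quicksight:arn" and v == arn) or _mentions_arn(v, arn)
                   for k, v in obj.items())
    return isinstance(obj, list) and any(_mentions_arn(v, arn) for v in obj)

def kms_events_for(log_text, arn, names):
    """KMS events with one of the given names whose requestParameters reference arn, oldest first."""
    hits = [r for r in json.loads(log_text)["Records"]
            if r.get("eventSource") == "kms.amazonaws.com" and r.get("eventName") in names
            and _mentions_arn(r.get("requestParameters", {}), arn)]
    return sorted(hits, key=lambda r: r["eventTime"])

def current_spice_key(log_text, dataset_arn):
    """Key ARN from the latest CreateGrant for the dataset; None once the latest grant event is RetireGrant."""
    events = kms_events_for(log_text, dataset_arn, ("CreateGrant", "RetireGrant"))
    if not events or events[-1]["eventName"] == "RetireGrant":
        return None
    return events[-1]["requestParameters"]["keyId"]

def current_report_key(log_text, resource_arn):
    """(key ARN, S3 bucket ARN) from the latest GenerateDataKey for an analysis or dashboard, or None."""
    events = kms_events_for(log_text, resource_arn, ("GenerateDataKey",))
    if not events:
        return None
    params = events[-1]["requestParameters"]
    return params["keyId"], params["encryptionContext"].get("aws:s3:arn")
```

Point the functions at a real CloudTrail export (the JSON text of a downloaded log file) and your own dataset or dashboard ARN to get the same answers the manual steps produce.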