AWS SDK Version 4 for .NET
API Reference


Container for the parameters to the AssociateDatasetKmsKey operation. Associates an Amazon Web Services Key Management Service (Amazon Web Services KMS) customer managed key with the specified dataset. After this operation completes, all data published to the dataset is encrypted at rest using the specified KMS key. Callers must have kms:Decrypt permission on the key to read the encrypted data.

Only the default dataset is supported. The default dataset is implicit for every account in every Region — you do not need to create it before calling this operation.

You can call AssociateDatasetKmsKey on a dataset that is already associated with a KMS key to replace the existing key with a different one. To replace a key, the caller must have kms:Decrypt permission on both the current key and the new key.

The KMS key that you specify must meet all of the following requirements:

Before completing the association, Amazon CloudWatch validates the key by performing a series of dry-run KMS operations. Service-principal checks run first to verify that the key policy grants the required access to Amazon CloudWatch. These checks include kms:DescribeKey, kms:GenerateDataKey, kms:Encrypt, kms:Decrypt, and kms:ReEncrypt*. After those succeed, a kms:Decrypt dry-run is run with the caller's credentials to verify that the calling principal can use the key. When you are replacing an existing key, the caller's kms:Decrypt dry-run is run on the current key first, and only then on the new key.

If any of these checks fails, the operation fails and the existing key association (if any) remains unchanged. Common failure causes include the key being disabled, the key policy not granting the required permissions to Amazon CloudWatch, or the caller lacking kms:Decrypt permission on the key.

For more information about using customer managed keys with Amazon CloudWatch, see Encryption at rest with customer managed keys in the Amazon CloudWatch User Guide.

Inheritance Hierarchy

System.Object
  Amazon.Runtime.AmazonWebServiceRequest
    Amazon.CloudWatch.AmazonCloudWatchRequest
      Amazon.CloudWatch.Model.AssociateDatasetKmsKeyRequest

Namespace: Amazon.CloudWatch.Model
Assembly: AWSSDK.CloudWatch.dll
Version: 3.x.y.z

Syntax

C#
public class AssociateDatasetKmsKeyRequest : AmazonCloudWatchRequest,
         IAmazonWebServiceRequest

The AssociateDatasetKmsKeyRequest type exposes the following members

Constructors

Properties

Name: DatasetIdentifier
Type: System.String

Gets and sets the property DatasetIdentifier.

Specifies the identifier of the dataset that you want to associate the KMS key with. For the default dataset, you can specify either default or the full dataset Amazon Resource Name (ARN) in the format arn:aws:cloudwatch:Region:account-id:dataset/default.

Name: KmsKeyArn
Type: System.String

Gets and sets the property KmsKeyArn.

Specifies the Amazon Resource Name (ARN) of the customer managed KMS key to associate with the dataset. The key must be a symmetric encryption KMS key (SYMMETRIC_DEFAULT) in the same Amazon Web Services Region as the dataset.

The ARN must be in the format arn:aws:kms:Region:account-id:key/key-id. Key IDs, aliases, and alias ARNs are not accepted.

For more information about KMS key ARNs, see Key ARN in the Amazon Web Services Key Management Service Developer Guide.
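The following pre-flight check is an added example, not code from the SDK or its documentation. It rejects the KmsKeyArn forms the service does not accept (key IDs, aliases, alias ARNs) and a key in a different Region from the dataset before the request is built. The class name, the clientRegion parameter, and the use of a parameterless constructor are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using Amazon.CloudWatch.Model;

public static class DatasetKmsKeyPreflight   // hypothetical helper, not part of the SDK
{
    // Full key ARN only. Alias ARNs ("...:alias/name"), bare key IDs and alias
    // names do not match. Partition may be aws, aws-cn or aws-us-gov.
    private static readonly Regex KeyArn = new Regex(
        @"\Aarn:aws(-cn|-us-gov)?:kms:(?<region>[a-z0-9-]+):\d{12}:key/[A-Za-z0-9-]+\z");

    // The only dataset ARN the page documents is the default dataset.
    private static readonly Regex DatasetArn = new Regex(
        @"\Aarn:aws(-cn|-us-gov)?:cloudwatch:(?<region>[a-z0-9-]+):\d{12}:dataset/default\z");

    // clientRegion (assumed parameter): the Region the CloudWatch client is
    // configured for, which is where the literal "default" resolves.
    public static AssociateDatasetKmsKeyRequest Build(
        string datasetIdentifier, string kmsKeyArn, string clientRegion)
    {
        string datasetRegion;
        if (datasetIdentifier == "default")
        {
            datasetRegion = clientRegion;
        }
        else
        {
            Match ds = DatasetArn.Match(datasetIdentifier ?? "");
            if (!ds.Success)
                throw new ArgumentException(
                    "Use \"default\" or the default dataset ARN.", nameof(datasetIdentifier));
            datasetRegion = ds.Groups["region"].Value;
        }

        Match key = KeyArn.Match(kmsKeyArn ?? "");
        if (!key.Success)
            throw new ArgumentException(
                "Expected arn:aws:kms:Region:account-id:key/key-id; key IDs, " +
                "aliases and alias ARNs are not accepted.", nameof(kmsKeyArn));

        if (key.Groups["region"].Value != datasetRegion)
            throw new ArgumentException(
                "KMS key and dataset must be in the same Region.", nameof(kmsKeyArn));

        // Assumes the usual parameterless constructor of SDK request types.
        return new AssociateDatasetKmsKeyRequest
        {
            DatasetIdentifier = datasetIdentifier,
            KmsKeyArn = kmsKeyArn
        };
    }
}
```

This checks only ARN shape and Region. Key state, key spec, and the key policy and caller permissions are still verified by the dry-run KMS operations described above.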

Version Information

.NET:
Supported in: 8.0 and newer, Core 3.1

.NET Standard:
Supported in: 2.0

.NET Framework:
Supported in: 4.7.2 and newer