AWS quicksight documentation change
Summary
Updated documentation about using customer-managed keys with Amazon QuickSight, including changes to title, terminology (from 'SPICE datasets' to 'resources'), removal of specific feature examples, addition of new topics, and reorganization of content.
Security assessment
The changes primarily focus on improving documentation about encryption features using customer-managed keys, which is a security-related topic. However, there is no evidence of a specific security vulnerability being addressed. The changes add more detailed documentation about security features like CMK usage, auditing, and recovery.
Diff
diff --git a/quicksight/latest/user/customer-managed-keys.md index db051da61..187f93dd5 100644 --- a/quicksight/latest/user/customer-managed-keys.md +++ b/quicksight/latest/user/customer-managed-keys.md @@ -5 +5 @@ -# Using customer-managed keys from AWS KMS with SPICE datasets in the Amazon QuickSight console +# Encrypting Amazon QuickSight SPICE datasets with AWS Key Management Service customer-managed keys @@ -7 +7 @@ -QuickSight enables you to encrypt your SPICE datasets using the keys you have stored in AWS Key Management Service. This provides you with the tools to audit access to data and satisfy regulatory security requirements. If you need to do so, you have the option to immediately lock down access to your data by revoking access to AWS KMS keys. All data access to encrypted datasets in QuickSight SPICE is logged in AWS CloudTrail. Administrators or auditors can trace data access in CloudTrail to identify when and where data was accessed. +QuickSight enables you to encrypt your SPICE datasets with the keys you have stored in AWS Key Management Service. This provides you with the tools to audit access to data and satisfy regulatory security requirements. If you need to do so, you have the option to immediately lock down access to your data by revoking access to AWS KMS keys. All data access to encrypted resources in QuickSight is logged in AWS CloudTrail. Administrators or auditors can trace data access in CloudTrail to identify when and where data was accessed. @@ -9 +9 @@ QuickSight enables you to encrypt your SPICE datasets using the keys you have st -To create customer-managed keys (CMKs), you use AWS Key Management Service (AWS KMS) in the same AWS account and AWS Region as the Amazon QuickSight SPICE dataset. A QuickSight administrator can then use a CMK to encrypt SPICE datasets and control access. +To create customer-managed keys (CMKs), you use AWS Key Management Service (AWS KMS) in the same AWS account and AWS Region as the Amazon QuickSight resource. A QuickSight administrator can then use a CMK to encrypt SPICE datasets and control access. @@ -13 +13 @@ You can create and manage CMKs in the QuickSight console or with the QuickSight -The following rules apply to using CMKs with SPICE datasets: +The following rules apply to using CMKs with resources: @@ -21 +21 @@ The following rules apply to using CMKs with SPICE datasets: - * Some features always use QuickSight's default encryption instead of applying SPICE CMK settings: + * By default, QuickSight resources are encrypted with QuickSight–native encryption strategies. @@ -23 +22,0 @@ The following rules apply to using CMKs with SPICE datasets: - * Amazon S3 analytics dashboard @@ -25 +23,0 @@ The following rules apply to using CMKs with SPICE datasets: - * Augmenting data with Amazon SageMaker AI @@ -27 +24,0 @@ The following rules apply to using CMKs with SPICE datasets: - * Direct file uploads @@ -29 +26 @@ The following rules apply to using CMKs with SPICE datasets: - * Exporting data with the following methods: +###### Note @@ -31 +28 @@ The following rules apply to using CMKs with SPICE datasets: - * Exporting visual data to a .csv, .xlsx, or .pdf file +If you use AWS Key Management Service with Amazon QuickSight, you are billed for access and maintenance as described in the [AWS Key Management Service Pricing page](https://aws.amazon.com/kms/pricing). In your billing statement, the costs are itemized under AWS KMS and not under QuickSight. @@ -33 +30 @@ The following rules apply to using CMKs with SPICE datasets: - * Reporting data in a .csv, .xlsx, or .pdf file +All non-customer managed keys associated with Amazon QuickSight are managed by AWS. @@ -35 +32 @@ The following rules apply to using CMKs with SPICE datasets: - * ML-powered anomaly detection +Database server certificates that are not managed by AWS are the responsibility of the customer and should be signed by a trusted CA. For more information, see [Network and database configuration requirements](./configure-access.html). @@ -37 +34 @@ The following rules apply to using CMKs with SPICE datasets: - * QuickSight Q +Use the following topics to learn more about using CMKs with Amazon QuickSight. @@ -38,0 +36 @@ The following rules apply to using CMKs with SPICE datasets: +###### Topics @@ -39,0 +38 @@ The following rules apply to using CMKs with SPICE datasets: + * [Add a CMK to your account](./customer-managed-keys-create-key.html) @@ -40,0 +40 @@ The following rules apply to using CMKs with SPICE datasets: + * [Verify the key used by a SPICE dataset](./customer-managed-keys-verify-key.html) @@ -42 +42,9 @@ The following rules apply to using CMKs with SPICE datasets: -###### Note + * [Changing the default CMK](./customer-managed-keys-change-default-key.html) + + * [Removing CMK encryption on your QuickSight account](./customer-managed-keys-remove-cmks.html) + + * [Auditing CMK usage in CloudTrail](./customer-managed-key-audit.html) + + * [Revoking access to a CMK-encrypted dataset](./customer-managed-key-revoke-access.html) + + * [Recovering an encrypted SPICE dataset](./customer-managed-key-recovery.html) @@ -44 +51,0 @@ The following rules apply to using CMKs with SPICE datasets: -If you use AWS Key Management Service with Amazon QuickSight, you are billed for access and maintenance as described in the [AWS Key Management Service Pricing page](https://aws.amazon.com/kms/pricing). In your billing statement, the costs are itemized under AWS KMS and not under QuickSight. @@ -46 +52,0 @@ If you use AWS Key Management Service with Amazon QuickSight, you are billed for -All non-customer managed keys associated with Amazon QuickSight are managed by AWS. @@ -48 +53,0 @@ All non-customer managed keys associated with Amazon QuickSight are managed by A -Database server certificates that are not managed by AWS are the responsibility of the customer and should be signed by a trusted CA. For more information, see [Network and database configuration requirements](./configure-access.html). @@ -56 +61 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Key management +Data encryption