AWS quicksight documentation change
Summary
Expanded verification scope to all QuickSight data, added detailed CloudTrail log analysis steps for report artifact encryption
Security assessment
Enhances audit capability documentation without addressing specific vulnerabilities. Improves security posture documentation by providing concrete steps to verify CMK usage across more QuickSight components.
Diff
diff --git a/quicksight/latest/user/customer-managed-keys-verify-key.md b/quicksight/latest/user/customer-managed-keys-verify-key.md index e2ec25928..5f178694e 100644 --- a//quicksight/latest/user/customer-managed-keys-verify-key.md +++ b//quicksight/latest/user/customer-managed-keys-verify-key.md @@ -5 +5 @@ -# Verify the key used by a SPICE dataset +# Verify the key used by QuickSight @@ -7 +7,3 @@ -When a key is used, an audit log is created in AWS CloudTrail. You can use the log to track the key's usage. If you need to know which key a SPICE dataset is encrypted by, you can find this information in CloudTrail. +When a key is used, an audit log is created in AWS CloudTrail. You can use the log to track the key's usage. If you need to know which key the QuickSight data is encrypted by, you can find this information in CloudTrail. + +To learn more about which data can be managed with the key, see [Encrypting your QuickSight data with AWS Key Management Service customer-managed keys](./customer-managed-keys.html). @@ -58,0 +61,40 @@ When a key is used, an audit log is created in AWS CloudTrail. You can use the l +###### Verify the CMK that's currently used when generating report artifacts + + 1. Navigate to your CloudTrail log. For more information, see [Logging QuickSight information with AWS CloudTrail](./logging-using-cloudtrail.html). + + 2. Locate the most recent `GenerateDataKey` events for the report execution, using the following search arguments: + + * The event name (`eventName`) contains `GenerateDataKey` or `Decrypt`. + + * The request parameters (`requestParameters`) contain the QuickSight ARN for the analysis or dashboard the report was generated for. + + { + "eventVersion": "1.11", + "userIdentity": { + "type": "AWSService", + "invokedBy": "quicksight.amazonaws.com" + }, + "eventTime": "2025-07-23T23:33:46Z", + "eventSource": "kms.amazonaws.com", + "eventName": "GenerateDataKey", + "awsRegion": "us-west-2", + "sourceIPAddress": "quicksight.amazonaws.com", + "userAgent": "quicksight.amazonaws.com", + "requestParameters": { + "keyId": "arn:aws:kms:us-west-2:111122223333:key/87654321-4321-4321-4321-210987654321", + "keySpec": "AES_256", + "encryptionContext": { + "aws:quicksight:arn": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1ca456fe-eb34-4250-805c-b1b9350bd164", + "aws:s3:arn": "arn:aws:s3:::sn-imagegen.prod.us-west-2" + } + }, + ... + } + + 3. `aws:s3:arn` is the QuickSight owned S3 bucket where your report artifacts are stored. + + 4. If you no longer see `GenerateDataKey`, then new report executions are no longer CMK encrypted. Exisiting report artifacts will remain encrypted. + + + +