AWS Security ChangesHomeSearch

AWS quicksight documentation change

Service: quicksight · 2025-08-10 · Documentation low

File: quicksight/latest/user/customer-managed-keys.md

Summary

Updated documentation to generalize references from 'SPICE datasets' to 'QuickSight data', expanded encryption scope to include new report artifacts, and clarified key usage rules

Security assessment

The changes broaden encryption documentation to cover more data types beyond SPICE datasets, but there's no evidence of addressing a specific vulnerability. Enhances security documentation by clarifying CMK usage for various data types.

Diff

diff --git a/quicksight/latest/user/customer-managed-keys.md b/quicksight/latest/user/customer-managed-keys.md
index 187f93dd5..430957849 100644
--- a//quicksight/latest/user/customer-managed-keys.md
+++ b//quicksight/latest/user/customer-managed-keys.md
@@ -5 +5 @@
-# Encrypting Amazon QuickSight SPICE datasets with AWS Key Management Service customer-managed keys
+# Encrypting your QuickSight data with AWS Key Management Service customer-managed keys
@@ -7 +7 @@
-QuickSight enables you to encrypt your SPICE datasets with the keys you have stored in AWS Key Management Service. This provides you with the tools to audit access to data and satisfy regulatory security requirements. If you need to do so, you have the option to immediately lock down access to your data by revoking access to AWS KMS keys. All data access to encrypted resources in QuickSight is logged in AWS CloudTrail. Administrators or auditors can trace data access in CloudTrail to identify when and where data was accessed. 
+QuickSight enables you to encrypt your QuickSight data with the keys you have stored in AWS Key Management Service. This provides you with the tools to audit access to data and satisfy regulatory security requirements. If you need to do so, you have the option to immediately lock down access to your data by revoking access to AWS KMS keys. All data access to encrypted resources in QuickSight is logged in AWS CloudTrail. Administrators or auditors can trace data access in CloudTrail to identify when and where data was accessed. 
@@ -9 +9 @@ QuickSight enables you to encrypt your SPICE datasets with the keys you have sto
-To create customer-managed keys (CMKs), you use AWS Key Management Service (AWS KMS) in the same AWS account and AWS Region as the Amazon QuickSight resource. A QuickSight administrator can then use a CMK to encrypt SPICE datasets and control access. 
+To create customer-managed keys (CMKs), you use AWS Key Management Service (AWS KMS) in the same AWS account and AWS Region as the Amazon QuickSight resource. A QuickSight administrator can then use a CMK to encrypt your QuickSight data and control access. 
@@ -13 +13 @@ You can create and manage CMKs in the QuickSight console or with the QuickSight
-The following rules apply to using CMKs with resources: 
+The following rules apply to using CMKs with QuickSight resources: 
@@ -19,2 +18,0 @@ The following rules apply to using CMKs with resources:
-  * The key that is currently the default CMK is automatically used to encrypt new SPICE datasets. 
-
@@ -22,0 +21,2 @@ The following rules apply to using CMKs with resources:
+  * Data currently encrypted by a CMK key will stay encrypted by the key.
+
@@ -29,0 +30,9 @@ If you use AWS Key Management Service with Amazon QuickSight, you are billed for
+The key that is currently the default CMK is automatically used to encrypt the following: 
+
+  * New SPICE datasets. Existing datasets need to be fully refreshed to be encrypted by the new default key.
+
+  * New report artifacts generated through the dashboard snapshot API, scheduled reports and exports, or dashboards.
+
+
+
+
@@ -40 +49 @@ Use the following topics to learn more about using CMKs with Amazon QuickSight.
-  * [Verify the key used by a SPICE dataset](./customer-managed-keys-verify-key.html)
+  * [Verify the key used by QuickSight](./customer-managed-keys-verify-key.html)
@@ -48 +57 @@ Use the following topics to learn more about using CMKs with Amazon QuickSight.
-  * [Revoking access to a CMK-encrypted dataset](./customer-managed-key-revoke-access.html)
+  * [Revoking access to CMK-encrypted QuickSight data](./customer-managed-key-revoke-access.html)
@@ -50 +59 @@ Use the following topics to learn more about using CMKs with Amazon QuickSight.
-  * [Recovering an encrypted SPICE dataset](./customer-managed-key-recovery.html)
+  * [Recovering encrypted QuickSight data](./customer-managed-key-recovery.html)