DisassociateDatasetKmsKey - Amazon CloudWatch
Request ParametersErrorsSee Also
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

DisassociateDatasetKmsKey

Removes the customer managed AWS Key Management Service (AWS KMS) key association from the specified dataset. After this operation completes, data that you publish to the dataset is encrypted at rest using an AWS owned key managed by Amazon CloudWatch.

Only the default dataset is supported. To call this operation, the dataset must currently have a customer managed KMS key associated with it. If the dataset has no associated KMS key, the operation fails with ResourceNotFoundException.

Amazon CloudWatch performs a dry-run kms:Decrypt call on the key as part of this operation. This verifies that the caller is authorized to use the currently associated key. The caller must have kms:Decrypt permission on the currently associated key, and the key must be enabled and accessible. If the key has been disabled or scheduled for deletion, you must first re-enable or restore it before you can disassociate it from the dataset.

Important

Disassociating a KMS key from a dataset does not immediately remove the kms:Decrypt requirement on data plane operations. For up to three hours after disassociation, callers must continue to have kms:Decrypt permission on the previously associated key. Some data may still be encrypted with that key during this window. After this enforcement window elapses, the kms:Decrypt requirement is lifted.

For more information about using customer managed keys with Amazon CloudWatch, see Encryption at rest with customer managed keys in the Amazon CloudWatch User Guide.

Request Parameters

DatasetIdentifier

Specifies the identifier of the dataset from which to remove the KMS key association. For the default dataset, you can specify either default or the full dataset Amazon Resource Name (ARN) in the format arn:aws:cloudwatch:Region:account-id:dataset/default.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: (default|arn:[a-zA-Z0-9-]+:cloudwatch:[a-zA-Z0-9-]*:\d{12}:dataset/default)

Required: Yes

Errors

For information about the errors that are common to all actions, see Common Error Types.

ConflictException

This operation attempted to create a resource that already exists.

HTTP Status Code: 409

ResourceNotFoundException

The named resource does not exist.

HTTP Status Code: 404

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: