Amazon CloudWatch

2026/06/09 - Amazon CloudWatch - 3 new api methods

Changes: This release adds the APIs (AssociateDatasetKmsKey, DisassociateDatasetKmsKey, GetDataset) to manage encryption at rest for OpenTelemetry metrics in CloudWatch using AWS KMS customer managed keys.

AssociateDatasetKmsKey (new)

Associates an Amazon Web Services Key Management Service (Amazon Web Services KMS) customer managed key with the specified dataset. After this operation completes, all data published to the dataset is encrypted at rest using the specified KMS key. Callers must have kms:Decrypt permission on the key to read the encrypted data.

Only the default dataset is supported. The default dataset is implicit for every account in every Region — you do not need to create it before calling this operation.

You can call AssociateDatasetKmsKey on a dataset that is already associated with a KMS key to replace the existing key with a different one. To replace a key, the caller must have kms:Decrypt permission on both the current key and the new key.

The KMS key that you specify must meet all of the following requirements:

  • It must be a symmetric encryption KMS key (key spec SYMMETRIC_DEFAULT, key usage ENCRYPT_DECRYPT). Asymmetric keys, HMAC keys, and key material types other than SYMMETRIC_DEFAULT are not supported.

  • It must be enabled and not pending deletion.

  • Its key policy must grant the CloudWatch service principal (cloudwatch.amazonaws.com) these permissions: kms:DescribeKey, kms:GenerateDataKey, kms:Encrypt, kms:Decrypt, and kms:ReEncrypt*. Amazon CloudWatch requires these permissions to manage the data on your behalf.

  • The calling principal must have kms:Decrypt permission on the key.

  • It must be specified as a fully qualified key ARN. Key IDs, aliases, and alias ARNs are not accepted.

  • It must be in the same Amazon Web Services Region as the dataset.

Before completing the association, Amazon CloudWatch validates the key by performing a series of dry-run KMS operations. Service-principal checks run first to verify that the key policy grants the required access to Amazon CloudWatch. These checks include kms:DescribeKey, kms:GenerateDataKey, kms:Encrypt, kms:Decrypt, and kms:ReEncrypt*. After those succeed, a kms:Decrypt dry-run is run with the caller's credentials to verify that the calling principal can use the key. When you are replacing an existing key, the caller's kms:Decrypt dry-run is run on the current key first, and only then on the new key.

If any of these checks fails, the operation fails and the existing key association (if any) remains unchanged. Common failure causes include the key being disabled, the key policy not granting the required permissions to Amazon CloudWatch, or the caller lacking kms:Decrypt permission on the key.
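A static preflight of the requirements listed above, written as an added example in Python that is not part of the boto3 documentation or the CloudWatch service: it takes the candidate key ARN, the dataset's Region, a KeyMetadata dict shaped like kms.describe_key() output, and the key policy JSON, and the sample values are constructed. It only covers the static checks; the service's own dry-run KMS calls (including the caller's kms:Decrypt) remain the authoritative test.

```python
import json
import re
from fnmatch import fnmatchcase

CLOUDWATCH_PRINCIPAL = "cloudwatch.amazonaws.com"
# Permissions the key policy must grant to the CloudWatch service principal.
REQUIRED_SERVICE_ACTIONS = ("kms:DescribeKey", "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*")
# Fully qualified key ARN only: key IDs, aliases and alias ARNs are rejected.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):\d{12}:key/[a-z0-9-]+$")

def granted_actions(policy: dict, principal: str) -> set:
    """Actions that unconditional Allow statements grant to the given service principal."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # a conditional grant is not assumed to hold for the service's dry-run
        service = stmt.get("Principal", {}).get("Service", [])
        if principal not in ([service] if isinstance(service, str) else service):
            continue
        action = stmt.get("Action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted

def preflight_key_check(key_arn, dataset_region, key_metadata, policy_json):
    """Return the violated requirements; an empty list means every static check passed."""
    problems = []
    match = KEY_ARN_RE.match(key_arn)
    if not match:
        problems.append("KmsKeyArn must be a fully qualified key ARN")
    elif match.group(1) != dataset_region:
        problems.append(f"key is in {match.group(1)} but the dataset is in {dataset_region}")
    if (key_metadata.get("KeySpec"), key_metadata.get("KeyUsage")) != ("SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT"):
        problems.append("key must be SYMMETRIC_DEFAULT with ENCRYPT_DECRYPT usage")
    if key_metadata.get("KeyState") != "Enabled":  # covers disabled and pending deletion
        problems.append(f"key state is {key_metadata.get('KeyState')}, must be Enabled")
    granted = granted_actions(json.loads(policy_json), CLOUDWATCH_PRINCIPAL)
    for action in REQUIRED_SERVICE_ACTIONS:  # IAM action names match case-insensitively, with wildcards
        if not any(fnmatchcase(action.lower(), g.lower()) for g in granted):
            problems.append(f"key policy does not grant {action} to {CLOUDWATCH_PRINCIPAL}")
    return problems

# Constructed sample input (not real resources): a key ARN, describe_key()-style metadata, and a key policy.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_KEY_METADATA = {"KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"}
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": CLOUDWATCH_PRINCIPAL}, "Resource": "*",
     "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*"]}]})
```

In practice feed it the KeyMetadata from kms.describe_key() and the document from kms.get_key_policy() before calling associate_dataset_kms_key, so a policy or key-state problem is caught with a readable reason rather than a failed association.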

For more information about using customer managed keys with Amazon CloudWatch, see Encryption at rest with customer managed keys in the Amazon CloudWatch User Guide.

See also: AWS API Documentation

Request Syntax

client.associate_dataset_kms_key(
    DatasetIdentifier='string',
    KmsKeyArn='string'
)
type DatasetIdentifier:

string

param DatasetIdentifier:

[REQUIRED]

Specifies the identifier of the dataset that you want to associate the KMS key with. For the default dataset, you can specify either default or the full dataset Amazon Resource Name (ARN) in the format arn:aws:cloudwatch:Region:account-id:dataset/default.

type KmsKeyArn:

string

param KmsKeyArn:

[REQUIRED]

Specifies the Amazon Resource Name (ARN) of the customer managed KMS key to associate with the dataset. The key must be a symmetric encryption KMS key (SYMMETRIC_DEFAULT) in the same Amazon Web Services Region as the dataset.

The ARN must be in the format arn:aws:kms:Region:account-id:key/key-id. Key IDs, aliases, and alias ARNs are not accepted.

For more information about KMS key ARNs, see Key ARN in the Amazon Web Services Key Management Service Developer Guide.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

DisassociateDatasetKmsKey (new)

Removes the customer managed Amazon Web Services Key Management Service (Amazon Web Services KMS) key association from the specified dataset. After this operation completes, data that you publish to the dataset is encrypted at rest using an Amazon Web Services owned key managed by Amazon CloudWatch.

Only the default dataset is supported. To call this operation, the dataset must currently have a customer managed KMS key associated with it. If the dataset has no associated KMS key, the operation fails with ResourceNotFoundException.

Amazon CloudWatch performs a dry-run kms:Decrypt call on the key as part of this operation. This verifies that the caller is authorized to use the currently associated key. The caller must have kms:Decrypt permission on the currently associated key, and the key must be enabled and accessible. If the key has been disabled or scheduled for deletion, you must first re-enable or restore it before you can disassociate it from the dataset.

For more information about using customer managed keys with Amazon CloudWatch, see Encryption at rest with customer managed keys in the Amazon CloudWatch User Guide.

See also: AWS API Documentation

Request Syntax

client.disassociate_dataset_kms_key(
    DatasetIdentifier='string'
)
type DatasetIdentifier:

string

param DatasetIdentifier:

[REQUIRED]

Specifies the identifier of the dataset from which to remove the KMS key association. For the default dataset, you can specify either default or the full dataset Amazon Resource Name (ARN) in the format arn:aws:cloudwatch:Region:account-id:dataset/default.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetDataset (new)

Returns information about the specified dataset. This includes its identifier, Amazon Resource Name (ARN), and any customer managed Amazon Web Services Key Management Service (Amazon Web Services KMS) key that is currently associated with it.

Only the default dataset is supported. The default dataset is implicit for every account in every Region — you can call GetDataset for it without first creating it. If no customer managed KMS key has been associated with the dataset, the response omits the KmsKeyArn field, indicating that data is encrypted at rest using an Amazon Web Services owned key managed by Amazon CloudWatch.

To associate a customer managed KMS key with a dataset, use AssociateDatasetKmsKey. To remove the association, use DisassociateDatasetKmsKey.

See also: AWS API Documentation

Request Syntax

client.get_dataset(
    DatasetIdentifier='string'
)
type DatasetIdentifier:

string

param DatasetIdentifier:

[REQUIRED]

Specifies the identifier of the dataset to retrieve. For the default dataset, you can specify either default or the full dataset Amazon Resource Name (ARN) in the format arn:aws:cloudwatch:Region:account-id:dataset/default.

rtype:

dict

returns:

Response Syntax

{
    'DatasetId': 'string',
    'Arn': 'string',
    'KmsKeyArn': 'string'
}

Response Structure

  • (dict) --

    • DatasetId (string) --

      Returns the identifier of the dataset.

    • Arn (string) --

      Returns the Amazon Resource Name (ARN) of the dataset, in the format arn:aws:cloudwatch:Region:account-id:dataset/dataset-id.

    • KmsKeyArn (string) --

      Returns the Amazon Resource Name (ARN) of the customer managed Amazon Web Services KMS key that is currently associated with the dataset, if any. If the dataset is not associated with a customer managed KMS key, this field is not included in the response and the dataset is encrypted at rest using an Amazon Web Services owned key.