/// Container for the parameters to the AssociateKmsKey operation.
33
-
/// Associates the specified KMS key with the specified log group.
33
+
/// Associates the specified KMS key with either one log group in the account, or with
34
+
/// all stored CloudWatch Logs query insights results in the account.
34
35
///
35
36
///
36
37
/// <para>
38
+
/// When you use <code>AssociateKmsKey</code>, you specify either the <code>logGroupName</code>
39
+
/// parameter or the <code>resourceIdentifier</code> parameter. You can't specify both
40
+
/// of those parameters in the same operation.
41
+
/// </para>
42
+
/// <ul> <li>
43
+
/// <para>
44
+
/// Specify the <code>logGroupName</code> parameter to cause all log events stored in
45
+
/// the log group to be encrypted with that key. Only the log events ingested after the
46
+
/// key is associated are encrypted with that key.
47
+
/// </para>
48
+
///
49
+
/// <para>
37
50
/// Associating a KMS key with a log group overrides any existing associations between
38
51
/// the log group and a KMS key. After a KMS key is associated with a log group, all newly
39
52
/// ingested data for the log group is encrypted using the KMS key. This association is
40
-
/// stored as long as the data encrypted with the KMS keyis still within CloudWatch Logs.
53
+
/// stored as long as the data encrypted with the KMS key is still within CloudWatch Logs.
41
54
/// This enables CloudWatch Logs to decrypt this data whenever it is requested.
42
55
/// </para>
43
-
/// <important>
56
+
///
57
+
/// <para>
58
+
/// Associating a key with a log group does not cause the results of queries of that log
59
+
/// group to be encrypted with that key. To have query results encrypted with a KMS key,
60
+
/// you must use an <code>AssociateKmsKey</code> operation with the <code>resourceIdentifier</code>
61
+
/// parameter that specifies a <code>query-result</code> resource.
62
+
/// </para>
63
+
/// </li> <li>
64
+
/// <para>
65
+
/// Specify the <code>resourceIdentifier</code> parameter with a <code>query-result</code>
66
+
/// resource, to use that key to encrypt the stored results of all future <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StartQuery.html">StartQuery</a>
67
+
/// operations in the account. The response from a <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetQueryResults.html">GetQueryResults</a>
68
+
/// operation will still return the query results in plain text.
69
+
/// </para>
70
+
///
71
+
/// <para>
72
+
/// Even if you have not associated a key with your query results, the query results are
73
+
/// encrypted when stored, using the default CloudWatch Logs method.
74
+
/// </para>
75
+
///
76
+
/// <para>
77
+
/// If you run a query from a monitoring account that queries logs in a source account,
78
+
/// the query results key from the monitoring account, if any, is used.
79
+
/// </para>
80
+
/// </li> </ul> <important>
81
+
/// <para>
82
+
/// If you delete the key that is used to encrypt log events or log group query results,
83
+
/// then all the associated stored log events or query results that were encrypted with
84
+
/// that key will be unencryptable and unusable.
85
+
/// </para>
86
+
/// </important> <note>
44
87
/// <para>
45
88
/// CloudWatch Logs supports only symmetric KMS keys. Do not use an associate an asymmetric
46
-
/// KMS key with your log group. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using
89
+
/// KMS key with your log group or query results. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using
47
90
/// Symmetric and Asymmetric Keys</a>.
48
91
/// </para>
49
-
/// </important>
92
+
/// </note>
50
93
/// <para>
51
94
/// It can take up to 5 minutes for this operation to take effect.
52
95
/// </para>
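Review bot: The unchanged context line in the `<note>` block still reads "Do not use an associate an asymmetric KMS key", even though the line right after it was edited to add "or query results". Fix the sentence in the same change, for example "Do not associate an asymmetric KMS key with your log group or query results." The new summary also says "CloudWatch Logs query insights results" where the DisassociateKmsKey summary says "CloudWatch Logs Insights query results"; pick one wording for both.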
@@ -61,6 +104,7 @@ public partial class AssociateKmsKeyRequest : AmazonCloudWatchLogsRequest
61
104
{
62
105
privatestring_kmsKeyId;
63
106
privatestring_logGroupName;
107
+
privatestring_resourceIdentifier;
64
108
65
109
/// <summary>
66
110
/// Gets and sets the property KmsKeyId.
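Review bot: `_resourceIdentifier` is added beside `_logGroupName`, and the class documentation says the two can't be specified in the same operation, but nothing in the visible lines enforces or signals that rule on the request object. If the rule is checked only by the service, say so in the property documentation so callers know where a request that sets both will fail.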
@@ -89,8 +133,13 @@ internal bool IsSetKmsKeyId()
89
133
/// <para>
90
134
/// The name of the log group.
91
135
/// </para>
136
+
///
137
+
/// <para>
138
+
/// In your <code>AssociateKmsKey</code> operation, you must specify either the <code>resourceIdentifier</code>
139
+
/// parameter or the <code>logGroup</code> parameter, but you can't specify both.
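Review bot: The added paragraph names the parameter `logGroup`, but the class summary and the backing field `_logGroupName` both use `logGroupName`. Change it to `<code>logGroupName</code>` so the mutual-exclusion rule refers to a parameter that exists under that name.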
/// Gets and sets the property ResourceIdentifier.
157
+
/// <para>
158
+
/// Specifies the target for this operation. You must specify one of the following:
159
+
/// </para>
160
+
/// <ul> <li>
161
+
/// <para>
162
+
/// Specify the following ARN to have future <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetQueryResults.html">GetQueryResults</a>
163
+
/// operations in this account encrypt the results with the specified KMS key. Replace
164
+
/// <i>REGION</i> and <i>ACCOUNT_ID</i> with your Region and account ID.
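Review bot: The ResourceIdentifier text says future GetQueryResults operations "encrypt the results with the specified KMS key", which contradicts the class summary in the same file. The summary says the key encrypts the stored results of future StartQuery operations and that a GetQueryResults response is still returned in plain text. Align this paragraph with the summary (link StartQuery and say it is the stored results that are encrypted); as written, a reader could assume the API response itself is encrypted.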
/// Container for the parameters to the DisassociateKmsKey operation.
33
-
/// Disassociates the associated KMS key from the specified log group.
33
+
/// Disassociates the specified KMS key from the specified log group or from all CloudWatch
34
+
/// Logs Insights query results in the account.
34
35
///
35
36
///
36
37
/// <para>
37
-
/// After the KMS key is disassociated from the log group, CloudWatch Logs stops encrypting
38
-
/// newly ingested data for the log group. All previously ingested data remains encrypted,
39
-
/// and CloudWatch Logs requires permissions for the KMS key whenever the encrypted data
40
-
/// is requested.
38
+
/// When you use <code>DisassociateKmsKey</code>, you specify either the <code>logGroupName</code>
39
+
/// parameter or the <code>resourceIdentifier</code> parameter. You can't specify both
40
+
/// of those parameters in the same operation.
41
41
/// </para>
42
-
///
42
+
/// <ul> <li>
43
+
/// <para>
44
+
/// Specify the <code>logGroupName</code> parameter to stop using the KMS key to encrypt
45
+
/// future log events ingested and stored in the log group. Instead, they will be encrypted
46
+
/// with the default CloudWatch Logs method. The log events that were ingested while the
47
+
/// key was associated with the log group are still encrypted with that key. Therefore,
48
+
/// CloudWatch Logs will need permissions for the key whenever that data is accessed.
49
+
/// </para>
50
+
/// </li> <li>
43
51
/// <para>
44
-
/// Note that it can take up to 5 minutes for this operation to take effect.
52
+
/// Specify the <code>resourceIdentifier</code> parameter with the <code>query-result</code>
53
+
/// resource to stop using the KMS key to encrypt the results of all future <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StartQuery.html">StartQuery</a>
54
+
/// operations in the account. They will instead be encrypted with the default CloudWatch
55
+
/// Logs method. The results from queries that ran while the key was associated with the
56
+
/// account are still encrypted with that key. Therefore, CloudWatch Logs will need permissions
57
+
/// for the key whenever that data is accessed.
58
+
/// </para>
59
+
/// </li> </ul>
60
+
/// <para>
61
+
/// It can take up to 5 minutes for this operation to take effect.
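Review bot: Both list items end by saying CloudWatch Logs still needs permissions for the key to read data encrypted while it was associated, but this comment has no counterpart to the `<important>` warning in AssociateKmsKey about deleting the key. Disassociation is the point at which a key is likely to be retired, so repeat here that deleting the key leaves the previously encrypted log events or query results unusable. Separately, the summary changes "the associated KMS key" to "the specified KMS key" while the text names only `logGroupName` and `resourceIdentifier` as inputs; unless the request also takes a key identifier, keep "associated".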