S3 SSE for start-dashboard-snapshot-job

Is it possible to use S3 SSE or another type of SSE with the start-dashboard-snapshot-job AWS CLI call for QuickSight? What about for the similar StartDashboardSnapshotJob function from the AWS QuickSight API or the start_dashboard_snapshot_job from Boto3?

If this is not available, I would like this to be put in as a feature request. Ideally, I would like the files that are created during the snapshot jobs to be encrypted immediately as they arrive in S3 with my choice of encryption protocol (e.g. SSE-S3, SSE-C, SSE-KMS, DSSE-KMS).

Hi @dmonismith, thanks for posting your question. I am pinging one of our SAs to make sure your question gets a reply on Monday if we don’t hear back from the community before then. Thx!

Hello @dmonismith !

The encryption is something that would happen on the S3 bucket where you can set default options:

I will mark this as a feature request for the QuickSight team. Also, below is a helpful blog on this topic:

Dear @dmonismith,

What Duncan meant is the following. If you set any form of encryption on the S3 bucket, the report created through QuickSight will be immediately encrypted. How it is encrypted depends on your choice of encryption protocol. If none is selected, the default is SSE-S3. So even if you don’t set anything, the reports will be encrypted. I hope this is more clear to you.

Please let me know if this is an answer to your question.

Branco

Branco,

Thank you for the information and the quick response. I’ve found what the issue on my side is. I have a policy in place similar to the one listed below. This type of policy conflicts with the start-dashboard-snapshot-job QuickSight AWS CLI call, and causes it to fail. As you mentioned, if the default S3 bucket policy is set to perform SSE, the snapshot job will do that by default, but it looks like the snapshot job does not include the encryption headers (i.e. s3:x-amz-server-side-encryption) in the request. I’ve tried temporarily removing a policy like the one below (in a dev environment) and running start-dashboard-snapshot-job, and the output file (i.e. the report) does indeed get encrypted and placed into S3 with the policy removed, but the encryption headers are not in the PUT request.

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    }
  ]
}
```

I would highly recommend that a warning about the encryption headers be placed in the documentation for the snapshot job.
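The following is an added example, not part of the thread or of any AWS code: a small Python model of how the two Deny statements in the policy above evaluate against a PutObject request with and without the `s3:x-amz-server-side-encryption` header. It implements only the `StringNotEquals` and `Null` operators, ignores Principal and Resource matching, and the function names and sample requests are constructed for illustration.

```python
# Added example: models only the two condition operators used in the posted policy.
SSE_KEY = "s3:x-amz-server-side-encryption"

POLICY = {
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny",
         "Action": "s3:PutObject",
         "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
         "Action": "s3:PutObject",
         "Condition": {"Null": {SSE_KEY: True}}},
    ]
}

def condition_matches(operator, key, expected, context):
    """Evaluate one condition entry against the request context (header map)."""
    present = key in context
    if operator == "Null":
        # Null:true matches when the key is absent; Null:false when it is present.
        want_absent = str(expected).lower() == "true"
        return want_absent == (not present)
    if operator == "StringNotEquals":
        # Negated string operators also match when the key is missing entirely.
        return (not present) or context[key] != expected
    raise ValueError(f"operator not modelled: {operator}")

def denying_sids(policy, action, context):
    """Return the Sids of Deny statements whose conditions all match the request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if all(condition_matches(op, key, val, context)
               for op, entries in stmt["Condition"].items()
               for key, val in entries.items()):
            hits.append(stmt["Sid"])
    return hits

# Constructed request contexts (hypothetical, for illustration only).
REQUESTS = {
    "PUT without SSE header": {},
    "PUT with AES256 header": {SSE_KEY: "AES256"},
    "PUT with aws:kms header": {SSE_KEY: "aws:kms"},
}

if __name__ == "__main__":
    for label, ctx in REQUESTS.items():
        sids = denying_sids(POLICY, "s3:PutObject", ctx)
        print(f"{label}: {'DENIED by ' + ', '.join(sids) if sids else 'not denied'}")
```

A request that omits the header is denied by both statements before bucket default encryption is ever applied, which is consistent with the failure described in the post above.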

I have submitted the feedback to improve the documentation.