CloudWatchLogs / Client / associate_kms_key

associate_kms_key#

CloudWatchLogs.Client.associate_kms_key(**kwargs)#

Associates the specified KMS key with the specified log group.

Associating a KMS key with a log group overrides any existing associations between the log group and a KMS key. After a KMS key is associated with a log group, all newly ingested data for the log group is encrypted using the KMS key. This association is stored as long as the data encrypted with the KMS keyis still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.

Warning

CloudWatch Logs supports only symmetric KMS keys. Do not use an associate an asymmetric KMS key with your log group. For more information, see Using Symmetric and Asymmetric Keys.

It can take up to 5 minutes for this operation to take effect.

If you attempt to associate a KMS key with a log group but the KMS key does not exist or the KMS key is disabled, you receive an InvalidParameterException error.

See also: AWS API Documentation

Request Syntax

response = client.associate_kms_key(
    logGroupName='string',
    kmsKeyId='string'
)
Parameters:
  • logGroupName (string) –

    [REQUIRED]

    The name of the log group.

  • kmsKeyId (string) –

    [REQUIRED]

    The Amazon Resource Name (ARN) of the KMS key to use when encrypting log data. This must be a symmetric KMS key. For more information, see Amazon Resource Names and Using Symmetric and Asymmetric Keys.

Returns:

None

Exceptions

  • CloudWatchLogs.Client.exceptions.InvalidParameterException

  • CloudWatchLogs.Client.exceptions.ResourceNotFoundException

  • CloudWatchLogs.Client.exceptions.OperationAbortedException

  • CloudWatchLogs.Client.exceptions.ServiceUnavailableException