• 14 May 2025

Encryption of Data in Amazon QuickSight | SPICE, SSL & AWS KMS Security Explained

Understanding How Amazon QuickSight Encrypts Data at Rest and in Transit

Amazon QuickSight protects sensitive information through multiple encryption layers throughout its infrastructure. This includes encryption of data during transfer and at rest within the SPICE engine, secured by Amazon's security framework and AWS Key Management Service (KMS).

QuickSight encrypts data in transit and at rest using SSL, SPICE, and AWS Key Management Service (KMS), with optional support for Customer Master Key (CMK).
encryption-of-data-in-amazon-quicksight
  • Share Post:
  • LinkedIn Icon

1. Encryption During Data Transfers

All communication between data sources, Amazon QuickSight, SPICE, and the user interface is protected using Secure Socket Layer (SSL). SSL ensures that data in transit remains confidential and intact. You can configure SSL requirements when connecting QuickSight to external data sources. If encryption is not required, this option can be disabled based on security posture.

2. Encryption Within SPICE (Data at Rest)

Data imported into SPICE (Super-fast, Parallel, In-memory Calculation Engine) is encrypted at rest using keys managed by AWS Key Management Service (KMS). This secures stored dashboards, datasets, and analyses from unauthorized access. AWS automatically handles key rotation and storage security through KMS-managed keys unless customer-managed keys (CMKs) are specified.

3. Key Management Responsibilities

  • By default, AWS manages encryption keys for QuickSight.
  • If your environment uses self-signed or custom certificates, you are responsible for ensuring that a trusted Certificate Authority issues them.
  • Customers who require greater control can implement customer-managed KMS keys to comply with internal or regulatory encryption policies.

4. Data Visibility Controls QuickSight handles user metadata securely

  • Admins can only view usernames and email addresses.
  • Passwords remain private, encrypted, and inaccessible—even to administrators.

5. Recommendations for Security Best Practices

  • Consistently apply SSL for data source connections.
  • Implement customer-managed KMS keys when compliance or internal policy requires key control.
  • Regularly audit IAM policies to limit access to unnecessary data and resources.

About DataTerrain has supported over 300 U.S.-based clients with business intelligence tools, including Amazon QuickSight. Our flexible model offers scalable, expert-led engagements with no long-term commitments.