disassociateKmsKey method
Disassociates the specified KMS key from the specified log group or from all CloudWatch Logs Insights query results in the account.
When you use DisassociateKmsKey, you specify either the
logGroupName parameter or the resourceIdentifier
parameter. You can't specify both of those parameters in the same
operation.
-
Specify the
logGroupNameparameter to stop using the KMS key to encrypt future log events ingested and stored in the log group. Instead, they will be encrypted with the default CloudWatch Logs method. The log events that were ingested while the key was associated with the log group are still encrypted with that key. Therefore, CloudWatch Logs will need permissions for the key whenever that data is accessed. -
Specify the
resourceIdentifierparameter with thequery-resultresource to stop using the KMS key to encrypt the results of all future StartQuery operations in the account. They will instead be encrypted with the default CloudWatch Logs method. The results from queries that ran while the key was associated with the account are still encrypted with that key. Therefore, CloudWatch Logs will need permissions for the key whenever that data is accessed.
May throw InvalidParameterException.
May throw OperationAbortedException.
May throw ResourceNotFoundException.
May throw ServiceUnavailableException.
Parameter logGroupName :
The name of the log group.
In your DisassociateKmsKey operation, you must specify either
the resourceIdentifier parameter or the logGroup
parameter, but you can't specify both.
Parameter resourceIdentifier :
Specifies the target for this operation. You must specify one of the
following:
-
Specify the ARN of a log group to stop having CloudWatch Logs use the KMS
key to encrypt log events that are ingested and stored by that log group.
After you run this operation, CloudWatch Logs encrypts ingested log events
with the default CloudWatch Logs method. The log group ARN must be in the
following format. Replace REGION and ACCOUNT_ID with your
Region and account ID.
arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME -
Specify the following ARN to stop using this key to encrypt the results of
future StartQuery
operations in this account. Replace REGION and ACCOUNT_ID
with your Region and account ID.
arn:aws:logs:REGION:ACCOUNT_ID:query-result:*
DisssociateKmsKey operation, you must specify either
the resourceIdentifier parameter or the logGroup
parameter, but you can't specify both.
Implementation
Future<void> disassociateKmsKey({
String? logGroupName,
String? resourceIdentifier,
}) async {
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.1',
'X-Amz-Target': 'Logs_20140328.DisassociateKmsKey'
};
await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
if (logGroupName != null) 'logGroupName': logGroupName,
if (resourceIdentifier != null)
'resourceIdentifier': resourceIdentifier,
},
);
}