

# Key management operations
<a name="cmk-operations"></a>

Use Quick Sight key management APIs to list and update customer managed keys (CMKs) that are registered to a Quick Sight account. For more information about key management in Quick Sight, see [Key management](https://docs.aws.amazon.com/quicksight/latest/user/key-management.html) in the Quick Sight User Guide.

**Permissions**

Before you begin, create or update an IAM role that contains a user permission to access and use all CMKs that are registered to your Quick Sight account. At minimum, the IAM policy must contain the `kms:CreateGrant`, `quicksight:UpdateKeyRegistration`, and `quicksight:DescribeKeyRegistration` permissions. To see a list of IAM policy examples that can be used to grant different degrees of access to the CMKs in an account, see [IAM identity-based policies for Amazon Quick Sight: using the admin key management console](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-admin-key-management-console).

## CMK API Examples
<a name="cmk-operations-examples"></a>

The example below lists all customer managed keys that are registered to a Quick Sight account.

```
aws quicksight describe-key-registration \
--aws-account-id AWSACCOUNTID \
--region REGION
```

The example below updates a CMK registration and designates a default key.

```
aws quicksight update-key-registration \
--aws-account-id AWSACCOUNTID \
--key-registration '[{"KeyArn": "KEYARN", "DefaultKey": true}]' \
--region REGION
```

The example below updates the registration of two CMKs in a Quick Sight account and designates one of the two updated keys as the new default key.

```
aws quicksight update-key-registration \
--aws-account-id AWSACCOUNTID \
--key-registration '[{"KeyArn": "KEYARN", "DefaultKey": true}, {"KeyArn": "KEYARN", "DefaultKey": false}]' \
--region REGION
```

The example below clears all CMK registrations from a Quick Sight account. After the registrations are cleared, Quick Sight uses AWS owned keys to encrypt your resources.

```
aws quicksight update-key-registration \
--aws-account-id AWSACCOUNTID \
--key-registration '[]' \
--region REGION
```
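
Because an empty `--key-registration` list silently moves the account back to AWS owned keys, a pre-flight check on the payload is useful before calling `update-key-registration`. The following is an added example, not part of the Quick Sight documentation or tooling: `check_key_registration` is a hypothetical helper, the ARNs are constructed samples, and the rules that every entry sets `DefaultKey` and that exactly one key is the default are this script's local policy, not documented API constraints.

```python
import json
import re

# Shape check for a KMS key ARN; the docs' KEYARN placeholder fails it.
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9A-Za-z-]+$")


def check_key_registration(payload, allow_clear=False):
    """Return a list of problems in a --key-registration JSON string."""
    try:
        entries = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(entries, list):
        return ["payload must be a JSON list"]
    if not entries:
        # '[]' clears all CMK registrations, so require an explicit opt-in.
        return [] if allow_clear else ["empty list clears every CMK registration"]
    problems, seen, defaults = [], set(), 0
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        arn = entry.get("KeyArn")
        if not isinstance(arn, str) or not KMS_KEY_ARN.match(arn):
            problems.append(f"entry {i}: KeyArn is not a KMS key ARN")
        elif arn in seen:
            problems.append(f"entry {i}: duplicate KeyArn")
        else:
            seen.add(arn)
        # Local policy (assumption): every entry states DefaultKey explicitly.
        if not isinstance(entry.get("DefaultKey"), bool):
            problems.append(f"entry {i}: DefaultKey must be true or false")
        elif entry["DefaultKey"]:
            defaults += 1
    # Local policy (assumption): exactly one key is designated as default.
    if defaults != 1:
        problems.append(f"{defaults} default keys, expected exactly 1")
    return problems


if __name__ == "__main__":
    # Constructed sample ARNs (fictional account and key IDs).
    a = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    b = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    good = json.dumps([{"KeyArn": a, "DefaultKey": True}, {"KeyArn": b, "DefaultKey": False}])
    print(check_key_registration(good))
    print(check_key_registration("[]"))
```

Run the check on the exact string you intend to pass to `--key-registration`, and call the CLI only when the returned list is empty.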