[ aws . xray ]



Updates the encryption configuration for X-Ray data.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.


[--key-id <value>]
--type <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]


--key-id (string)

An Amazon Web Services KMS key in one of the following formats:

  • Alias - The name of the key. For example, alias/MyKey .

  • Key ID - The KMS key ID of the key. For example, ae4aa6d49-a4d8-9df9-a475-4ff6d7898456 . Amazon Web Services X-Ray does not support asymmetric KMS keys.

  • ARN - The full Amazon Resource Name of the key ID or alias. For example, arn:aws:kms:us-east-2:123456789012:key/ae4aa6d49-a4d8-9df9-a475-4ff6d7898456 . Use this format to specify a key in a different account.

Omit this key if you set Type to NONE .

--type (string)

The type of encryption. Set to KMS to use your own key for encryption. Set to NONE for default encryption.

Possible values:

  • NONE

  • KMS

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.


To update the encryption configuration

The following put-encryption-config``example updates the encryption configuration for AWS X-Ray data to use the default AWS managed KMS key ``aws/xray.

aws xray put-encryption-config \
    --type KMS \
    --key-id alias/aws/xray


    "EncryptionConfig": {
        "KeyId": "arn:aws:kms:us-west-2:123456789012:key/c234g4e8-39e9-4gb0-84e2-b0ea215cbba5",
        "Status": "UPDATING",
        "Type": "KMS"

For more information, see Configuring Sampling, Groups, and Encryption Settings with the AWS X-Ray API in the AWS X-Ray Developer Guide.


EncryptionConfig -> (structure)

The new encryption configuration.

KeyId -> (string)

The ID of the KMS key used for encryption, if applicable.

Status -> (string)

The encryption status. While the status is UPDATING , X-Ray may encrypt data with a combination of the new and old settings.

Type -> (string)

The type of encryption. Set to KMS for encryption with KMS keys. Set to NONE for default encryption.