Updates the encryption configuration of a Logstore. You can create encryption configurations for the Logstore and enable or disable the encryption feature.
Operation description
Limits
If you specify a data encryption method when you configure data encryption settings, you cannot switch to the other method after the configuration. In addition, you cannot change the encryption algorithm or the encryption type. You can only enable or disable the encryption feature by using the enable parameter. If you specify the encryption method by using the service key of Simple Log Service when you configure data encryption settings, you cannot switch to the encryption method by using Bring Your Own Key (BYOK) keys after the configuration.
Create encryption configurations
Encryption by using service keys
Simple Log Service is fully responsible for data encryption and key management. No additional operations are required. When you create encryption configurations for the Logstore, you must specify the enable and encryptType parameters.
Encryption by using BYOK keys
You must create a customer master key (CMK) in Key Management Service (KMS). Then, Simple Log Service encrypts logs by using the CMK. When you create encryption configurations for the Logstore, you must specify the enable, encryptType, and userCmkInfo parameters.
Enable or disable the encryption feature
After you create encryption configurations for the Logstore, you cannot modify the encryptType or userCmkInfo parameters. However, you can enable and disable the encryption feature by using the enable parameter.
Request syntax
PUT /logstores/{logstore}/encryption HTTP/1.1
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
project | string | Yes | The Simple Log Service project. | test-project |
logstore | string | Yes | The Logstore. | test-logstore |
body | object | No | The request struct. | |
enable | boolean | Yes | Specifies whether to enable the encryption feature. After you update the encryption configuration of the Logstore, you can modify only the enable parameter in subsequent update requests. You cannot modify the encryptType or userCmkInfo parameters. | true |
encryptType | string | No | The encryption algorithm. Valid values: default, m4, sm4_ecb, sm4_cbc, sm4_gcm, aes_ecb, aes_cbc, aes_cfb, aes_ofb, and aes_gcm. | default |
userCmkInfo | object | No | Optional. If you use a BYOK key to encrypt logs, you must specify this parameter. If you use the service key of Simple Log Service to encrypt logs, you do not need to specify this parameter. | |
keyId | string | No | The ID of the CMK to which the BYOK key belongs. You can create a CMK in KMS. The CMK must be in the same region as the endpoint of Simple Log Service. | f5136b95-2420-ab31-xxxxxxxxx |
roleArn | string | No | The Alibaba Cloud Resource Name (ARN) of the Resource Access Management (RAM) role. The value is in the acs:ram::12344***:role/xxxxx format. To use a BYOK key to encrypt logs, you must create a RAM role and grant the AliyunKMSReadOnlyAccess and AliyunKMSCryptoUserAccess permissions to the RAM role. You must grant the API caller the PassRole permission on the RAM role. | acs:ram::12344***:role/xxxxx |
regionId | string | No | The region ID. Example: cn-hangzhou. | cn-hangzhou |
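
The following pre-flight check is an added example, not code from Simple Log Service or its SDKs: it builds the request body from the table above and rejects, before the PUT is sent, changes that the Limits section says cannot be made after creation. The function name, the endpoint_region and current inputs, and the rule that all three userCmkInfo fields must be present are assumptions of this example.

```python
import json
import re

# Values copied from the encryptType row of the request parameters table.
ENCRYPT_TYPES = {"default", "m4", "sm4_ecb", "sm4_cbc", "sm4_gcm",
                 "aes_ecb", "aes_cbc", "aes_cfb", "aes_ofb", "aes_gcm"}
# Loose shape check for the documented acs:ram::<account>:role/<name> format.
ROLE_ARN = re.compile(r"^acs:ram::\d+:role/\S+$")


def build_encryption_body(enable, encrypt_type, endpoint_region,
                          user_cmk=None, current=None):
    """Return the JSON body for PUT /logstores/{logstore}/encryption.

    current is the body used when the configuration was created (None on
    the first call). endpoint_region and current are hypothetical helper
    inputs of this example, not API parameters.
    """
    if not isinstance(enable, bool):
        raise ValueError("enable must be a boolean")
    if encrypt_type not in ENCRYPT_TYPES:
        raise ValueError(f"unsupported encryptType: {encrypt_type!r}")
    body = {"enable": enable, "encryptType": encrypt_type}
    if user_cmk is not None:  # BYOK; requiring all three fields is an assumption
        missing = {"keyId", "roleArn", "regionId"} - set(user_cmk)
        if missing:
            raise ValueError(f"userCmkInfo is missing {sorted(missing)}")
        if not ROLE_ARN.match(user_cmk["roleArn"]):
            raise ValueError("roleArn is not in acs:ram::<account>:role/<name> form")
        if user_cmk["regionId"] != endpoint_region:
            raise ValueError("the CMK must be in the same region as the endpoint")
        body["userCmkInfo"] = {k: user_cmk[k] for k in ("keyId", "roleArn", "regionId")}
    if current is not None:
        # After creation only enable may change; method, algorithm and CMK are fixed.
        for field in ("encryptType", "userCmkInfo"):
            if body.get(field) != current.get(field):
                raise ValueError(f"{field} cannot be modified after creation")
    return body


if __name__ == "__main__":
    # Constructed sample values; the key ID and account ID are placeholders.
    cmk = {"keyId": "00000000-0000-0000-0000-000000000000",
           "roleArn": "acs:ram::1234567890123456:role/sls-byok-example",
           "regionId": "cn-hangzhou"}
    created = build_encryption_body(True, "default", "cn-hangzhou", user_cmk=cmk)
    print(json.dumps(created, indent=2))
    # Later call: same settings, only enable flipped.
    print(json.dumps(build_encryption_body(False, "default", "cn-hangzhou", cmk, created)))
```
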
Response parameters
Examples
Sample success responses
JSON format
{}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
404 | ProjectNotExist | The Project does not exist: xxxx. | The project does not exist. |
404 | LogStoreNotExist | logstore xxxx does not exist. | The Logstore does not exist. |
For a list of error codes, see Service error codes.
Change history
Change time | Summary of changes |
---|---|
2024-11-13 | Add Operation |