S3 SSL Policy and KMS Rotation in Tableau Cloud Activity Log

Publish Date: May 29, 2026

Description

This article provides information regarding the compatibility of Tableau Cloud Activity Log delivery with specific AWS S3 security configurations, such as SSL-only bucket policies and automatic Key Management Service (KMS) key rotation. Customers often inquire if these AWS best practices impact the delivery of logs from Tableau Cloud to their S3 buckets.

Resolution

SSL-Only Bucket Policy

The SSL-only statement in a bucket policy is fully supported and recommended. Tableau Activity Log delivery utilizes HTTPS by default for all data transfers. Implementing a "Deny" policy for non-secure transport will not impact log delivery. In fact, this is a security best practice that we encourage all customers to implement.

Example Policy Snippet:

{
    "Sid": "AllowSSLRequestsOnly",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>",
        "arn:aws:s3:::<BUCKET_NAME>/*"
    ],
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}

Automatic KMS Key Rotation

AWS KMS automatic key rotation is fully supported. When this feature is enabled, AWS rotates the backing key material while maintaining the same Key ARN. Since the ARN remains constant, Tableau Cloud can continue to deliver logs seamlessly without requiring any configuration changes or manual updates.

Knowledge Article Number

005385572

Did this article solve your issue?

Let us know so we can improve!

S3 SSL Policy and KMS Rotation in Tableau Cloud Activity Log

SSL-Only Bucket Policy

Automatic KMS Key Rotation

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List