KeyProps

class aws_cdk.aws_kms.KeyProps(*, admins=None, alias=None, description=None, enabled=None, enable_key_rotation=None, pending_window=None, policy=None, removal_policy=None, trust_account_identities=None)

Bases: object

Construction properties for a KMS Key object.

Parameters

- admins (Optional[List[IPrincipal]]) – A list of principals to add as key administrators to the key policy. Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt). These principals will be added to the default key policy (if none specified), or to the specified policy (if provided). Default: []
- alias (Optional[str]) – Initial alias to add to the key. More aliases can be added later by calling addAlias. Default: No alias is added for the key.
- description (Optional[str]) – A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task. Default: No description.
- enabled (Optional[bool]) – Indicates whether the key is available for use. Default: Key is enabled.
- enable_key_rotation (Optional[bool]) – Indicates whether AWS KMS rotates the key. Default: false
- pending_window (Optional[Duration]) – Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack. When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of the waiting period. During the waiting period, the key state of the CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK. Enter a value between 7 and 30 days. Default: 30 days
- policy (Optional[PolicyDocument]) – Custom policy document to attach to the KMS key. NOTE - If the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set (the default for new projects), this policy will override the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy. Default: A policy document with permissions for the account root to administer the key will be created.
- removal_policy (Optional[RemovalPolicy]) – Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Default: RemovalPolicy.Retain
- trust_account_identities (Optional[bool]) – (deprecated) Whether the key usage can be granted by IAM policies. Setting this to true adds a default statement which delegates key access control completely to the identity’s IAM policy (similar to how it works for other AWS resources). This matches the default behavior when creating KMS keys via the API or console. If the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set (the default for new projects), this flag will always be treated as ‘true’ and does not need to be explicitly set. Default: false, unless the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set.
Attributes

- admins
  A list of principals to add as key administrators to the key policy.
  Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
  These principals will be added to the default key policy (if none specified), or to the specified policy (if provided).
  Default: []
  Return type: Optional[List[IPrincipal]]

- alias
  Initial alias to add to the key.
  More aliases can be added later by calling addAlias.
  Default: No alias is added for the key.
  Return type: Optional[str]

- description
  A description of the key.
  Use a description that helps your users decide whether the key is appropriate for a particular task.
  Default: No description.
  Return type: Optional[str]

- enable_key_rotation
  Indicates whether AWS KMS rotates the key.
  Default: false
  Return type: Optional[bool]

- enabled
  Indicates whether the key is available for use.
  Default: Key is enabled.
  Return type: Optional[bool]

- pending_window
  Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack.
  When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of the waiting period. During the waiting period, the key state of the CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK.
  Enter a value between 7 and 30 days.
  Default: 30 days
  Return type: Optional[Duration]

- policy
  Custom policy document to attach to the KMS key.
  NOTE - If the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set (the default for new projects), this policy will override the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy.
  Default: A policy document with permissions for the account root to administer the key will be created.
  Return type: Optional[PolicyDocument]

- removal_policy
  Whether the encryption key should be retained when it is removed from the Stack.
  This is useful when one wants to retain access to data that was encrypted with a key that is being retired.
  Default: RemovalPolicy.Retain
  Return type: Optional[RemovalPolicy]
- trust_account_identities
  (deprecated) Whether the key usage can be granted by IAM policies.
  Setting this to true adds a default statement which delegates key access control completely to the identity’s IAM policy (similar to how it works for other AWS resources). This matches the default behavior when creating KMS keys via the API or console.
  If the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set (the default for new projects), this flag will always be treated as ‘true’ and does not need to be explicitly set.
  Default: false, unless the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag is set.
  Deprecated: redundant with the ‘@aws-cdk/aws-kms:defaultKeyPolicies’ feature flag
  Stability: deprecated
  Return type: Optional[bool]
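As an added illustration (not code from the CDK docs or the aws_cdk library), the model below shows how the properties above map onto the AWS::KMS::Key and AWS::KMS::Alias resources that CDK synthesizes, including the 7–30 day pending-window check, the feature-flag rule for whether a custom policy replaces or extends the default root-admin policy, and the admin statement that manages but never uses the key. The CloudFormation property names are real; the admin action list, the field names of the stand-in KeyProps dataclass, and the sample account id are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Assumed admin action set: manage the key, never encrypt/decrypt with it.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]

@dataclass
class KeyProps:  # stand-in mirroring the documented props and defaults
    admins: List[str] = field(default_factory=list)  # principal ARNs
    alias: Optional[str] = None
    description: Optional[str] = None
    enabled: bool = True
    enable_key_rotation: bool = False
    pending_window_days: int = 30
    policy: Optional[Dict[str, Any]] = None
    removal_policy: str = "Retain"
    default_key_policies_flag: bool = True  # '@aws-cdk/aws-kms:defaultKeyPolicies'

def default_policy(account: str) -> Dict[str, Any]:
    """Default key policy: the account root may administer the key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": "kms:*", "Resource": "*"}]}

def synthesize(props: KeyProps, account: str = "111122223333") -> Dict[str, Any]:
    """Return the CloudFormation resources these props map to (constructed model)."""
    if not 7 <= props.pending_window_days <= 30:
        raise ValueError("pending_window must be between 7 and 30 days")
    statements: List[Dict[str, Any]] = []
    if props.policy is None or not props.default_key_policies_flag:
        statements += default_policy(account)["Statement"]  # default policy in force
    if props.policy is not None:  # flag set: the only policy; flag unset: appended
        statements += props.policy["Statement"]
    if props.admins:  # admins land in whichever policy is in force
        statements.append({"Effect": "Allow", "Principal": {"AWS": props.admins},
                           "Action": ADMIN_ACTIONS, "Resource": "*"})
    key: Dict[str, Any] = {"Type": "AWS::KMS::Key", "DeletionPolicy": props.removal_policy,
        "Properties": {"KeyPolicy": {"Version": "2012-10-17", "Statement": statements},
                       "Enabled": props.enabled, "EnableKeyRotation": props.enable_key_rotation,
                       "PendingWindowInDays": props.pending_window_days}}
    if props.description:
        key["Properties"]["Description"] = props.description
    resources = {"Key": key}
    if props.alias:
        resources["Alias"] = {"Type": "AWS::KMS::Alias", "Properties": {
            "AliasName": props.alias, "TargetKeyId": {"Ref": "Key"}}}
    return resources
```

Enabling rotation and shortening the pending window are the two settings a reviewer checks first, since both default to the weaker value (no rotation, 30 days).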