KeyProps

class aws_cdk.aws_kms.KeyProps(*, alias=None, description=None, enabled=None, enable_key_rotation=None, policy=None, removal_policy=None, trust_account_identities=None)

Bases: object

__init__(*, alias=None, description=None, enabled=None, enable_key_rotation=None, policy=None, removal_policy=None, trust_account_identities=None)

Construction properties for a KMS Key object.

Parameters
  • alias (Optional[str]) – Initial alias to add to the key. More aliases can be added later by calling add_alias. Default: - No alias is added for the key.

  • description (Optional[str]) – A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task. Default: - No description.

  • enabled (Optional[bool]) – Indicates whether the key is available for use. Default: - Key is enabled.

  • enable_key_rotation (Optional[bool]) – Indicates whether AWS KMS rotates the key. Default: false

  • policy (Optional[PolicyDocument]) – Custom policy document to attach to the KMS key. Default: - A policy document with permissions for the account root to administer the key will be created.

  • removal_policy (Optional[RemovalPolicy]) – Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Default: RemovalPolicy.Retain

  • trust_account_identities (Optional[bool]) – Whether the key usage can be granted by IAM policies. Setting this to true adds a default statement which delegates key access control completely to the identity’s IAM policy (similar to how it works for other AWS resources). Default: false

Attributes

alias

Initial alias to add to the key.

More aliases can be added later by calling add_alias.

Default: - No alias is added for the key.

Return type

Optional[str]

description

A description of the key.

Use a description that helps your users decide whether the key is appropriate for a particular task.

Default: - No description.

Return type

Optional[str]

enable_key_rotation

Indicates whether AWS KMS rotates the key.

Default: false

Return type

Optional[bool]

enabled

Indicates whether the key is available for use.

Default: - Key is enabled.

Return type

Optional[bool]

policy

Custom policy document to attach to the KMS key.

Default: - A policy document with permissions for the account root to administer the key will be created.

Return type

Optional[PolicyDocument]

removal_policy

Whether the encryption key should be retained when it is removed from the Stack.

This is useful when one wants to retain access to data that was encrypted with a key that is being retired.

Default: RemovalPolicy.Retain

Return type

Optional[RemovalPolicy]

trust_account_identities

Whether the key usage can be granted by IAM policies.

Setting this to true adds a default statement which delegates key access control completely to the identity’s IAM policy (similar to how it works for other AWS resources).

Default: false

See: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam

Return type

Optional[bool]
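
The properties above end up in the synthesized CloudFormation template, where the resulting key settings can be reviewed before deployment. The following is an added example, not part of the CDK documentation: it audits AWS::KMS::Key resources for disabled rotation, a non-Retain deletion policy, and access delegated to IAM. The sample template, the function name audit_kms_keys and the finding labels are constructed for illustration, and it assumes trust_account_identities=True shows up as a kms:* grant to the account root principal.

```python
import json

# Constructed sample of a synthesized template (not real `cdk synth` output).
SAMPLE_TEMPLATE = {"Resources": {
    # Key created with the KeyProps defaults: no rotation, retained on removal.
    "DefaultKey": {
        "Type": "AWS::KMS::Key",
        "DeletionPolicy": "Retain",
        "Properties": {"KeyPolicy": {"Statement": [{
            "Effect": "Allow", "Resource": "*",
            "Action": ["kms:Create*", "kms:Describe*"],
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}},
    },
    # Rotation on, but removed with the stack and access delegated to IAM.
    "DelegatedKey": {
        "Type": "AWS::KMS::Key",
        "DeletionPolicy": "Delete",
        "Properties": {"EnableKeyRotation": True, "KeyPolicy": {"Statement": [{
            "Effect": "Allow", "Resource": "*", "Action": "kms:*",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}},
    },
    "Bucket": {"Type": "AWS::S3::Bucket"},  # ignored: not a KMS key
}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_kms_keys(template):
    """Return {logical_id: [findings]} for each AWS::KMS::Key resource."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        props, findings = res.get("Properties", {}), []
        if props.get("EnableKeyRotation") is not True:
            findings.append("rotation-disabled")
        if res.get("DeletionPolicy") != "Retain":
            findings.append("not-retained")
        for stmt in _as_list(props.get("KeyPolicy", {}).get("Statement", [])):
            # Serialise the principal so Fn::Join forms of the root ARN match too.
            to_root = ":root" in json.dumps(stmt.get("Principal", ""))
            if stmt.get("Effect") == "Allow" and to_root and "kms:*" in _as_list(stmt.get("Action", [])):
                findings.append("access-delegated-to-iam")
        report[logical_id] = findings
    return report
```

A key flagged access-delegated-to-iam is not misconfigured by itself; it means the IAM policies in the account, not the key policy, decide who can use the key and need to be reviewed with it.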