software.amazon.awscdk.services.kms

Class Key.Builder

java.lang.Object

software.amazon.awscdk.services.kms.Key.Builder

Enclosing class:

Key

public static final class Key.Builder
extends java.lang.Object

A fluent builder for Key.

Method Summary

Modifier and Type	Method and Description
Key.Builder	admins(java.util.List<? extends IPrincipal> admins) A list of principals to add as key administrators to the key policy.
Key.Builder	alias(java.lang.String alias) Initial alias to add to the key.
Key	build()
static Key.Builder	create(software.constructs.Construct scope, java.lang.String id)
Key.Builder	description(java.lang.String description) A description of the key.
Key.Builder	enabled(java.lang.Boolean enabled) Indicates whether the key is available for use.
Key.Builder	enableKeyRotation(java.lang.Boolean enableKeyRotation) Indicates whether AWS KMS rotates the key.
Key.Builder	keySpec(KeySpec keySpec) The cryptographic configuration of the key.
Key.Builder	keyUsage(KeyUsage keyUsage) The cryptographic operations for which the key can be used.
Key.Builder	pendingWindow(Duration pendingWindow) Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack.
Key.Builder	policy(PolicyDocument policy) Custom policy document to attach to the KMS key.
Key.Builder	removalPolicy(RemovalPolicy removalPolicy) Whether the encryption key should be retained when it is removed from the Stack.
Key.Builder	trustAccountIdentities(java.lang.Boolean trustAccountIdentities) Deprecated. redundant with the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

create

public static Key.Builder create(software.constructs.Construct scope,
                                 java.lang.String id)

Parameters:

scope - This parameter is required.

id - This parameter is required.

Returns:

a new instance of Key.Builder.

admins

public Key.Builder admins(java.util.List<? extends IPrincipal> admins)

A list of principals to add as key administrators to the key policy.

Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).

These principals will be added to the default key policy (if none specified), or to the specified policy (if provided).

Default: []

Parameters:

admins - A list of principals to add as key administrators to the key policy. This parameter is required.

Returns:

this

alias

public Key.Builder alias(java.lang.String alias)

Initial alias to add to the key.

More aliases can be added later by calling addAlias.

Default: - No alias is added for the key.

Parameters:

alias - Initial alias to add to the key. This parameter is required.

Returns:

this

description

public Key.Builder description(java.lang.String description)

A description of the key.

Use a description that helps your users decide whether the key is appropriate for a particular task.

Default: - No description.

Parameters:

description - A description of the key. This parameter is required.

Returns:

this

enabled

public Key.Builder enabled(java.lang.Boolean enabled)

Indicates whether the key is available for use.

Default: - Key is enabled.

Parameters:

enabled - Indicates whether the key is available for use. This parameter is required.

Returns:

this

enableKeyRotation

public Key.Builder enableKeyRotation(java.lang.Boolean enableKeyRotation)

Indicates whether AWS KMS rotates the key.

Default: false

Parameters:

enableKeyRotation - Indicates whether AWS KMS rotates the key. This parameter is required.

Returns:

this

keySpec

public Key.Builder keySpec(KeySpec keySpec)

The cryptographic configuration of the key. The valid value depends on usage of the key.

IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value.

Default: KeySpec.SYMMETRIC_DEFAULT

Parameters:

keySpec - The cryptographic configuration of the key. The valid value depends on usage of the key. This parameter is required.

Returns:

this

keyUsage

public Key.Builder keyUsage(KeyUsage keyUsage)

The cryptographic operations for which the key can be used.

IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value.

Default: KeyUsage.ENCRYPT_DECRYPT

Parameters:

keyUsage - The cryptographic operations for which the key can be used. This parameter is required.

Returns:

this

pendingWindow

public Key.Builder pendingWindow(Duration pendingWindow)

Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack.

When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK.

Enter a value between 7 and 30 days.

Default: - 30 days

Parameters:

pendingWindow - Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack. This parameter is required.

Returns:

this

See Also:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-pendingwindowindays

policy

public Key.Builder policy(PolicyDocument policy)

Custom policy document to attach to the KMS key.

NOTE - If the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set (the default for new projects), this policy will override the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy.

Default: - A policy document with permissions for the account root to administer the key will be created.

Parameters:

policy - Custom policy document to attach to the KMS key. This parameter is required.

Returns:

this

removalPolicy

public Key.Builder removalPolicy(RemovalPolicy removalPolicy)

Whether the encryption key should be retained when it is removed from the Stack.

This is useful when one wants to retain access to data that was encrypted with a key that is being retired.

Default: RemovalPolicy.Retain

Parameters:

removalPolicy - Whether the encryption key should be retained when it is removed from the Stack. This parameter is required.

Returns:

this

trustAccountIdentities

@Deprecated
public Key.Builder trustAccountIdentities(java.lang.Boolean trustAccountIdentities)

Deprecated. redundant with the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag

(deprecated) Whether the key usage can be granted by IAM policies.

Setting this to true adds a default statement which delegates key access control completely to the identity's IAM policy (similar to how it works for other AWS resources). This matches the default behavior when creating KMS keys via the API or console.

If the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set (the default for new projects), this flag will always be treated as 'true' and does not need to be explicitly set.

Default: - false, unless the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set.

Parameters:

trustAccountIdentities - Whether the key usage can be granted by IAM policies. This parameter is required.

Returns:

this

See Also:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam

build

public Key build()