Class CfnKey
The AWS::KMS::Key resource specifies a KMS key in AWS Key Management Service. You can use this resource to create symmetric encryption KMS keys, asymmetric KMS keys for encryption or signing, and symmetric HMAC KMS keys. You can use AWS::KMS::Key to create multi-Region primary keys of all supported types. To replicate a multi-Region key, use the AWS::KMS::ReplicaKey resource.
Namespace: Amazon.CDK.AWS.KMS
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class CfnKey : CfnResource, IInspectable, ITaggable
Syntax (vb)
Public Class CfnKey
Inherits CfnResource
Implements IInspectable, ITaggable
Remarks
If you change the value of the KeySpec, KeyUsage, Origin, or MultiRegion properties of an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing any of its immutable property values.
AWS KMS replaced the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.
You can use symmetric encryption KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use a symmetric encryption KMS key to encrypt data stored in AWS services that are integrated with AWS KMS. For more information, see Symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.
You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric KeySpec value and a KeyUsage value. For details, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.
You can use HMAC KMS keys (which are also symmetric keys) to generate and verify hash-based message authentication codes. To create an HMAC key, you must specify an HMAC KeySpec value and a KeyUsage value of GENERATE_VERIFY_MAC. For details, see HMAC keys in AWS KMS in the AWS Key Management Service Developer Guide.
You can also create symmetric encryption, asymmetric, and HMAC multi-Region primary keys. To create a multi-Region primary key, set the MultiRegion property to true. For information about multi-Region keys, see Multi-Region keys in AWS KMS in the AWS Key Management Service Developer Guide.
You cannot use the AWS::KMS::Key resource to specify a KMS key with imported key material or a KMS key in a custom key store.
Regions
AWS KMS CloudFormation resources are available in all Regions in which AWS KMS and AWS CloudFormation are supported. You can use the AWS::KMS::Key resource to create and manage all KMS key types that are supported in a Region.
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
CloudformationResource: AWS::KMS::Key
Examples
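using Amazon.CDK.AWS.KMS;
using Amazon.CDK.CloudFormation.Include;
// cfnTemplate stands for a CfnInclude created elsewhere whose template defines a resource with logical ID "Key".
CfnInclude cfnTemplate;
var cfnKey = (CfnKey)cfnTemplate.GetResource("Key");
var key = Key.FromCfnKey(cfnKey);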
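The KeySpec and KeyUsage pairings described in the Remarks, shown as an added example that is not part of the generated reference: one symmetric encryption key, one asymmetric signing key and one HMAC key defined in a single stack. The stack name KeyTypesStack, the construct IDs and the key policy are assumptions; the KeySpec values ECC_NIST_P256 and HMAC_256 and the KeyUsage value SIGN_VERIFY are AWS KMS values that this page does not list.

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.KMS;
using Constructs;

// Added example; KeyTypesStack and the construct IDs are hypothetical names.
public class KeyTypesStack : Stack
{
    public KeyTypesStack(Construct scope, string id) : base(scope, id)
    {
        // Assumed key policy: delegates access control to IAM in the owning account.
        var keyPolicy = new Dictionary<string, object>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new object[] { new Dictionary<string, object>
            {
                ["Sid"] = "EnableIamPolicies",
                ["Effect"] = "Allow",
                ["Principal"] = new Dictionary<string, object>
                    { ["AWS"] = Fn.Sub("arn:${AWS::Partition}:iam::${AWS::AccountId}:root") },
                ["Action"] = "kms:*",
                ["Resource"] = "*"
            } }
        };

        // Symmetric encryption key: KeySpec and KeyUsage stay at their defaults
        // (KeyUsage defaults to ENCRYPT_DECRYPT).
        new CfnKey(this, "DataKey", new CfnKeyProps
        {
            Description = "Symmetric encryption key",
            KeyPolicy = keyPolicy,
            EnableKeyRotation = true,               // automatic rotation applies to symmetric encryption keys only
            PendingWindowInDays = 30,               // waiting period before KMS deletes the key after stack removal
            BypassPolicyLockoutSafetyCheck = false  // keep the key policy lockout safety check on (the default)
        });

        // Asymmetric signing key: an asymmetric KeySpec and a KeyUsage must both be set.
        new CfnKey(this, "SigningKey", new CfnKeyProps
        {
            KeyPolicy = keyPolicy, KeySpec = "ECC_NIST_P256", KeyUsage = "SIGN_VERIFY"
        });

        // HMAC key: an HMAC KeySpec with KeyUsage GENERATE_VERIFY_MAC.
        new CfnKey(this, "MacKey", new CfnKeyProps
        {
            KeyPolicy = keyPolicy, KeySpec = "HMAC_256", KeyUsage = "GENERATE_VERIFY_MAC"
        });
    }
}
```

Because KeySpec, KeyUsage, Origin and MultiRegion are immutable, choose them before the first deployment; changing any of them later makes the stack update fail.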
Synopsis
Constructors
CfnKey(ByRefValue) | Used by jsii to construct an instance of this class from a JavaScript-owned object reference |
CfnKey(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
CfnKey(Construct, String, ICfnKeyProps) |
Properties
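AttrArn | The Amazon Resource Name (ARN) of the KMS key, such as arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab. |
AttrKeyId | The key ID of the KMS key, such as 1234abcd-12ab-34cd-56ef-1234567890ab. |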
BypassPolicyLockoutSafetyCheck | Skips ("bypasses") the key policy lockout safety check. |
CFN_RESOURCE_TYPE_NAME | The CloudFormation resource type name for this resource class. |
CfnProperties | |
Description | A description of the KMS key. |
Enabled | Specifies whether the KMS key is enabled. |
EnableKeyRotation | Enables automatic rotation of the key material for the specified KMS key. |
KeyPolicy | The key policy to attach to the KMS key. |
KeySpec | Specifies the type of KMS key to create. |
KeyUsage | Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. |
MultiRegion | Creates a multi-Region primary key that you can replicate in other AWS Regions. |
Origin | The source of the key material for the KMS key. |
PendingWindowInDays | Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. |
Tags | Tag Manager which manages the tags for this resource. |
TagsRaw | Assigns one or more tags to the replica key. |
Methods
Inspect(TreeInspector) | Examines the CloudFormation resource and discloses attributes. |
RenderProperties(IDictionary<String, Object>) |
Constructors
CfnKey(ByRefValue)
Used by jsii to construct an instance of this class from a JavaScript-owned object reference
protected CfnKey(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The JavaScript-owned object reference
CfnKey(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected CfnKey(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
CfnKey(Construct, String, ICfnKeyProps)
public CfnKey(Construct scope, string id, ICfnKeyProps props = null)
Parameters
- scope Constructs.Construct
Scope in which this resource is defined.
- id System.String
Construct identifier for this resource (unique in its scope).
- props ICfnKeyProps
Resource properties.
Properties
AttrArn
The Amazon Resource Name (ARN) of the KMS key, such as arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
public virtual string AttrArn { get; }
Property Value
System.String
Remarks
For information about the key ARN of a KMS key, see Key ARN in the AWS Key Management Service Developer Guide.
CloudformationAttribute: Arn
AttrKeyId
The key ID of the KMS key, such as 1234abcd-12ab-34cd-56ef-1234567890ab.
public virtual string AttrKeyId { get; }
Property Value
System.String
Remarks
For information about the key ID of a KMS key, see Key ID in the AWS Key Management Service Developer Guide.
CloudformationAttribute: KeyId
BypassPolicyLockoutSafetyCheck
Skips ("bypasses") the key policy lockout safety check.
public virtual object BypassPolicyLockoutSafetyCheck { get; set; }
Property Value
System.Object
Remarks
The default value is false.
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
public static string CFN_RESOURCE_TYPE_NAME { get; }
Property Value
System.String
CfnProperties
protected override IDictionary<string, object> CfnProperties { get; }
Property Value
System.Collections.Generic.IDictionary<System.String, System.Object>
Overrides
Description
A description of the KMS key.
public virtual string Description { get; set; }
Property Value
System.String
Enabled
Specifies whether the KMS key is enabled.
public virtual object Enabled { get; set; }
Property Value
System.Object
Remarks
Disabled KMS keys cannot be used in cryptographic operations.
EnableKeyRotation
Enables automatic rotation of the key material for the specified KMS key.
public virtual object EnableKeyRotation { get; set; }
Property Value
System.Object
KeyPolicy
The key policy to attach to the KMS key.
public virtual object KeyPolicy { get; set; }
Property Value
System.Object
KeySpec
Specifies the type of KMS key to create.
public virtual string KeySpec { get; set; }
Property Value
System.String
KeyUsage
Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created.
public virtual string KeyUsage { get; set; }
Property Value
System.String
MultiRegion
Creates a multi-Region primary key that you can replicate in other AWS Regions.
public virtual object MultiRegion { get; set; }
Property Value
System.Object
Origin
The source of the key material for the KMS key.
public virtual string Origin { get; set; }
Property Value
System.String
PendingWindowInDays
Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack.
public virtual Nullable<double> PendingWindowInDays { get; set; }
Property Value
System.Nullable<System.Double>
Tags
Tag Manager which manages the tags for this resource.
public virtual TagManager Tags { get; }
Property Value
TagsRaw
Assigns one or more tags to the replica key.
public virtual ICfnTag[] TagsRaw { get; set; }
Property Value
ICfnTag[]
Methods
Inspect(TreeInspector)
Examines the CloudFormation resource and discloses attributes.
public virtual void Inspect(TreeInspector inspector)
Parameters
- inspector TreeInspector
Tree inspector to collect and process attributes.
RenderProperties(IDictionary<String, Object>)
protected override IDictionary<string, object> RenderProperties(IDictionary<string, object> props)
Parameters
- props System.Collections.Generic.IDictionary<System.String, System.Object>
Returns
System.Collections.Generic.IDictionary<System.String, System.Object>