Class CfnReplicaKey

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
All Implemented Interfaces:
IInspectable, ITaggable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.101.0 (build b95fe5d)", date="2024-08-02T00:29:12.778Z") @Stability(Stable) public class CfnReplicaKey extends CfnResource implements IInspectable, ITaggable
The AWS::KMS::ReplicaKey resource specifies a multi-Region replica key that is based on a multi-Region primary key.

Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the AWS Key Management Service Developer Guide.

A multi-Region primary key is a fully functional symmetric encryption KMS key, HMAC KMS key, or asymmetric KMS key that is also the model for replica keys in other AWS Regions. To create a multi-Region primary key, add an AWS::KMS::Key resource to your CloudFormation stack. Set its MultiRegion property to true.

A multi-Region replica key is a fully functional KMS key that has the same key ID and key material as a multi-Region primary key, but is located in a different AWS Region of the same AWS partition. There can be multiple replicas of a primary key, but each must be in a different AWS Region.

When you create a replica key in AWS CloudFormation, the replica key is created in the AWS Region represented by the endpoint you use for the request. If you try to replicate a multi-Region key into a Region in which the key type is not supported, the request will fail.

A primary key and its replicas have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. These properties are known as shared properties. If they change, AWS KMS synchronizes the change to all related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and key state. AWS KMS does not synchronize these properties.

Regions

AWS KMS CloudFormation resources are available in all AWS Regions in which AWS KMS and AWS CloudFormation are supported. You can use the AWS::KMS::ReplicaKey resource to create replica keys in all Regions that support multi-Region KMS keys. For details, see Multi-Region keys in AWS KMS.

Example:

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import java.util.List;
 import software.amazon.awscdk.CfnTag;
 import software.amazon.awscdk.services.kms.*;
 Object keyPolicy;
 CfnReplicaKey cfnReplicaKey = CfnReplicaKey.Builder.create(this, "MyCfnReplicaKey")
         .keyPolicy(keyPolicy)
         .primaryKeyArn("primaryKeyArn")
         // the properties below are optional
         .description("description")
         .enabled(false)
         .pendingWindowInDays(123)
         .tags(List.of(CfnTag.builder()
                 .key("key")
                 .value("value")
                 .build()))
         .build();
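
An added example, not part of the generated reference or the CDK project's own code: a stack that gives the replica its own key policy, since key policies are not synchronized from the primary key. The class name ReplicaKeyStack, the constructor parameters primaryKeyArn and decryptRoleArn, and the role they point to are assumptions made for illustration.

```java
import java.util.List;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iam.AccountRootPrincipal;
import software.amazon.awscdk.services.iam.ArnPrincipal;
import software.amazon.awscdk.services.iam.PolicyDocument;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.kms.CfnReplicaKey;
import software.constructs.Construct;

/** Deploy this stack in the replica Region: the replica is created where the request is sent. */
public class ReplicaKeyStack extends Stack {
    // primaryKeyArn and decryptRoleArn are hypothetical inputs supplied by the caller.
    public ReplicaKeyStack(Construct scope, String id, StackProps props,
                           String primaryKeyArn, String decryptRoleArn) {
        super(scope, id, props);

        // The key policy is not a shared property, so the replica gets its own.
        PolicyDocument replicaPolicy = PolicyDocument.Builder.create()
                .statements(List.of(
                        // Lets IAM policies in this account govern the key.
                        PolicyStatement.Builder.create()
                                .sid("EnableIamPolicies")
                                .principals(List.of(new AccountRootPrincipal()))
                                .actions(List.of("kms:*"))
                                .resources(List.of("*"))
                                .build(),
                        // Assumed recovery role: decrypt and describe only in this Region.
                        PolicyStatement.Builder.create()
                                .sid("DecryptOnlyInReplicaRegion")
                                .principals(List.of(new ArnPrincipal(decryptRoleArn)))
                                .actions(List.of("kms:Decrypt", "kms:DescribeKey"))
                                .resources(List.of("*"))
                                .build()))
                .build();

        CfnReplicaKey.Builder.create(this, "ReplicaKey")
                .keyPolicy(replicaPolicy)
                .primaryKeyArn(primaryKeyArn)
                .description("Replica key with a Region-specific key policy")
                .enabled(true)
                // AWS KMS accepts a waiting period of 7 to 30 days.
                .pendingWindowInDays(30)
                .build();
    }
}
```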
 

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.
  • Constructor Details

    • CfnReplicaKey

      protected CfnReplicaKey(software.amazon.jsii.JsiiObjectRef objRef)
    • CfnReplicaKey

      protected CfnReplicaKey(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
    • CfnReplicaKey

      @Stability(Stable) public CfnReplicaKey(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnReplicaKeyProps props)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties. This parameter is required.
  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.
    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.
    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      The Amazon Resource Name (ARN) of the replica key, such as arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab.

      The key ARNs of related multi-Region keys differ only in the Region value. For information about the key ARNs of multi-Region keys, see How multi-Region keys work in the AWS Key Management Service Developer Guide.

    • getAttrKeyId

      @Stability(Stable) @NotNull public String getAttrKeyId()
      The key ID of the replica key, such as mrk-1234abcd12ab34cd56ef1234567890ab.

      Related multi-Region keys have the same key ID. For information about the key IDs of multi-Region keys, see How multi-Region keys work in the AWS Key Management Service Developer Guide.

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource
    • getTags

      @Stability(Stable) @NotNull public TagManager getTags()
      Tag Manager which manages the tags for this resource.
      Specified by:
      getTags in interface ITaggable
    • getKeyPolicy

      @Stability(Stable) @NotNull public Object getKeyPolicy()
      The key policy that authorizes use of the replica key.
    • setKeyPolicy

      @Stability(Stable) public void setKeyPolicy(@NotNull Object value)
      The key policy that authorizes use of the replica key.
    • getPrimaryKeyArn

      @Stability(Stable) @NotNull public String getPrimaryKeyArn()
      Specifies the multi-Region primary key to replicate.
    • setPrimaryKeyArn

      @Stability(Stable) public void setPrimaryKeyArn(@NotNull String value)
      Specifies the multi-Region primary key to replicate.
    • getDescription

      @Stability(Stable) @Nullable public String getDescription()
      A description of the KMS key.
    • setDescription

      @Stability(Stable) public void setDescription(@Nullable String value)
      A description of the KMS key.
    • getEnabled

      @Stability(Stable) @Nullable public Object getEnabled()
      Specifies whether the replica key is enabled.

      Disabled KMS keys cannot be used in cryptographic operations.

    • setEnabled

      @Stability(Stable) public void setEnabled(@Nullable Boolean value)
      Specifies whether the replica key is enabled.

      Disabled KMS keys cannot be used in cryptographic operations.

    • setEnabled

      @Stability(Stable) public void setEnabled(@Nullable IResolvable value)
      Specifies whether the replica key is enabled.

      Disabled KMS keys cannot be used in cryptographic operations.

    • getPendingWindowInDays

      @Stability(Stable) @Nullable public Number getPendingWindowInDays()
      Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack.
    • setPendingWindowInDays

      @Stability(Stable) public void setPendingWindowInDays(@Nullable Number value)
      Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack.
    • getTagsRaw

      @Stability(Stable) @Nullable public List<CfnTag> getTagsRaw()
      Assigns one or more tags to the replica key.
    • setTagsRaw

      @Stability(Stable) public void setTagsRaw(@Nullable List<CfnTag> value)
      Assigns one or more tags to the replica key.