AWS::Route53::KeySigningKey

The AWS::Route53::KeySigningKey resource creates a new key-signing key (KSK) in a hosted zone. The hosted zone ID is passed as a parameter in the KSK properties. You can specify the properties of this KSK using the Name, Status, and KeyManagementServiceArn properties of the resource.
Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::Route53::KeySigningKey",
      "Properties" : {
        "HostedZoneId" : String,
        "KeyManagementServiceArn" : String,
        "Name" : String,
        "Status" : String
      }
    }

YAML

    Type: AWS::Route53::KeySigningKey
    Properties:
      HostedZoneId: String
      KeyManagementServiceArn: String
      Name: String
      Status: String
Properties

HostedZoneId

The unique string (ID) that is used to identify a hosted zone. For example: Z00001111A1ABCaaABC11.

Required: Yes
Type: String
Pattern: ^[A-Z0-9]{1,32}$
Update requires: Replacement

KeyManagementServiceArn

The Amazon Resource Name (ARN) for a customer managed customer master key (CMK) in AWS Key Management Service (AWS KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. For example: arn:aws:kms:us-east-1:111122223333:key/111a2222-a11b-1ab1-2ab2-1ab21a2b3a111.

Required: Yes
Type: String
Minimum: 1
Maximum: 256
Update requires: Replacement

Name

A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.

Required: Yes
Type: String
Pattern: ^[a-zA-Z0-9_]{3,128}$
Update requires: Replacement

Status

A string that represents the current key-signing key (KSK) status. Status can have one of the following values:

- ACTIVE - The KSK is being used for signing.
- INACTIVE - The KSK is not being used for signing.
- DELETING - The KSK is in the process of being deleted.
- ACTION_NEEDED - There is a problem with the KSK that requires you to take action to resolve. For example, the customer managed key might have been deleted, or the permissions for the customer managed key might have been changed.
- INTERNAL_FAILURE - There was an error during a request. Before you can continue to work with DNSSEC signing, including actions that involve this KSK, you must correct the problem. For example, you may need to activate or deactivate the KSK.

Only ACTIVE and INACTIVE can be set in a template; the other values are reported by the service.

Required: Yes
Type: String
Allowed values: ACTIVE | INACTIVE
Update requires: No interruption
Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns an identifier that is based on both the hosted zone ID and the KSK name properties, joined by a vertical bar. For example:

    { "Ref": "Z00001111A1ABCaaABC11|KSK1" }

For more information about using the Ref function, see Ref.
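The following template is an added example and is not part of the AWS documentation page. It shows the KSK resource in context: the asymmetric AWS KMS key that KeyManagementServiceArn must point to (with the key policy that grants the Route 53 DNSSEC service principal the signing permissions it needs and conditions that prevent another account from using the key through that principal), the KSK itself, and the AWS::Route53::DNSSEC resource that turns signing on. The AWS::KMS::Key and AWS::Route53::DNSSEC resources and the key policy statements are not described on this page; the hosted zone ID, KSK name, and resource logical names are constructed placeholders. The output demonstrates the "HostedZoneId|Name" value that Ref returns.

```yaml
# Added example, not from the AWS::Route53::KeySigningKey documentation page.
# Creates the KMS key a KSK requires, the KSK, and enables DNSSEC signing on an
# existing hosted zone. Route 53 DNSSEC requires an ECC_NIST_P256 signing key
# created in us-east-1, so deploy this stack in us-east-1.
AWSTemplateFormatVersion: "2010-09-09"
Description: Example - DNSSEC key-signing key for an existing Route 53 hosted zone

Parameters:
  HostedZoneId:
    Type: String
    Default: Z00001111A1ABCaaABC11            # constructed placeholder
    AllowedPattern: "^[A-Z0-9]{1,32}$"       # same pattern the KSK property enforces

Resources:
  # Asymmetric key whose private half never leaves KMS; Route 53 signs with it.
  DnssecSigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Route 53 DNSSEC key-signing key material
      KeySpec: ECC_NIST_P256
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account administrators keep control of the key (deletion, policy edits).
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # The DNSSEC service needs the public key and the ability to sign.
          # SourceAccount/SourceArn conditions stop a hosted zone in a different
          # account from using this key through the service principal.
          - Sid: AllowRoute53DnssecService
            Effect: Allow
            Principal:
              Service: dnssec-route53.amazonaws.com
            Action:
              - kms:DescribeKey
              - kms:GetPublicKey
              - kms:Sign
            Resource: "*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: arn:aws:route53:::hostedzone/*
          # Grants are limited to ones created on behalf of an AWS resource.
          - Sid: AllowRoute53DnssecServiceCreateGrant
            Effect: Allow
            Principal:
              Service: dnssec-route53.amazonaws.com
            Action: kms:CreateGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: true

  # The KSK binds the hosted zone to the KMS key. Name must match
  # ^[a-zA-Z0-9_]{3,128}$; Status is the only property that updates in place,
  # every other change replaces the resource.
  ZoneKeySigningKey:
    Type: AWS::Route53::KeySigningKey
    Properties:
      HostedZoneId: !Ref HostedZoneId
      KeyManagementServiceArn: !GetAtt DnssecSigningKey.Arn
      Name: ksk_2024_01                        # constructed placeholder
      Status: ACTIVE

  # Signing can only be enabled once an ACTIVE KSK exists; DependsOn orders it.
  ZoneDnssec:
    Type: AWS::Route53::DNSSEC
    DependsOn: ZoneKeySigningKey
    Properties:
      HostedZoneId: !Ref HostedZoneId

Outputs:
  # Ref returns "<HostedZoneId>|<Name>", here Z00001111A1ABCaaABC11|ksk_2024_01
  KeySigningKeyRef:
    Value: !Ref ZoneKeySigningKey
```

Enabling signing in the zone does not by itself establish the chain of trust: the DS record for this KSK still has to be published at the parent zone (the registrar), and the ACTION_NEEDED status is what to watch for if the KMS key is later deleted or its policy is tightened so the service principal loses kms:Sign. Setting Status to INACTIVE in a stack update is the non-replacing way to take a KSK out of use before retiring it.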