UpdateCustomKeyStore
Changes the properties of a custom key store. You can use this operation to change the properties of an AWS CloudHSM key store or an external key store.
Use the required CustomKeyStoreId
parameter to identify the custom key store.
Use the remaining optional parameters to change its properties. This operation does not return
any property values. To verify the updated property values, use the DescribeCustomKeyStores operation.
This operation is part of the custom key stores feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a key store that you own and manage.
Important
When updating the properties of an external key store, verify that the updated settings connect your key store, via the external key store proxy, to the same external key manager as the previous settings, or to a backup or snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, you can fix them and retry, although an extended delay might disrupt AWS services. However, if AWS KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable.
Note
For external key stores:
Some external key managers provide a simpler method for updating an external key store. For details, see your external key manager documentation.
When updating an external key store in the AWS KMS console, you can upload a JSON-based
proxy configuration file with the desired values. You cannot upload the proxy configuration
file to the UpdateCustomKeyStore
operation. However, you can use the file to
help you determine the correct values for the UpdateCustomKeyStore
parameters.
For an AWS CloudHSM key store, you can use this operation to change the custom key store friendly
name (NewCustomKeyStoreName
), to tell AWS KMS about a change to the
kmsuser
crypto user password (KeyStorePassword
), or to associate
the custom key store with a different, but related, AWS CloudHSM cluster
(CloudHsmClusterId
). To update any property of an AWS CloudHSM key store, the
ConnectionState
of the AWS CloudHSM key store must be DISCONNECTED
.
For an external key store, you can use this operation to change the custom key store
friendly name (NewCustomKeyStoreName
), or to tell AWS KMS about a change to the
external key store proxy authentication credentials
(XksProxyAuthenticationCredential
), connection method
(XksProxyConnectivity
), external proxy endpoint
(XksProxyUriEndpoint
) and path (XksProxyUriPath
). For external key
stores with an XksProxyConnectivity
of VPC_ENDPOINT_SERVICE
, you can
also update the Amazon VPC endpoint service name (XksProxyVpcEndpointServiceName
). To
update most properties of an external key store, the ConnectionState
of the
external key store must be DISCONNECTED
. However, you can update the
CustomKeyStoreName
, XksProxyAuthenticationCredential
, and
XksProxyUriPath
of an external key store when it is in the CONNECTED or
DISCONNECTED state.
If your update requires a DISCONNECTED
state, before using
UpdateCustomKeyStore
, use the DisconnectCustomKeyStore
operation to disconnect the custom key store. After the UpdateCustomKeyStore
operation completes, use the ConnectCustomKeyStore to reconnect the custom
key store. To find the ConnectionState
of the custom key store, use the DescribeCustomKeyStores operation.
Before updating the custom key store, verify that the new values allow AWS KMS to connect
the custom key store to its backing key store. For example, before you change the
XksProxyUriPath
value, verify that the external key store proxy is reachable at
the new path.
If the operation succeeds, it returns a JSON object with no properties.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:UpdateCustomKeyStore (IAM policy)
Related operations:
Eventual consistency: The AWS KMS API follows an eventual consistency model. For more information, see AWS KMS eventual consistency.
Request Syntax
{
"CloudHsmClusterId": "string
",
"CustomKeyStoreId": "string
",
"KeyStorePassword": "string
",
"NewCustomKeyStoreName": "string
",
"XksProxyAuthenticationCredential": {
"AccessKeyId": "string
",
"RawSecretAccessKey": "string
"
},
"XksProxyConnectivity": "string
",
"XksProxyUriEndpoint": "string
",
"XksProxyUriPath": "string
",
"XksProxyVpcEndpointServiceName": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
Note
In the following list, the required parameters are described first.
- CustomKeyStoreId
-
Identifies the custom key store that you want to update. Enter the ID of the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Required: Yes
- CloudHsmClusterId
-
Associates the custom key store with a related AWS CloudHSM cluster. This parameter is valid only for custom key stores with a
CustomKeyStoreType
ofAWS_CLOUDHSM
.Enter the cluster ID of the cluster that you used to create the custom key store or a cluster that shares a backup history and has the same cluster certificate as the original cluster. You cannot use this parameter to associate a custom key store with an unrelated cluster. In addition, the replacement cluster must fulfill the requirements for a cluster associated with a custom key store. To view the cluster certificate of a cluster, use the DescribeClusters operation.
To change this value, the AWS CloudHSM key store must be disconnected.
Type: String
Length Constraints: Minimum length of 19. Maximum length of 24.
Pattern:
cluster-[2-7a-zA-Z]{11,16}
Required: No
- KeyStorePassword
-
Enter the current password of the
kmsuser
crypto user (CU) in the AWS CloudHSM cluster that is associated with the custom key store. This parameter is valid only for custom key stores with aCustomKeyStoreType
ofAWS_CLOUDHSM
.This parameter tells AWS KMS the current password of the
kmsuser
crypto user (CU). It does not set or change the password of any users in the AWS CloudHSM cluster.To change this value, the AWS CloudHSM key store must be disconnected.
Type: String
Length Constraints: Minimum length of 7. Maximum length of 32.
Required: No
- NewCustomKeyStoreName
-
Changes the friendly name of the custom key store to the value that you specify. The custom key store name must be unique in the AWS account.
Important
Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
To change this value, an AWS CloudHSM key store must be disconnected. An external key store can be connected or disconnected.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Required: No
- XksProxyAuthenticationCredential
-
Changes the credentials that AWS KMS uses to sign requests to the external key store proxy (XKS proxy). This parameter is valid only for custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.You must specify both the
AccessKeyId
andSecretAccessKey
value in the authentication credential, even if you are only updating one value.This parameter doesn't establish or change your authentication credentials on the proxy. It just tells AWS KMS the credential that you established with your external key store proxy. For example, if you rotate the credential on your external key store proxy, you can use this parameter to update the credential in AWS KMS.
You can change this value when the external key store is connected or disconnected.
Type: XksProxyAuthenticationCredentialType object
Required: No
- XksProxyConnectivity
-
Changes the connectivity setting for the external key store. To indicate that the external key store proxy uses a Amazon VPC endpoint service to communicate with AWS KMS, specify
VPC_ENDPOINT_SERVICE
. Otherwise, specifyPUBLIC_ENDPOINT
.If you change the
XksProxyConnectivity
toVPC_ENDPOINT_SERVICE
, you must also change theXksProxyUriEndpoint
and add anXksProxyVpcEndpointServiceName
value.If you change the
XksProxyConnectivity
toPUBLIC_ENDPOINT
, you must also change theXksProxyUriEndpoint
and specify a null or empty string for theXksProxyVpcEndpointServiceName
value.To change this value, the external key store must be disconnected.
Type: String
Valid Values:
PUBLIC_ENDPOINT | VPC_ENDPOINT_SERVICE
Required: No
- XksProxyUriEndpoint
-
Changes the URI endpoint that AWS KMS uses to connect to your external key store proxy (XKS proxy). This parameter is valid only for custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.For external key stores with an
XksProxyConnectivity
value ofPUBLIC_ENDPOINT
, the protocol must be HTTPS.For external key stores with an
XksProxyConnectivity
value ofVPC_ENDPOINT_SERVICE
, specifyhttps://
followed by the private DNS name associated with the VPC endpoint service. Each external key store must use a different private DNS name.The combined
XksProxyUriEndpoint
andXksProxyUriPath
values must be unique in the AWS account and Region.To change this value, the external key store must be disconnected.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 128.
Pattern:
^https://[a-zA-Z0-9.-]+$
Required: No
- XksProxyUriPath
-
Changes the base path to the proxy APIs for this external key store. To find this value, see the documentation for your external key manager and external key store proxy (XKS proxy). This parameter is valid only for custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.The value must start with
/
and must end with/kms/xks/v1
, wherev1
represents the version of the AWS KMS external key store proxy API. You can include an optional prefix between the required elements such as/example/kms/xks/v1
.The combined
XksProxyUriEndpoint
andXksProxyUriPath
values must be unique in the AWS account and Region.You can change this value when the external key store is connected or disconnected.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 128.
Pattern:
^(/[a-zA-Z0-9\/_-]+/kms/xks/v\d{1,2})$|^(/kms/xks/v\d{1,2})$
Required: No
- XksProxyVpcEndpointServiceName
-
Changes the name that AWS KMS uses to identify the Amazon VPC endpoint service for your external key store proxy (XKS proxy). This parameter is valid when the
CustomKeyStoreType
isEXTERNAL_KEY_STORE
and theXksProxyConnectivity
isVPC_ENDPOINT_SERVICE
.To change this value, the external key store must be disconnected.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 64.
Pattern:
^com\.amazonaws\.vpce\.([a-z]+-){2,3}\d+\.vpce-svc-[0-9a-z]+$
Required: No
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- CloudHsmClusterInvalidConfigurationException
-
The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration requirements for an AWS CloudHSM key store.
-
The AWS CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.
-
The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the AWS CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.
-
The AWS CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS CloudHSM CreateHsm operation.
For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
For information about the requirements for an AWS CloudHSM cluster that is associated with an AWS CloudHSM key store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information about creating a private subnet for an AWS CloudHSM cluster, see Create a Private Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the AWS CloudHSM User Guide .
HTTP Status Code: 400
-
- CloudHsmClusterNotActiveException
-
The request was rejected because the AWS CloudHSM cluster associated with the AWS CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the AWS CloudHSM User Guide.
HTTP Status Code: 400
- CloudHsmClusterNotFoundException
-
The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.
HTTP Status Code: 400
- CloudHsmClusterNotRelatedException
-
The request was rejected because the specified AWS CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster for an AWS CloudHSM key store.
Specify an AWS CloudHSM cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.
AWS CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an AWS CloudHSM cluster, use the DescribeClusters operation.
HTTP Status Code: 400
- CustomKeyStoreInvalidStateException
-
The request was rejected because of the
ConnectionState
of the custom key store. To get theConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.This exception is thrown under the following conditions:
-
You requested the ConnectCustomKeyStore operation on a custom key store with a
ConnectionState
ofDISCONNECTING
orFAILED
. This operation is valid for all otherConnectionState
values. To reconnect a custom key store in aFAILED
state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore
). -
You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store
ConnectionState
isCONNECTED
. -
You requested the DisconnectCustomKeyStore operation on a custom key store with a
ConnectionState
ofDISCONNECTING
orDISCONNECTED
. This operation is valid for all otherConnectionState
values. -
You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store
ConnectionState
isDISCONNECTED
. -
You requested the GenerateRandom operation in an AWS CloudHSM key store that is not connected. This operation is valid only when the AWS CloudHSM key store
ConnectionState
isCONNECTED
.
HTTP Status Code: 400
-
- CustomKeyStoreNameInUseException
-
The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.
HTTP Status Code: 400
- CustomKeyStoreNotFoundException
-
The request was rejected because AWS KMS cannot find a custom key store with the specified key store name or ID.
HTTP Status Code: 400
- KMSInternalException
-
The request was rejected because an internal exception occurred. The request can be retried.
HTTP Status Code: 500
- XksProxyIncorrectAuthenticationCredentialException
-
The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from AWS KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy.
HTTP Status Code: 400
- XksProxyInvalidConfigurationException
-
The request was rejected because the external key store proxy is not configured correctly. To identify the cause, see the error message that accompanies the exception.
HTTP Status Code: 400
- XksProxyInvalidResponseException
-
AWS KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor.
HTTP Status Code: 400
- XksProxyUriEndpointInUseException
-
The request was rejected because the
XksProxyUriEndpoint
is already associated with another external key store in this AWS Region. To identify the cause, see the error message that accompanies the exception.HTTP Status Code: 400
- XksProxyUriInUseException
-
The request was rejected because the concatenation of the
XksProxyUriEndpoint
andXksProxyUriPath
is already associated with another external key store in this AWS Region. Each external key store in a Region must use a unique external key store proxy API address.HTTP Status Code: 400
- XksProxyUriUnreachableException
-
AWS KMS was unable to reach the specified
XksProxyUriPath
. The path must be reachable before you create the external key store or update its settings.This exception is also thrown when the external key store proxy response to a
GetHealthStatus
request indicates that all external key manager instances are unavailable.HTTP Status Code: 400
- XksProxyVpcEndpointServiceInUseException
-
The request was rejected because the specified Amazon VPC endpoint service is already associated with another external key store in this AWS Region. Each external key store in a Region must use a different Amazon VPC endpoint service.
HTTP Status Code: 400
- XksProxyVpcEndpointServiceInvalidConfigurationException
-
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store. To identify the cause, see the error message that accompanies the exception and review the requirements for Amazon VPC endpoint service connectivity for an external key store.
HTTP Status Code: 400
- XksProxyVpcEndpointServiceNotFoundException
-
The request was rejected because AWS KMS could not find the specified VPC endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint service name for the external key store. Also, confirm that the
Allow principals
list for the VPC endpoint service includes the AWS KMS service principal for the Region, such ascks.kms.us-east-1.amazonaws.com
.HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: