Key type reference - AWS Key Management Service

Key type reference

AWS KMS supports different features for different types of KMS keys. For example, you can only use symmetric encryption KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric encryption KMS keys, and you can create only symmetric encryption KMS keys in a custom key store.

In addition to the information in the table below, KMS keys can be used in the following AWS KMS special features.

  • Multi-Region keys:

    • All API operations that support symmetric KMS keys also support multi-Region symmetric KMS keys. All API operations that support asymmetric KMS keys also support multi-Region asymmetric KMS keys.

    • You can't create multi-Region keys in a custom key store.

  • Imported key material

    • Only symmetric encryption KMS keys can have imported key material.

    • Asymmetric KMS keys, HMAC KMS keys, and KMS keys in custom key stores cannot have imported key material.

    • Multi-Region symmetric encryption keys can have imported key material.

    • Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for keys with imported key material.

  • Custom key stores

    • Custom key stores support only symmetric KMS keys.

    • Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for keys in custom key stores.

    • You can't create multi-Region keys in custom key stores.

The following table lists the AWS KMS operations that you can use to create and manage KMS keys of each type. If you use an operation on a KMS key that doesn't support it, the operation fails.


AWS KMS API operation Symmetric encryption KMS keys HMAC KMS keys Asymmetric KMS keys (ENCRYPT_DECRYPT) Asymmetric KMS keys (SIGN_VERIFY)

CancelKeyDeletion

CreateAlias

CreateGrant

CreateKey
    - With imported key material (Origin = EXTERNAL)
    - In a custom key store (Origin = AWS_CLOUDHSM)
    - Create a multi-Region primary key

Decrypt

DeleteAlias

DeleteImportedKeyMaterial
    - Supported on multi-Region keys
    - Not supported on asymmetric KMS keys, HMAC KMS keys, or KMS keys in custom key stores.

DescribeKey

DisableKey

DisableKeyRotation
    - Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material.

EnableKey

EnableKeyRotation
    - Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material.

Encrypt

GenerateDataKey

GenerateDataKeyPair [1]

GenerateDataKeyPairWithoutPlaintext [1]

GenerateDataKeyWithoutPlaintext

GenerateMac

GetKeyPolicy

GetKeyRotationStatus
    - For HMAC KMS keys and asymmetric KMS keys (ENCRYPT_DECRYPT and SIGN_VERIFY), KeyRotationEnabled will always be false.

GetParametersForImport
    - Supported on multi-Region keys
    - Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material.

GetPublicKey

ImportKeyMaterial
    - Supported on multi-Region keys
    - Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material.

ListAliases

ListGrants

ListKeyPolicies

ListResourceTags

ListRetirableGrants

PutKeyPolicy

ReEncrypt

ReplicateKey
    - Valid only on multi-Region keys

RetireGrant

RevokeGrant

ScheduleKeyDeletion

Sign

TagResource

UntagResource

UpdateAlias
    - The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric) and they must have the same key usage.

UpdateKeyDescription

UpdateReplicaRegion
    - Valid only on multi-Region keys

Verify

VerifyMac

[1] GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric encryption KMS key.
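The key-type rules above (which key types allow imported material, custom key stores, data keys and automatic rotation, and why GetKeyRotationStatus reports false for some types) can be turned into an audit check that only flags keys whose type actually supports rotation. This is an added example, not AWS documentation code; SAMPLE_KEYS, the _k helper and the "cks-placeholder" value are constructed to mimic boto3 DescribeKey and GetKeyRotationStatus output.

```python
"""Classify an AWS KMS key from its DescribeKey metadata and derive which
key-type-dependent operations the rules on this page allow.  Added example,
not AWS documentation code; SAMPLE_KEYS is constructed to mimic boto3
kms.describe_key()["KeyMetadata"] with the KeyRotationEnabled flag from
kms.get_key_rotation_status() merged in."""

def key_features(md: dict) -> dict:
    """Map KeyMetadata fields to the features the key type reference allows."""
    usage = md["KeyUsage"]                # ENCRYPT_DECRYPT | SIGN_VERIFY | GENERATE_VERIFY_MAC
    spec = md.get("KeySpec", "SYMMETRIC_DEFAULT")
    origin = md.get("Origin", "AWS_KMS")  # AWS_KMS | EXTERNAL | AWS_CLOUDHSM
    symmetric = spec == "SYMMETRIC_DEFAULT" and usage == "ENCRYPT_DECRYPT"
    hmac = usage == "GENERATE_VERIFY_MAC"
    imported = origin == "EXTERNAL"
    in_custom_store = origin == "AWS_CLOUDHSM" or "CustomKeyStoreId" in md
    multi_region = bool(md.get("MultiRegion", False))
    if multi_region and in_custom_store:  # combination the page rules out
        raise ValueError(f"{md['KeyId']}: multi-Region keys can't be in a custom key store")
    return {
        "symmetric_encryption": symmetric,
        "asymmetric": not (symmetric or hmac),
        "data_keys": symmetric,           # GenerateDataKey* and GenerateDataKeyPair*
        "sign_verify": usage == "SIGN_VERIFY",
        "mac": hmac,                      # GenerateMac / VerifyMac
        "imported_material": imported,
        "replicate": multi_region,        # ReplicateKey / UpdateReplicaRegion
        # EnableKeyRotation: symmetric, AWS_KMS origin, not in a custom key store
        "automatic_rotation": symmetric and not imported and not in_custom_store,
    }

def rotation_findings(keys: list) -> list:
    """KeyIds whose type supports automatic rotation but have it disabled.
    Types that cannot rotate are skipped: GetKeyRotationStatus reports false for them regardless."""
    return [k["KeyId"] for k in keys
            if key_features(k)["automatic_rotation"] and not k.get("KeyRotationEnabled")]

def _k(kid, spec, usage, origin="AWS_KMS", rotating=False, **extra):
    return {"KeyId": kid, "KeySpec": spec, "KeyUsage": usage, "Origin": origin,
            "KeyRotationEnabled": rotating, **extra}

SAMPLE_KEYS = [  # constructed records covering each key type on this page
    _k("sym-rotating", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", rotating=True),
    _k("sym-stale", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT"),
    _k("sym-imported", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", origin="EXTERNAL"),
    _k("sym-cloudhsm", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", origin="AWS_CLOUDHSM",
       CustomKeyStoreId="cks-placeholder"),
    _k("hmac-key", "HMAC_256", "GENERATE_VERIFY_MAC"),
    _k("rsa-signing", "RSA_2048", "SIGN_VERIFY"),
]
```

Running rotation_findings(SAMPLE_KEYS) returns only ['sym-stale']: the imported, CloudHSM, HMAC and RSA keys also report KeyRotationEnabled false, but their type cannot rotate, so they are not findings.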