Key type reference - AWS Key Management Service

Key type reference

AWS KMS supports different features for different types of KMS keys. For example, you can only use symmetric encryption KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric encryption KMS keys, and you can create only symmetric encryption KMS keys in a custom key store.

This reference includes two tables.

  • The Key type table lists the AWS KMS operations that are valid for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys.

  • The Special features table lists the AWS KMS operations that are valid for multi-Region KMS keys, KMS keys with imported key material, and KMS keys in custom key stores.

Key type table

Yes means the operation is valid on that kind of KMS key; No means it is not. Bracketed numbers refer to the notes that follow the table.

AWS KMS API operation                Symmetric   HMAC     Asymmetric          Asymmetric
                                     encryption           (ENCRYPT_DECRYPT)   (SIGN_VERIFY)
CancelKeyDeletion                    Yes         Yes      Yes                 Yes
CreateAlias                          Yes         Yes      Yes                 Yes
CreateGrant                          Yes         Yes      Yes                 Yes
CreateKey                            Yes         Yes      Yes                 Yes
Decrypt                              Yes         No       Yes                 No
DeleteAlias                          Yes         Yes      Yes                 Yes
DeleteImportedKeyMaterial            Yes [1]     No       No                  No
DescribeKey                          Yes         Yes      Yes                 Yes
DisableKey                           Yes         Yes      Yes                 Yes
DisableKeyRotation                   Yes [2]     No       No                  No
EnableKey                            Yes         Yes      Yes                 Yes
EnableKeyRotation                    Yes [2]     No       No                  No
Encrypt                              Yes         No       Yes                 No
GenerateDataKey                      Yes         No       No                  No
GenerateDataKeyPair                  Yes [3]     No       No                  No
GenerateDataKeyPairWithoutPlaintext  Yes [3]     No       No                  No
GenerateDataKeyWithoutPlaintext      Yes         No       No                  No
GenerateMac                          No          Yes      No                  No
GetKeyPolicy                         Yes         Yes      Yes                 Yes
GetKeyRotationStatus                 Yes         Yes [4]  Yes [4]             Yes [4]
GetParametersForImport               Yes [1]     No       No                  No
GetPublicKey                         No          No       Yes                 Yes
ImportKeyMaterial                    Yes [1]     No       No                  No
ListAliases                          Yes         Yes      Yes                 Yes
ListGrants                           Yes         Yes      Yes                 Yes
ListKeyPolicies                      Yes         Yes      Yes                 Yes
ListResourceTags                     Yes         Yes      Yes                 Yes
ListRetirableGrants                  Yes         Yes      Yes                 Yes
PutKeyPolicy                         Yes         Yes      Yes                 Yes
ReEncrypt                            Yes         No       Yes                 No
ReplicateKey                         Yes [5]     Yes [5]  Yes [5]             Yes [5]
RetireGrant                          Yes         Yes      Yes                 Yes
RevokeGrant                          Yes         Yes      Yes                 Yes
ScheduleKeyDeletion                  Yes         Yes      Yes                 Yes
Sign                                 No          No       No                  Yes
TagResource                          Yes         Yes      Yes                 Yes
UntagResource                        Yes         Yes      Yes                 Yes
UpdateAlias                          Yes [6]     Yes [6]  Yes [6]             Yes [6]
UpdateKeyDescription                 Yes         Yes      Yes                 Yes
UpdatePrimaryRegion                  Yes [7]     Yes [7]  Yes [7]             Yes [7]
Verify                               No          No       No                  Yes
VerifyMac                            No          Yes      No                  No

Notes:

[1] Valid only on KMS keys with imported key material (Origin is EXTERNAL). Only symmetric encryption KMS keys can have imported key material.

[2] Valid only on KMS keys with AWS KMS key material (Origin is AWS_KMS). Automatic key rotation is not supported for KMS keys with imported key material or for KMS keys in custom key stores.

[3] Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. Not valid on KMS keys in custom key stores.

[4] The call succeeds, but KeyRotationEnabled will always be false, because automatic key rotation is supported only for symmetric encryption KMS keys.

[5] Valid only on multi-Region primary keys.

[6] The current KMS key and the new KMS key must be the same type (both symmetric encryption, both asymmetric, or both HMAC) and must have the same key usage.

[7] Valid only on multi-Region keys.

Special features table

This table shows the AWS KMS API operations that are supported on each type of special-purpose key.

While reading this table, be aware of the following interactions:

  • Multi-Region keys:

    • Multi-Region keys can be symmetric encryption KMS keys, asymmetric KMS keys, HMAC KMS keys, or KMS keys with imported key material.

    • You cannot create multi-Region keys in a custom key store.

  • Imported key material:

    • Only symmetric encryption KMS keys can have imported key material.

    • You can create multi-Region keys with imported key material.

    • You cannot create KMS keys with imported key material in a custom key store.

    • Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for KMS keys with imported key material.

  • Custom key stores:

    • Custom key stores support only symmetric encryption KMS keys.

    • Generating asymmetric data key pairs (GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext) is not supported on KMS keys in custom key stores.

    • Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported on KMS keys in custom key stores.

    • You cannot create multi-Region keys in custom key stores.

Yes means the operation is valid on that kind of KMS key; No means it is not. Bracketed numbers refer to the notes that follow the table.

AWS KMS API operation                Multi-Region keys   Imported key material   KMS keys in a custom key store
CancelKeyDeletion                    Yes                 Yes                     Yes
CreateAlias                          Yes                 Yes                     Yes
CreateGrant                          Yes                 Yes                     Yes
CreateKey                            Yes [1]             Yes [1]                 Yes [1]
Decrypt                              Yes [2]             Yes                     Yes
DeleteAlias                          Yes                 Yes                     Yes
DeleteImportedKeyMaterial            Yes [3]             Yes                     No
DescribeKey                          Yes                 Yes                     Yes
DisableKey                           Yes                 Yes                     Yes
DisableKeyRotation                   Yes [4]             No                      No
EnableKey                            Yes                 Yes                     Yes
EnableKeyRotation                    Yes [4]             No                      No
Encrypt                              Yes [2]             Yes                     Yes
GenerateDataKey                      Yes [5]             Yes                     Yes
GenerateDataKeyPair                  Yes [5]             Yes                     No
GenerateDataKeyPairWithoutPlaintext  Yes [5]             Yes                     No
GenerateDataKeyWithoutPlaintext      Yes [5]             Yes                     Yes
GenerateMac                          Yes [6]             No                      No
GetKeyPolicy                         Yes                 Yes                     Yes
GetKeyRotationStatus                 Yes                 Yes [7]                 Yes [7]
GetParametersForImport               Yes [3]             Yes                     No
GetPublicKey                         Yes [8]             No                      No
ImportKeyMaterial                    Yes [3]             Yes                     No
ListAliases                          Yes                 Yes                     Yes
ListGrants                           Yes                 Yes                     Yes
ListKeyPolicies                      Yes                 Yes                     Yes
ListResourceTags                     Yes                 Yes                     Yes
ListRetirableGrants                  Yes                 Yes                     Yes
PutKeyPolicy                         Yes                 Yes                     Yes
ReEncrypt                            Yes [2]             Yes                     Yes
ReplicateKey                         Yes [9]             Yes [9]                 No
RetireGrant                          Yes                 Yes                     Yes
RevokeGrant                          Yes                 Yes                     Yes
ScheduleKeyDeletion                  Yes                 Yes                     Yes
Sign                                 Yes [10]            No                      No
TagResource                          Yes                 Yes                     Yes
UntagResource                        Yes                 Yes                     Yes
UpdateAlias                          Yes [11]            Yes [11]                Yes [11]
UpdateKeyDescription                 Yes                 Yes                     Yes
UpdatePrimaryRegion                  Yes                 Yes [12]                No
Verify                               Yes [10]            No                      No
VerifyMac                            Yes [6]             No                      No

Notes:

[1] You can use CreateKey to create a multi-Region primary key, a KMS key with imported key material, or a KMS key in a custom key store. To create a multi-Region replica key, use ReplicateKey.

[2] Valid only when KeyUsage is ENCRYPT_DECRYPT.

[3] Valid only for multi-Region keys with imported key material (Origin is EXTERNAL).

[4] Valid only on symmetric encryption keys with AWS KMS key material (Origin is AWS_KMS).

[5] Valid only on symmetric encryption KMS keys.

[6] Valid only on HMAC KMS keys.

[7] The call succeeds, but KeyRotationEnabled will always be false, because automatic key rotation is not supported for KMS keys with imported key material or for KMS keys in custom key stores.

[8] Valid only on asymmetric KMS keys.

[9] Valid only on multi-Region primary keys.

[10] Valid only when KeyUsage is SIGN_VERIFY.

[11] The current KMS key and the new KMS key must be the same type (both symmetric encryption, both asymmetric, or both HMAC) and must have the same key usage.

[12] Valid only on multi-Region keys.
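The two tables above describe a decision that is easy to get wrong when writing key policies, grants and pre-flight checks: which operations a key can actually perform depends on its key type, key usage, origin, multi-Region role and key store all at once. The following Python helper is an example added here; it is not part of the AWS documentation or of any AWS SDK. It derives the valid operation set from a dict shaped like the KeyMetadata that kms:DescribeKey returns, using only the rules in the tables, and then flags actions in a policy statement that the key could never exercise. The function names, the ALL_OPS constant and the SAMPLE_KEYS entries (including the cks-example key store ID) are constructed for this example.

```python
"""Which AWS KMS API operations can a given KMS key perform?

Added helper for this page, not AWS code.  Input is a dict shaped like the
KeyMetadata that kms:DescribeKey returns (KeySpec, KeyUsage, Origin,
MultiRegion, MultiRegionConfiguration, CustomKeyStoreId).
"""
import fnmatch

# Valid on every KMS key regardless of type, origin or key store.
COMMON_OPS = frozenset({
    "CancelKeyDeletion", "CreateAlias", "CreateGrant", "DeleteAlias",
    "DescribeKey", "DisableKey", "EnableKey", "GetKeyPolicy",
    "GetKeyRotationStatus", "ListAliases", "ListGrants", "ListKeyPolicies",
    "ListResourceTags", "ListRetirableGrants", "PutKeyPolicy", "RetireGrant",
    "RevokeGrant", "ScheduleKeyDeletion", "TagResource", "UntagResource",
    "UpdateAlias", "UpdateKeyDescription",
})
# Valid only for some combination of key type, usage, origin or key store.
CONDITIONAL_OPS = frozenset({
    "Encrypt", "Decrypt", "ReEncrypt", "Sign", "Verify", "GenerateMac",
    "VerifyMac", "GetPublicKey", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "EnableKeyRotation",
    "DisableKeyRotation", "GetParametersForImport", "ImportKeyMaterial",
    "DeleteImportedKeyMaterial", "ReplicateKey", "UpdatePrimaryRegion",
})
ALL_OPS = COMMON_OPS | CONDITIONAL_OPS

def key_class(meta):
    """'symmetric', 'hmac' or 'asymmetric', derived from KeySpec."""
    spec = meta.get("KeySpec", "SYMMETRIC_DEFAULT")
    if spec == "SYMMETRIC_DEFAULT":
        return "symmetric"
    if spec.startswith("HMAC_"):
        return "hmac"
    return "asymmetric"  # RSA_*, ECC_*, SM2

def valid_operations(meta):
    """Set of KMS API operations this key supports, per the key type tables."""
    ops = set(COMMON_OPS)
    cls = key_class(meta)
    usage = meta.get("KeyUsage", "ENCRYPT_DECRYPT")
    origin = meta.get("Origin", "AWS_KMS")
    in_custom_store = bool(meta.get("CustomKeyStoreId"))
    if usage == "ENCRYPT_DECRYPT":       # KeyUsage selects the crypto operations
        ops |= {"Encrypt", "Decrypt", "ReEncrypt"}
    elif usage == "SIGN_VERIFY":
        ops |= {"Sign", "Verify"}
    elif usage == "GENERATE_VERIFY_MAC":
        ops |= {"GenerateMac", "VerifyMac"}
    if cls == "asymmetric":
        ops.add("GetPublicKey")
    if cls == "symmetric":
        # Data keys and data key pairs are always protected by a symmetric key.
        ops |= {"GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}
        if not in_custom_store:  # pair generation is not offered in custom key stores
            ops |= {"GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"}
        # Automatic rotation needs AWS KMS-generated material; EXTERNAL,
        # AWS_CLOUDHSM and EXTERNAL_KEY_STORE origins never qualify.
        if origin == "AWS_KMS":
            ops |= {"EnableKeyRotation", "DisableKeyRotation"}
    if origin == "EXTERNAL":
        ops |= {"GetParametersForImport", "ImportKeyMaterial",
                "DeleteImportedKeyMaterial"}
    if meta.get("MultiRegion"):
        ops.add("UpdatePrimaryRegion")
        mr_type = meta.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType")
        if mr_type == "PRIMARY":  # only the primary key can be replicated
            ops.add("ReplicateKey")
    return ops

def unusable_policy_actions(meta, actions):
    """Actions in a key-policy/IAM statement that match only operations this
    key can never perform (dead grants).  kms:GenerateDataKey* style wildcards
    are expanded against ALL_OPS; anything matching a valid op is kept."""
    allowed = valid_operations(meta)
    dead = []
    for action in actions:
        name = action.split(":", 1)[1] if ":" in action else action
        matched = {op for op in ALL_OPS if fnmatch.fnmatchcase(op, name)}
        if matched and not matched & allowed:
            dead.append(action)
    return dead

def sample_meta(spec, usage, origin="AWS_KMS", **extra):
    """Constructed KeyMetadata-shaped sample (not a real key)."""
    return {"KeySpec": spec, "KeyUsage": usage, "Origin": origin,
            "MultiRegion": False, **extra}

SAMPLE_KEYS = {  # one constructed key per column of the two tables
    "symmetric": sample_meta("SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT"),
    "hmac": sample_meta("HMAC_256", "GENERATE_VERIFY_MAC"),
    "rsa_sign": sample_meta("RSA_2048", "SIGN_VERIFY"),
    "imported_primary": sample_meta(
        "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", "EXTERNAL", MultiRegion=True,
        MultiRegionConfiguration={"MultiRegionKeyType": "PRIMARY"}),
    "cloudhsm": sample_meta("SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT",
                            "AWS_CLOUDHSM", CustomKeyStoreId="cks-example"),
}
```

To run this against real keys, pass the KeyMetadata dict returned by the SDK's DescribeKey call (in boto3, `describe_key(KeyId=...)["KeyMetadata"]`) as `meta`; the sample dicts mirror that shape. A statement that grants kms:Sign on a symmetric encryption key, or kms:GenerateDataKey* on an HMAC key, does not widen what the key can do today, but it hides the key's real purpose from anyone reviewing the policy and is worth removing to keep the grant at least privilege.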