Key type reference
AWS KMS supports different features for different types of KMS keys. For example, you can only use symmetric encryption KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric encryption KMS keys, and you can create only symmetric encryption KMS keys in a custom key store.
In addition to the information in this table, KMS keys can be used in the following AWS KMS special features.
-
-
All API operations that support symmetric KMS keys also support multi-Region symmetric KMS keys. All API operations that support asymmetric KMS keys also support multi-Region asymmetric KMS keys.
-
You can't create multi-Region keys in a custom key store.
-
-
-
Only symmetric encryption KMS keys can have imported key material.
-
Asymmetric KMS keys, HMAC KMS keys, and KMS keys in custom key stores cannot have imported key material.
-
Multi-Region symmetric encryption keys can have imported key material.
-
Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for keys with imported key material.
-
-
-
Custom key stores support only symmetric KMS keys.
-
Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for keys in custom key stores.
-
You can't create multi-Region keys in custom key stores.
-
The following table lists the AWS KMS operations that you can use to create and manage KMS keys of each type. If you use the operation on a KMS key that doesn't not support it, the operation fails.
You might need to scroll horizontally or vertically to see all of the data in this table.
| AWS KMS API operation | Symmetric encryption KMS keys | HMAC KMS keys | Asymmetric KMS keys (ENCRYPT_DECRYPT) | Asymmetric KMS keys (SIGN_VERIFY) |
|---|---|---|---|---|
|
|
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- With imported key material (Origin = EXTERNAL)
- In a custom key store (Origin = AWS_CLOUDHSM)
- Create a multi-Region primary key |
|
|
|
|
|
|
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- Supported on multi-Region keys - Not supported on asymmetric KMS keys, HMAC KMS keys or KMS keys in custom key stores. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material. |
|
|
|
|
|
|
|
|
|
|
|
- Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| GenerateMac | |
|
|
|
|
|
|
|
|
|
|
|
( |
( |
( |
|
|
- Supported on multi-Region keys - Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material. |
|
|
|
|
|
|
|
|
|
|
|
- Supported on multi-Region keys - Not supported on asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- Valid only on multi-Region keys |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric) and they must have the same key usage. |
|
|
|
|
|
|
|
|
|
|
|
- Valid only on multi-Region keys |
|
|
|
|
|
|
|
|
|
|
| VerifyMac | |
|
|
|
[1] GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext
generate an asymmetric data key pair that is protected by a symmetric encryption KMS key.
