Key type reference

AWS KMS supports different features for different types of KMS keys. For example, you can only use symmetric encryption KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric encryption KMS keys, and you can create only symmetric encryption KMS keys in a custom key store.

This reference includes two tables.

• The Key type table lists the AWS KMS operations that are valid for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys.

• The Special features table lists the AWS KMS operations that are valid for multi-Region KMS keys, KMS keys with imported key material, and KMS keys in custom key stores.

Key type table

You might need to scroll horizontally or vertically to see all of the data in this table.

AWS KMS API operation	Symmetric encryption KMS keys	HMAC KMS keys	Asymmetric KMS keys (ENCRYPT_DECRYPT)	Asymmetric KMS keys (SIGN_VERIFY)
CancelKeyDeletion
CreateAlias
CreateGrant
CreateKey
Decrypt
DeleteAlias
DeleteImportedKeyMaterial	Valid only on KMS keys with imported key material (Origin is EXTERNAL).
DescribeKey
DisableKey
DisableKeyRotation	Valid only on KMS keys with AWS KMS key material (Origin is AWS_KMS).
EnableKey
EnableKeyRotation	Valid only on KMS keys with AWS KMS key material (Origin is AWS_KMS).
Encrypt
GenerateDataKey
GenerateDataKeyPair Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key.	Not valid on KMS keys in custom key stores.
GenerateDataKeyPairWithoutPlaintext Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key.	Not valid on KMS keys in custom key stores.
GenerateDataKeyWithoutPlaintext
GenerateMac
GetKeyPolicy
GetKeyRotationStatus		(KeyRotationEnabled will always be false.)	(KeyRotationEnabled will always be false.)	(KeyRotationEnabled will always be false.)
GetParametersForImport	Valid only on KMS keys with imported key material (Origin is EXTERNAL).
GetPublicKey
ImportKeyMaterial	Valid only on KMS keys with imported key material (Origin is EXTERNAL).
ListAliases
ListGrants
ListKeyPolicies
ListResourceTags
ListRetirableGrants
PutKeyPolicy
ReEncrypt
ReplicateKey - Valid only on multi-Region keys
RetireGrant
RevokeGrant
ScheduleKeyDeletion
Sign
TagResource
UntagResource
UpdateAlias The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric or both HMAC) and they must have the same key usage.
UpdateKeyDescription
UpdateReplicaRegion - Valid only on multi-Region keys
Verify
VerifyMac

Special features table

This table shows the AWS KMS API operations that are supported on each type of special-purpose key.

While reading this table, be aware of the following interactions:

• Multi-Region keys:

  • Multi-Region keys can be symmetric encryption KMS keys, asymmetric KMS keys, HMAC KMS keys, and KMS keys with imported key material.

  • You cannot create multi-Region keys in a custom key store.

• Imported key material

  • Only symmetric encryption KMS keys can have imported key material.

  • You can create multi-Region keys with imported key material.

  • You cannot create keys with imported key material in a custom key store.

  • Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for KMS keys with imported key material.

• Custom key stores

  • Custom key stores support only symmetric encryption KMS keys.

  • Symmetric operations on asymmetric key pairs (GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext) are not supported on KMS keys in custom key stores.

  • Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported on KMS keys in custom key stores.

  • You cannot create multi-Region keys in custom key stores.

You might need to scroll horizontally or vertically to see all of the data in this table.

AWS KMS API operation	Multi-Region keys	Imported key material	KMS keys in a custom key store
CancelKeyDeletion
CreateAlias
CreateGrant
CreateKey You can use CreateKey to create a multi-Region primary key, a KMS key with imported key material, or a KMS key in a custom key store. To create a multi-Region replica key, use ReplicateKey.
Decrypt	Valid only when KeyUsage is ENCRYPT_DECRYPT
DeleteAlias
DeleteImportedKeyMaterial	Valid only for keys with imported key material (Origin is EXTERNAL)
DescribeKey
DisableKey
DisableKeyRotation	Valid only on symmetric encryption keys with AWS KMS key material (Origin is AWS_KMS).
EnableKey	Valid only on symmetric encryption KMS keys
EnableKeyRotation	Valid only on symmetric encryption keys with AWS KMS key material (Origin is AWS_KMS).
Encrypt	Valid only when KeyUsage is ENCRYPT_DECRYPT
GenerateDataKey	Valid only on symmetric encryption KMS keys
GenerateDataKeyPair	Valid only on symmetric encryption KMS keys
GenerateDataKeyPairWithoutPlaintext	Valid only on symmetric encryption KMS keys
GenerateDataKeyWithoutPlaintext	Valid only on symmetric encryption KMS keys
GenerateMac	Valid only on HMAC KMS keys
GetKeyPolicy
GetKeyRotationStatus		(KeyRotationEnabled will always be false.)
GetParametersForImport	Valid only for keys with imported key material (Origin is EXTERNAL).
GetPublicKey	Valid only for asymmetric KMS keys.
ImportKeyMaterial	Valid only for keys with imported key material (Origin is EXTERNAL).
ListAliases
ListGrants
ListKeyPolicies
ListResourceTags
ListRetirableGrants
PutKeyPolicy
ReEncrypt	Valid only when KeyUsage is ENCRYPT_DECRYPT
ReplicateKey	Valid only on multi-Region primary keys.	Valid only on multi-Region primary keys.
RetireGrant
RevokeGrant
ScheduleKeyDeletion
Sign	Valid only on when KeyUsage is SIGN_VERIFY.
TagResource
UntagResource
UpdateAlias - The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric or both HMAC) and they must have the same key usage.
UpdateKeyDescription
UpdateReplicaRegion		Valid only on multi-Region keys.
Verify	Valid only when KeyUsage is SIGN_VERIFY.
VerifyMac	- Valid only on HMAC KMS keys