Key type reference

AWS KMS supports different features for different types of KMS keys. For example, you can only use symmetric encryption KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric encryption KMS keys, and you can create only symmetric encryption KMS keys in a custom key store.

This reference includes two tables.

The Key type table lists the AWS KMS operations that are valid for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys.
The Special features table lists the AWS KMS operations that are valid for multi-Region KMS keys, KMS keys with imported key material, and KMS keys in custom key stores.

Key type table

You might need to scroll horizontally or vertically to see all of the data in this table.

AWS KMS API operation	Symmetric encryption KMS keys	HMAC KMS keys	Asymmetric KMS keys (ENCRYPT_DECRYPT)	Asymmetric KMS keys (SIGN_VERIFY)	Asymmetric KMS keys (KEY_AGREEMENT)
CancelKeyDeletion	Yes	Yes	Yes	Yes	Yes
CreateAlias	Yes	Yes	Yes	Yes	Yes
CreateGrant	Yes	Yes	Yes	Yes	Yes
CreateKey	Yes	Yes	Yes	Yes	Yes
Decrypt	Yes	No	Yes	No	No
DeleteAlias	Yes	Yes	Yes	Yes	Yes
DeleteImportedKeyMaterial Valid only on KMS keys with imported key material (`Origin` is `EXTERNAL`).	Yes	Yes	Yes	Yes	Yes
DeriveSharedSecret	No	No	No	No	Yes
DescribeKey	Yes	Yes	Yes	Yes	Yes
DisableKey	Yes	Yes	Yes	Yes	Yes
DisableKeyRotation	Yes Valid only on KMS keys with AWS KMS key material (`Origin` is `AWS_KMS`).	No	No	No	No
EnableKey	Yes	Yes	Yes	Yes	Yes
EnableKeyRotation	Yes Valid only on KMS keys with AWS KMS key material (`Origin` is `AWS_KMS`).	No	No	No	No
Encrypt	Yes	No	Yes	No	No
GenerateDataKey	Yes	No	No	No	No
GenerateDataKeyPair Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key.	Yes Not valid on KMS keys in custom key stores.	No	No	No	No
GenerateDataKeyPairWithoutPlaintext Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key.	Yes Not valid on KMS keys in custom key stores.	No	No	No	No
GenerateDataKeyWithoutPlaintext	Yes	No	No	No	No
GenerateMac	No	Yes	No	No	No
GetKeyPolicy	Yes	Yes	Yes	Yes	Yes
GetKeyRotationStatus	Yes	Yes (`KeyRotationEnabled` will always be `false`.)	Yes (`KeyRotationEnabled` will always be `false`.)	Yes (`KeyRotationEnabled` will always be `false`.)	Yes (`KeyRotationEnabled` will always be `false`.)
GetParametersForImport Valid only on KMS keys with imported key material (`Origin` is `EXTERNAL`).	Yes	Yes	Yes	Yes	Yes
GetPublicKey	No	No	Yes	Yes	Yes
ImportKeyMaterial Valid only on KMS keys with imported key material (`Origin` is `EXTERNAL`).	Yes	Yes	Yes	Yes	Yes
ListAliases	Yes	Yes	Yes	Yes	Yes
ListGrants	Yes	Yes	Yes	Yes	Yes
ListKeyPolicies	Yes	Yes	Yes	Yes	Yes
ListKeyRotations	Yes	Yes (The `Rotations` field will always be null or empty.)	Yes (The `Rotations` field will always be null or empty.)	Yes (The `Rotations` field will always be null or empty.)	Yes (The `Rotations` field will always be null or empty.)
ListResourceTags	Yes	Yes	Yes	Yes	Yes
ListRetirableGrants	Yes	Yes	Yes	Yes	Yes
PutKeyPolicy	Yes	Yes	Yes	Yes	Yes
ReEncrypt	Yes	No	Yes	No	No
ReplicateKey - Valid only on multi-Region keys	Yes	Yes	Yes	Yes	Yes
RetireGrant	Yes	Yes	Yes	Yes	Yes
RevokeGrant	Yes	Yes	Yes	Yes	Yes
RotateKeyOnDemand	Yes Valid only on customer-managed, symmetric encryption KMS keys with `AWS_KMS` or `EXTERNAL` origin.	No	No	No	No
ScheduleKeyDeletion	Yes	Yes	Yes	Yes	Yes
Sign	No	No	No	Yes	No
TagResource	Yes	Yes	Yes	Yes	Yes
UntagResource	Yes	Yes	Yes	Yes	Yes
UpdateAlias The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric or both HMAC) and they must have the same key usage.	Yes	Yes	Yes	Yes	Yes
UpdateKeyDescription	Yes	Yes	Yes	Yes	Yes
UpdateReplicaRegion - Valid only on multi-Region keys	Yes	Yes	Yes	Yes	Yes
Verify	No	No	No	Yes	No
VerifyMac	No	Yes	No	No	No

Special features table

This table shows the AWS KMS API operations that are supported on each type of special-purpose key.

While reading this table, be aware of the following interactions:

Multi-Region keys:
- Multi-Region keys can be symmetric encryption KMS keys, asymmetric KMS keys, HMAC KMS keys, and KMS keys with imported key material.
- You cannot create multi-Region keys in a custom key store.
Imported key material
- You can import key material for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys.
- You can create multi-Region keys with imported key material.
- You cannot create keys with imported key material in a custom key store.
- Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported for KMS keys with imported key material.
- On-demand key rotation (RotateKeyOnDemand) is supported for single-Region, symmetric encryption KMS keys with imported key material.
Custom key stores
- Custom key stores support only symmetric encryption KMS keys.
- Symmetric operations on asymmetric key pairs (GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext) are not supported on KMS keys in custom key stores.
- Automatic key rotation (EnableKeyRotation, DisableKeyRotation) is not supported on KMS keys in custom key stores.
- You cannot create multi-Region keys in custom key stores.

You might need to scroll horizontally or vertically to see all of the data in this table.

AWS KMS API operation	Multi-Region keys	Imported key material
CancelKeyDeletion
CreateAlias
CreateGrant
CreateKey You can use `CreateKey` to create a multi-Region primary key, a KMS key with imported key material, or a KMS key in a custom key store. To create a multi-Region replica key, use `ReplicateKey`.
Decrypt	Valid only when `KeyUsage` is `ENCRYPT_DECRYPT`
DeleteAlias
DeleteImportedKeyMaterial	Valid only for keys with imported key material (`Origin` is `EXTERNAL`)
DeriveSharedSecret	Valid only when `KeyUsage` is `KEY_AGREEMENT`)	Valid only when `KeyUsage` is `KEY_AGREEMENT`)
DescribeKey
DisableKey
DisableKeyRotation	Valid only on symmetric encryption keys with AWS KMS key material (`Origin` is `AWS_KMS`).
EnableKey	Valid only on symmetric encryption KMS keys
EnableKeyRotation	Valid only on symmetric encryption keys with AWS KMS key material (`Origin` is `AWS_KMS`).
Encrypt	Valid only when `KeyUsage` is `ENCRYPT_DECRYPT`
GenerateDataKey	Valid only on symmetric encryption KMS keys
GenerateDataKeyPair	Valid only on symmetric encryption KMS keys
GenerateDataKeyPairWithoutPlaintext	Valid only on symmetric encryption KMS keys
GenerateDataKeyWithoutPlaintext	Valid only on symmetric encryption KMS keys
GenerateMac Valid only on HMAC KMS keys
GetKeyPolicy
GetKeyRotationStatus		(`KeyRotationEnabled` will always be `false`.)
GetParametersForImport	Valid only for keys with imported key material (`Origin` is `EXTERNAL`).
GetPublicKey Valid only for asymmetric KMS keys.
ImportKeyMaterial	Valid only for keys with imported key material (`Origin` is `EXTERNAL`).
ListAliases
ListGrants
ListKeyPolicies
ListKeyRotations	Valid only on symmetric encryption keys with `AWS_KMS` origin.	Valid only on single-Region symmetric encryption keys.
ListResourceTags
ListRetirableGrants
PutKeyPolicy
ReEncrypt	Valid only when `KeyUsage` is `ENCRYPT_DECRYPT`
ReplicateKey	Valid only on multi-Region primary keys.	Valid only on multi-Region primary keys.
RetireGrant
RevokeGrant
RotateKeyOnDemand	Valid only on symmetric encryption keys with `AWS_KMS` origin.	Valid only on single-Region symmetric encryption keys.
ScheduleKeyDeletion
Sign Valid only on when `KeyUsage` is `SIGN_VERIFY`.
TagResource
UntagResource
UpdateAlias - The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric or both HMAC) and they must have the same key usage.
UpdateKeyDescription
UpdateReplicaRegion		Valid only on multi-Region keys.
Verify Valid only when `KeyUsage` is `SIGN_VERIFY`.
VerifyMac Valid only on HMAC KMS keys

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Key state reference

Key spec reference