Name | Description | |
---|---|---|
AliasListEntry | Contains information about an alias. |
AlreadyExistsException | KeyManagementService exception |
CancelKeyDeletionRequest |
Container for the parameters to the CancelKeyDeletion operation.
Cancels the deletion of a customer master key (CMK). When this operation is successful,
the CMK is set to the Disabled state. To enable a CMK, use EnableKey.
For more information about scheduling and canceling deletion of a CMK, go to Deleting Customer Master Keys in the AWS Key Management Service Developer Guide. |
CancelKeyDeletionResponse | Configuration for accessing Amazon CancelKeyDeletion service |
CancelKeyDeletionResult | |
CreateAliasRequest |
Container for the parameters to the CreateAlias operation.
Creates a display name for a customer master key. An alias can be used to identify
a key and should be unique. The console enforces a one-to-one mapping between the
alias and a key. An alias name can contain only alphanumeric characters, forward slashes
(/), underscores (_), and dashes (-). An alias must start with the word "alias" followed
by a forward slash (alias/). An alias that begins with "aws" after the forward slash
(alias/aws...) is reserved by Amazon Web Services (AWS).
The alias and the key it is mapped to must be in the same AWS account and the same region. To map an alias to a different key, call UpdateAlias. |
CreateAliasResponse | |
CreateGrantRequest |
Container for the parameters to the CreateGrant operation.
Adds a grant to a key to specify who can use the key and under what conditions. Grants
are alternate permission mechanisms to key policies.
For more information about grants, see Grants in the AWS Key Management Service Developer Guide. |
CreateGrantResponse | Configuration for accessing Amazon CreateGrant service |
CreateGrantResult | |
CreateKeyRequest | Container for the parameters to the CreateKey operation. Creates a customer master key. Customer master keys can be used to encrypt small amounts of data (less than 4K) directly, but they are most commonly used to encrypt or envelope data keys that are then used to encrypt customer data. For more information about data keys, see GenerateDataKey and GenerateDataKeyWithoutPlaintext. |
CreateKeyResponse | Configuration for accessing Amazon CreateKey service |
CreateKeyResult | |
DecryptRequest |
Container for the parameters to the Decrypt operation.
Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted by
using any of the following functions:
Note that if a caller has been granted access permissions to all keys (through, for
example, IAM user policies that grant |
DecryptResponse | Configuration for accessing Amazon Decrypt service |
DecryptResult | |
DeleteAliasRequest | Container for the parameters to the DeleteAlias operation. Deletes the specified alias. To map an alias to a different key, call UpdateAlias. |
DeleteAliasResponse | |
DependencyTimeoutException | KeyManagementService exception |
DescribeKeyRequest | Container for the parameters to the DescribeKey operation. Provides detailed information about the specified customer master key. |
DescribeKeyResponse | Configuration for accessing Amazon DescribeKey service |
DescribeKeyResult | |
DisabledException | KeyManagementService exception |
DisableKeyRequest | Container for the parameters to the DisableKey operation. Sets the state of a master key to disabled, thereby preventing its use for cryptographic operations. For more information about how key state affects the use of a master key, go to How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide. |
DisableKeyResponse | |
DisableKeyRotationRequest | Container for the parameters to the DisableKeyRotation operation. Disables rotation of the specified key. |
DisableKeyRotationResponse | |
EnableKeyRequest | Container for the parameters to the EnableKey operation. Marks a key as enabled, thereby permitting its use. |
EnableKeyResponse | |
EnableKeyRotationRequest | Container for the parameters to the EnableKeyRotation operation. Enables rotation of the specified customer master key. |
EnableKeyRotationResponse | |
EncryptRequest |
Container for the parameters to the Encrypt operation.
Encrypts plaintext into ciphertext by using a customer master key. The Encrypt
function has two primary use cases:
Unless you are moving encrypted data from one region to another, you don't use this
function to encrypt a generated data key within a region. You retrieve data keys already
encrypted by calling the GenerateDataKey or GenerateDataKeyWithoutPlaintext
function. Data keys don't need to be encrypted again by calling
If you want to encrypt data locally in your application, you can use the |
EncryptResponse | Configuration for accessing Amazon Encrypt service |
EncryptResult | |
GenerateDataKeyRequest |
Container for the parameters to the GenerateDataKey operation.
Generates a data key that you can use in your application to locally encrypt data.
This call returns a plaintext version of the key in the Plaintext field
of the response object and an encrypted copy of the key in the CiphertextBlob
field. The key is encrypted by using the master key specified by the KeyId
field. To decrypt the encrypted key, pass it to the Decrypt API.
We recommend that you use the following pattern to locally encrypt data: call the
Encrypt function to re-encrypt your data
keys within a region. GenerateDataKey always returns the data key encrypted
and tied to the customer master key that will be used to decrypt it. There is no need
to decrypt it twice.
If you decide to use the optional
To decrypt data, pass the encrypted data key to the |
GenerateDataKeyResponse | Configuration for accessing Amazon GenerateDataKey service |
GenerateDataKeyResult | |
GenerateDataKeyWithoutPlaintextRequest | Container for the parameters to the GenerateDataKeyWithoutPlaintext operation. Returns a data key encrypted by a customer master key without the plaintext copy of that key. Otherwise, this API functions exactly like GenerateDataKey. You can use this API to, for example, satisfy an audit requirement that an encrypted key be made available without exposing the plaintext copy of that key. |
GenerateDataKeyWithoutPlaintextResponse | Configuration for accessing Amazon GenerateDataKeyWithoutPlaintext service |
GenerateDataKeyWithoutPlaintextResult | |
GenerateRandomRequest | Container for the parameters to the GenerateRandom operation. Generates an unpredictable byte string. |
GenerateRandomResponse | Configuration for accessing Amazon GenerateRandom service |
GenerateRandomResult | |
GetKeyPolicyRequest | Container for the parameters to the GetKeyPolicy operation. Retrieves a policy attached to the specified key. |
GetKeyPolicyResponse | Configuration for accessing Amazon GetKeyPolicy service |
GetKeyPolicyResult | |
GetKeyRotationStatusRequest | Container for the parameters to the GetKeyRotationStatus operation. Retrieves a Boolean value that indicates whether key rotation is enabled for the specified key. |
GetKeyRotationStatusResponse | Configuration for accessing Amazon GetKeyRotationStatus service |
GetKeyRotationStatusResult | |
GrantConstraints |
A structure for specifying the conditions under which the operations permitted by
the grant are allowed.
You can use this structure to allow the operations permitted by the grant only when a specified encryption context is present. For more information about encryption context, see Encryption Context in the AWS Key Management Service Developer Guide. |
GrantListEntry | Contains information about an entry in a list of grants. |
InvalidAliasNameException | KeyManagementService exception |
InvalidArnException | KeyManagementService exception |
InvalidCiphertextException | KeyManagementService exception |
InvalidGrantIdException | KeyManagementService exception |
InvalidGrantTokenException | KeyManagementService exception |
InvalidKeyUsageException | KeyManagementService exception |
InvalidMarkerException | KeyManagementService exception |
KeyListEntry | Contains information about each entry in the key list. |
KeyMetadata |
Contains metadata about a customer master key (CMK).
This data type is used as a response element for the CreateKey and DescribeKey operations. |
KeyUnavailableException | KeyManagementService exception |
KMSInternalException | KeyManagementService exception |
KMSInvalidStateException | KeyManagementService exception |
LimitExceededException | KeyManagementService exception |
ListAliasesRequest | Container for the parameters to the ListAliases operation. Lists all of the key aliases in the account. |
ListAliasesResponse | Configuration for accessing Amazon ListAliases service |
ListAliasesResult | |
ListGrantsRequest | Container for the parameters to the ListGrants operation. Lists the grants for a specified key. |
ListGrantsResponse | Configuration for accessing Amazon ListGrants service |
ListGrantsResult | |
ListKeyPoliciesRequest | Container for the parameters to the ListKeyPolicies operation. Retrieves a list of policies attached to a key. |
ListKeyPoliciesResponse | Configuration for accessing Amazon ListKeyPolicies service |
ListKeyPoliciesResult | |
ListKeysRequest | Container for the parameters to the ListKeys operation. Lists the customer master keys. |
ListKeysResponse | Configuration for accessing Amazon ListKeys service |
ListKeysResult | |
ListRetirableGrantsRequest |
Container for the parameters to the ListRetirableGrants operation.
Returns a list of all grants for which the grant's RetiringPrincipal
matches the one specified.
A typical use is to list all grants that you are able to retire. To retire a grant, use RetireGrant. |
ListRetirableGrantsResponse | Configuration for accessing Amazon ListRetirableGrants service |
ListRetirableGrantsResult | |
MalformedPolicyDocumentException | KeyManagementService exception |
NotFoundException | KeyManagementService exception |
PutKeyPolicyRequest | Container for the parameters to the PutKeyPolicy operation. Attaches a policy to the specified key. |
PutKeyPolicyResponse | |
ReEncryptRequest |
Container for the parameters to the ReEncrypt operation.
Encrypts data on the server side with a new customer master key without exposing the
plaintext of the data on the client side. The data is first decrypted and then encrypted.
This operation can also be used to change the encryption context of a ciphertext.
Unlike other actions, |
ReEncryptResponse | Configuration for accessing Amazon ReEncrypt service |
ReEncryptResult | |
RetireGrantRequest |
Container for the parameters to the RetireGrant operation.
Retires a grant. You can retire a grant when you're done using it to clean up. You
should revoke a grant when you intend to actively deny operations that depend on it.
The following are permitted to call this API:
CreateGrant
function.
|
RetireGrantResponse | |
RevokeGrantRequest | Container for the parameters to the RevokeGrant operation. Revokes a grant. You can revoke a grant to actively deny operations that depend on it. |
RevokeGrantResponse | |
ScheduleKeyDeletionRequest |
Container for the parameters to the ScheduleKeyDeletion operation.
Schedules the deletion of a customer master key (CMK). You may provide a waiting period,
specified in days, before deletion occurs. If you do not provide a waiting period,
the default period of 30 days is used. When this operation is successful, the state
of the CMK changes to PendingDeletion. Before the waiting period ends,
you can use CancelKeyDeletion to cancel the deletion of the CMK. After the
waiting period ends, AWS KMS deletes the CMK and all AWS KMS data associated with
it, including all aliases that point to it.
Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, all data that was encrypted under the CMK is rendered unrecoverable. To restrict the use of a CMK without deleting it, use DisableKey. For more information about scheduling a CMK for deletion, go to Deleting Customer Master Keys in the AWS Key Management Service Developer Guide. |
ScheduleKeyDeletionResponse | Configuration for accessing Amazon ScheduleKeyDeletion service |
ScheduleKeyDeletionResult | |
UnsupportedOperationException | KeyManagementService exception |
UpdateAliasRequest |
Container for the parameters to the UpdateAlias operation.
Updates an alias to map it to a different key.
An alias is not a property of a key. Therefore, an alias can be mapped to and unmapped from an existing key without changing the properties of the key. An alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). An alias must start with the word "alias" followed by a forward slash (alias/). An alias that begins with "aws" after the forward slash (alias/aws...) is reserved by Amazon Web Services (AWS). The alias and the key it is mapped to must be in the same AWS account and the same region. |
UpdateAliasResponse | |
UpdateKeyDescriptionRequest | Container for the parameters to the UpdateKeyDescription operation. Updates the description of a key. |
UpdateKeyDescriptionResponse |