AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Name | Description | |
---|---|---|
AliasListEntry |
Contains information about an alias. |
|
AlreadyExistsException |
The request was rejected because it attempted to create a resource that already exists. |
|
CancelKeyDeletionRequest |
Container for the parameters to the CancelKeyDeletion operation.
Cancels the deletion of a KMS key. When this operation succeeds, the key state of
the KMS key is For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the Key Management Service Developer Guide. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:CancelKeyDeletion (key policy) Related operations: ScheduleKeyDeletion Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
CancelKeyDeletionResponse |
This is the response object from the CancelKeyDeletion operation. |
|
CloudHsmClusterInUseException |
The request was rejected because the specified CloudHSM cluster is already associated with an CloudHSM key store in the account, or it shares a backup history with an CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a different CloudHSM cluster. CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters operation. |
|
CloudHsmClusterInvalidConfigurationException |
The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for an CloudHSM key store.
For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide. |
|
CloudHsmClusterNotActiveException |
The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide. |
|
CloudHsmClusterNotFoundException |
The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID. |
|
CloudHsmClusterNotRelatedException |
The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster for an CloudHSM key store. Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster. CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters operation. |
|
ConflictException |
The request was rejected because an automatic rotation of this key is currently in progress or scheduled to begin within the next 20 minutes. |
|
ConnectCustomKeyStoreRequest |
Container for the parameters to the ConnectCustomKeyStore operation.
Connects or reconnects a custom
key store to its backing key store. For an CloudHSM key store, The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it contains. You can disconnect and reconnect a custom key store at any time. The connection process for a custom key store can take an extended amount of time to complete. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation. This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.
The
To fix the failure, use the DisconnectCustomKeyStore operation to disconnect
the custom key store, correct the error, use the UpdateCustomKeyStore operation
if necessary, and then use CloudHSM key store
During the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster
that is associated with the custom key store, creates the connection infrastructure,
connects to the cluster, logs into the CloudHSM client as the
To connect an CloudHSM key store, its associated CloudHSM cluster must have at least
one active HSM. To get the number of active HSMs in a cluster, use the DescribeClusters
operation. To add HSMs to the cluster, use the CreateHsm
operation. Also, the If you are having trouble connecting or disconnecting a CloudHSM key store, see Troubleshooting an CloudHSM key store in the Key Management Service Developer Guide. External key store When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to communicate with your external key manager by sending a request via the external key store proxy. When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the networking elements that it needs to communicate with your external key manager via the external key store proxy. This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic between KMS and the VPC endpoint service. To connect an external key store, KMS must be able to connect to the external key store proxy, the external key store proxy must be able to communicate with your external key manager, and the external key manager must be available for cryptographic operations. If you are having trouble connecting or disconnecting an external key store, see Troubleshooting an external key store in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: kms:ConnectCustomKeyStore (IAM policy) Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ConnectCustomKeyStoreResponse |
This is the response object from the ConnectCustomKeyStore operation. |
|
CreateAliasRequest |
Container for the parameters to the CreateAlias operation.
Creates a friendly name for a KMS key.
Adding, deleting, or updating an alias can allow or deny permission to the KMS key.
For details, see ABAC
for KMS in the Key Management Service Developer Guide.
You can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation and in cryptographic operations, such as Encrypt and GenerateDataKey. You can also change the KMS key that's associated with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. These operations don't affect the underlying KMS key. You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required. You can't create an alias without a KMS key. The alias must be unique in the account and Region, but you can have aliases with the same name in different Regions. For detailed information about aliases, see Using aliases in the Key Management Service Developer Guide. This operation does not return a response. To get the alias that you created, use the ListAliases operation. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account. Required permissions
For details, see Controlling access to aliases in the Key Management Service Developer Guide. Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
CreateAliasResponse |
This is the response object from the CreateAlias operation. |
|
CreateCustomKeyStoreRequest |
Container for the parameters to the CreateCustomKeyStore operation. Creates a custom key store backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an external key store proxy and external key manager outside of Amazon Web Services. This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage. Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that KMS provides to verify the configuration your external key store proxy. For details about the required elements and verification tests, see Assemble the prerequisites (for CloudHSM key stores) or Assemble the prerequisites (for external key stores) in the Key Management Service Developer Guide. To create a custom key store, use the following parameters.
For external key stores: Some external key managers provide a simpler method for creating an external key store. For details, see your external key manager documentation.
When creating an external key store in the KMS console, you can upload a JSON-based
proxy configuration file with the desired values. You cannot use a proxy configuration
with the When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your external key manager. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it. For help with failures, see Troubleshooting a custom key store in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: kms:CreateCustomKeyStore (IAM policy). Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
CreateCustomKeyStoreResponse |
This is the response object from the CreateCustomKeyStore operation. |
|
CreateGrantRequest |
Container for the parameters to the CreateGrant operation. Adds a grant to a KMS key. A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic operations. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often used for temporary permissions because you can create one, use its permissions, and delete it without changing your key policies or IAM policies. For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.
The
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation on a KMS key in a different
Amazon Web Services account, specify the key ARN in the value of the Required permissions: kms:CreateGrant (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
CreateGrantResponse |
This is the response object from the CreateGrant operation. |
|
CreateKeyRequest |
Container for the parameters to the CreateKey operation. Creates a unique customer managed KMS key in your Amazon Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your service resources. A KMS key is a logical representation of a cryptographic key. In addition to the key material used in cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date, description, and key state. For details, see Managing keys in the Key Management Service Developer Guide
Use the parameters of KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term. To create different types of KMS keys, use the following guidance:
Cross-account use: No. You cannot use this operation to create a KMS key in a different Amazon Web Services account. Required permissions: kms:CreateKey
(IAM policy). To use the Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
CreateKeyResponse |
This is the response object from the CreateKey operation. |
|
CustomKeyStoreHasCMKsException |
The request was rejected because the custom key store contains KMS keys. After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion operation to delete the KMS keys. After they are deleted, you can delete the custom key store. |
|
CustomKeyStoreInvalidStateException |
The request was rejected because of the This exception is thrown under the following conditions:
|
|
CustomKeyStoreNameInUseException |
The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account. |
|
CustomKeyStoreNotFoundException |
The request was rejected because KMS cannot find a custom key store with the specified key store name or ID. |
|
CustomKeyStoresListEntry |
Contains information about each custom key store in the custom key store list. |
|
DecryptRequest |
Container for the parameters to the Decrypt operation. Decrypts ciphertext that was encrypted by a KMS key using any of the following operations: You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
The
If the ciphertext was encrypted under a symmetric encryption KMS key, the
Whenever possible, use key policies to give users permission to call the
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. If you use the Required permissions: kms:Decrypt (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DecryptResponse |
This is the response object from the Decrypt operation. |
|
DeleteAliasRequest |
Container for the parameters to the DeleteAlias operation.
Deletes the specified alias.
Adding, deleting, or updating an alias can allow or deny permission to the KMS key.
For details, see ABAC
for KMS in the Key Management Service Developer Guide.
Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all KMS keys, use the ListAliases operation. Each KMS key can have multiple aliases. To change the alias of a KMS key, use DeleteAlias to delete the current alias and CreateAlias to create a new alias. To associate an existing alias with a different KMS key, call UpdateAlias. Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account. Required permissions
For details, see Controlling access to aliases in the Key Management Service Developer Guide. Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DeleteAliasResponse |
This is the response object from the DeleteAlias operation. |
|
DeleteCustomKeyStoreRequest |
Container for the parameters to the DeleteCustomKeyStore operation. Deletes a custom key store. This operation does not affect any backing elements of the custom key store. It does not delete the CloudHSM cluster that is associated with an CloudHSM key store, or affect any users or keys in the cluster. For an external key store, it does not affect the external key store proxy, external key manager, or any external keys. This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage. The custom key store that you delete cannot contain any KMS keys. Before deleting the key store, verify that you will never need to use any of the KMS keys in the key store for any cryptographic operations. Then, use ScheduleKeyDeletion to delete the KMS keys from the key store. After the required waiting period expires and all KMS keys are deleted from the custom key store, use DisconnectCustomKeyStore to disconnect the key store from KMS. Then, you can delete the custom key store.
For keys in an CloudHSM key store, the Instead of deleting the custom key store, consider using the DisconnectCustomKeyStore operation to disconnect the custom key store from its backing key store. While the key store is disconnected, you cannot create or use the KMS keys in the key store. But, you do not need to delete KMS keys and you can reconnect a disconnected custom key store at any time. If the operation succeeds, it returns a JSON object with no properties. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: kms:DeleteCustomKeyStore (IAM policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DeleteCustomKeyStoreResponse |
This is the response object from the DeleteCustomKeyStore operation. |
|
DeleteImportedKeyMaterialRequest |
Container for the parameters to the DeleteImportedKeyMaterial operation. Deletes key material that was previously imported. This operation makes the specified KMS key temporarily unusable. To restore the usability of the KMS key, reimport the same key material. For more information about importing key material into KMS, see Importing Key Material in the Key Management Service Developer Guide.
When the specified KMS key is in the The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:DeleteImportedKeyMaterial (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DeleteImportedKeyMaterialResponse |
This is the response object from the DeleteImportedKeyMaterial operation. |
|
DependencyTimeoutException |
The system timed out while trying to fulfill the request. You can retry the request. |
|
DeriveSharedSecretRequest |
Container for the parameters to the DeriveSharedSecret operation.
Derives a shared secret using a key agreement algorithm.
You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China Regions
only) KMS key pair with a DeriveSharedSecret uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive (ECDH) to establish a key agreement between two peers by deriving a shared secret from their elliptic curve public-private key pairs. You can use the raw shared secret that DeriveSharedSecret returns to derive a symmetric key that can encrypt and decrypt data that is sent between the two peers, or that can generate and verify HMACs. KMS recommends that you follow NIST recommendations for key derivation when using the raw shared secret to derive a symmetric key. The following workflow demonstrates how to establish key agreement over an insecure communication channel using DeriveSharedSecret.
To derive a shared secret you must provide a key agreement algorithm, the private key of the caller's asymmetric NIST-recommended elliptic curve or SM2 (China Regions only) KMS key pair, and the public key from your peer's NIST-recommended elliptic curve or SM2 (China Regions only) key pair. The public key can be from another asymmetric KMS key pair or from a key pair generated outside of KMS, but both key pairs must be on the same elliptic curve. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:DeriveSharedSecret (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DeriveSharedSecretResponse |
This is the response object from the DeriveSharedSecret operation. |
|
DescribeCustomKeyStoresRequest |
Container for the parameters to the DescribeCustomKeyStores operation. Gets information about custom key stores in the account and Region. This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.
By default, this operation returns information about all custom key stores in the
account and Region. To get only information about a particular custom key store, use
either the
To determine whether the custom key store is connected to its CloudHSM cluster or
external key store proxy, use the
Custom key stores have a For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key stores. For help repairing your external key store, see the Troubleshooting external key stores. Both topics are in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: kms:DescribeCustomKeyStores (IAM policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DescribeCustomKeyStoresResponse |
This is the response object from the DescribeCustomKeyStores operation. |
|
DescribeKeyRequest |
Container for the parameters to the DescribeKey operation.
Provides detailed information about a KMS key. You can run
This detailed information includes the key ARN, creation date (and deletion date,
if applicable), the key state, and the origin and expiration date (if any) of the
key material. It includes fields, like
For multi-Region
keys,
In general, Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:DescribeKey (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DescribeKeyResponse |
This is the response object from the DescribeKey operation. |
|
DisabledException |
The request was rejected because the specified KMS key is not enabled. |
|
DisableKeyRequest |
Container for the parameters to the DisableKey operation. Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for cryptographic operations. For more information about how key state affects the use of a KMS key, see Key states of KMS keys in the Key Management Service Developer Guide. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:DisableKey (key policy) Related operations: EnableKey Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DisableKeyResponse |
This is the response object from the DisableKey operation. |
|
DisableKeyRotationRequest |
Container for the parameters to the DisableKeyRotation operation. Disables automatic rotation of the key material of the specified symmetric encryption KMS key. Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key. You can enable (EnableKeyRotation) and disable automatic rotation of the key material in customer managed KMS keys. Key material rotation of Amazon Web Services managed KMS keys is not configurable. KMS always rotates the key material for every year. Rotation of Amazon Web Services owned KMS keys varies. In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see EnableKeyRotation. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:DisableKeyRotation (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DisableKeyRotationResponse |
This is the response object from the DisableKeyRotation operation. |
|
DisconnectCustomKeyStoreRequest |
Container for the parameters to the DisconnectCustomKeyStore operation. Disconnects the custom key store from its backing key store. This operation disconnects an CloudHSM key store from its associated CloudHSM cluster or disconnects an external key store from the external key store proxy that communicates with your external key manager. This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage. While a custom key store is disconnected, you can manage the custom key store and its KMS keys, but you cannot create or use its KMS keys. You can reconnect the custom key store at any time. While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.
When you disconnect a custom key store, its If the operation succeeds, it returns a JSON object with no properties. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: kms:DisconnectCustomKeyStore (IAM policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
DisconnectCustomKeyStoreResponse |
This is the response object from the DisconnectCustomKeyStore operation. |
|
DryRunOperationException |
The request was rejected because the DryRun parameter was specified. |
|
EnableKeyRequest |
Container for the parameters to the EnableKey operation. Sets the key state of a KMS key to enabled. This allows you to use the KMS key for cryptographic operations. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:EnableKey (key policy) Related operations: DisableKey Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
EnableKeyResponse |
This is the response object from the EnableKey operation. |
|
EnableKeyRotationRequest |
Container for the parameters to the EnableKeyRotation operation. Enables automatic rotation of the key material of the specified symmetric encryption KMS key.
By default, when you enable automatic rotation of a customer
managed KMS key, KMS rotates the key material of the KMS key one year (approximately
365 days) from the enable date and every year thereafter. You can use the optional
You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer managed KMS key, use the DisableKeyRotation operation. You can use the GetKeyRotationStatus operation to identify any in progress rotations. You can use the ListKeyRotations operation to view the details of completed rotations. Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key. You cannot enable or disable automatic rotation of Amazon Web Services managed KMS keys. KMS always rotates the key material of Amazon Web Services managed keys every year. Rotation of Amazon Web Services owned KMS keys is managed by the Amazon Web Services service that owns the key. In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days). New Amazon Web Services managed keys are automatically rotated one year after they are created, and approximately every year thereafter. Existing Amazon Web Services managed keys are automatically rotated one year after their most recent rotation, and every year thereafter. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:EnableKeyRotation (key policy) Related operations:
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
EnableKeyRotationResponse |
This is the response object from the EnableKeyRotation operation. |
|
EncryptRequest |
Container for the parameters to the Encrypt operation.
Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or
asymmetric KMS key with a
You can use this operation to encrypt small amounts of arbitrary data, such as a personal
identifier or database password, or other sensitive information. You don't need to
use the
If you use a symmetric encryption KMS key, you can use an encryption context to add
additional security to your encryption operation. If you specify an If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be compatible with the KMS key spec. When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails. You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields. The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm that you choose.
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:Encrypt (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
EncryptResponse |
This is the response object from the Encrypt operation. |
|
ExpiredImportTokenException |
The request was rejected because the specified import token is expired. Use GetParametersForImport to get a new import token and public key, use the new public key to encrypt the key material, and then try the request again. |
|
GenerateDataKeyPairRequest |
Container for the parameters to the GenerateDataKeyPair operation. Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes in the keys are random; they are not related to the caller or to the KMS key that is used to encrypt the private key.
You can use the public key that To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
Use the
If you are using the data key pair to encrypt data, or for any operation where you
don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext
operation.
You can use an optional encryption context to add additional security to the encryption
operation. If you specify an The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:GenerateDataKeyPair (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GenerateDataKeyPairResponse |
This is the response object from the GenerateDataKeyPair operation. |
|
GenerateDataKeyPairWithoutPlaintextRequest |
Container for the parameters to the GenerateDataKeyPairWithoutPlaintext operation. Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key. The bytes in the keys are random; they are not related to the caller or to the KMS key that is used to encrypt the private key.
You can use the public key that To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
Use the
You can use an optional encryption context to add additional security to the encryption
operation. If you specify an The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GenerateDataKeyPairWithoutPlaintextResponse |
This is the response object from the GenerateDataKeyPairWithoutPlaintext operation. |
|
GenerateDataKeyRequest |
Container for the parameters to the GenerateDataKey operation. Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted data key with the encrypted data. To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the DescribeKey operation.
You must also specify the length of the data key. Use either the
To generate a 128-bit SM4 data key (China Regions only), specify a To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random byte string, use GenerateRandom.
You can use an optional encryption context to add additional security to the encryption
operation. If you specify an
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. How to use your data key We recommend that you use the following pattern to encrypt data locally in your application. You can write your own code or use a client-side encryption library, such as the Amazon Web Services Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you. To encrypt data outside of KMS:
To decrypt data outside of KMS:
Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:GenerateDataKey (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GenerateDataKeyResponse |
This is the response object from the GenerateDataKey operation. |
|
GenerateDataKeyWithoutPlaintextRequest |
Container for the parameters to the GenerateDataKeyWithoutPlaintext operation. Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to the caller or to the KMS key.
This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key. It's also useful in distributed systems with different levels of trust. For example, you might store encrypted data in containers. One component of your system creates new containers and stores an encrypted data key with each container. Then, a different component puts the data into the containers. That component first decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then destroys the plaintext data key. In this system, the component that creates the containers never sees the plaintext data key. To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations. To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of your KMS key, use the DescribeKey operation.
You must also specify the length of the data key. Use either the
To generate an SM4 data key (China Regions only), specify a
If the operation succeeds, you will find the encrypted copy of the data key in the
You can use an optional encryption context to add additional security to the encryption
operation. If you specify an The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:GenerateDataKeyWithoutPlaintext (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GenerateDataKeyWithoutPlaintextResponse |
This is the response object from the GenerateDataKeyWithoutPlaintext operation. |
|
GenerateMacRequest |
Container for the parameters to the GenerateMac operation. Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104. You can use value that GenerateMac returns in the VerifyMac operation to demonstrate that the original message has not changed. Also, because a secret key is used to create the hash, you can verify that the party that generated the hash has the required secret key. You can also use the raw result to implement HMAC-based algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS in the Key Management Service Developer Guide. Best practices recommend that you limit the time during which any signing mechanism, including an HMAC, is effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long after the message is superseded. HMAC tags do not include a timestamp, but you can include a timestamp in the token or message to help you detect when its time to refresh the HMAC. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:GenerateMac (key policy) Related operations: VerifyMac Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GenerateMacResponse |
This is the response object from the GenerateMac operation. |
|
GenerateRandomRequest |
Container for the parameters to the GenerateRandom operation. Returns a random byte string that is cryptographically secure.
You must use the
By default, the random byte string is generated in KMS. To generate the byte string
in the CloudHSM cluster associated with an CloudHSM key store, use the
For more information about entropy and random number generation, see Key Management Service Cryptographic Details. Cross-account use: Not applicable. Required permissions: kms:GenerateRandom (IAM policy) Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GenerateRandomResponse |
This is the response object from the GenerateRandom operation. |
|
GetKeyPolicyRequest |
Container for the parameters to the GetKeyPolicy operation. Gets a key policy attached to the specified KMS key. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:GetKeyPolicy (key policy) Related operations: PutKeyPolicy Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GetKeyPolicyResponse |
This is the response object from the GetKeyPolicy operation. |
|
GetKeyRotationStatusRequest |
Container for the parameters to the GetKeyRotationStatus operation. Provides detailed information about the rotation status for a KMS key, including whether automatic rotation of the key material is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date. Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key..
You can enable (EnableKeyRotation) and disable automatic rotation (DisableKeyRotation)
of the key material in customer managed KMS keys. Key material rotation of Amazon
Web Services managed KMS keys is not configurable. KMS always rotates the key
material in Amazon Web Services managed KMS keys every year. The key rotation status
for Amazon Web Services managed KMS keys is always You can perform on-demand (RotateKeyOnDemand) rotation of the key material in customer managed KMS keys, regardless of whether or not automatic key rotation is enabled. You can use GetKeyRotationStatus to identify the date and time that an in progress on-demand rotation was initiated. You can use ListKeyRotations to view the details of completed rotations. In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see EnableKeyRotation. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation on a KMS key in a different
Amazon Web Services account, specify the key ARN in the value of the Required permissions: kms:GetKeyRotationStatus (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GetKeyRotationStatusResponse |
This is the response object from the GetKeyRotationStatus operation. |
|
GetParametersForImportRequest |
Container for the parameters to the GetParametersForImport operation. Returns the public key and an import token you need to import or reimport key material for a KMS key. By default, KMS keys are created with key material that KMS generates. This operation supports Importing key material, an advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more information about importing key material into KMS, see Importing key material in the Key Management Service Developer Guide.
Before calling
The public key and its import token are permanently linked and must be used together.
Each public key and import token set is valid for 24 hours. The expiration date and
time appear in the
You can use the same or a different public key spec and wrapping algorithm each time you import or reimport the same key material. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:GetParametersForImport (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GetParametersForImportResponse |
This is the response object from the GetParametersForImport operation. |
|
GetPublicKeyRequest |
Container for the parameters to the GetPublicKey operation.
Returns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric
KMS key, which never leaves KMS unencrypted, callers with You do not need to download the public key. Instead, you can use the public key within KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part of every KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features are not effective outside of KMS.
To help you use the public key safely outside of KMS,
Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this information to prevent the public key from being used improperly. For example, you can prevent a public signing key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification operation.
To verify a signature outside of KMS with an SM2 public key (China Regions only),
you must specify the distinguishing ID. By default, KMS uses The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:GetPublicKey (key policy) Related operations: CreateKey Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
GetPublicKeyResponse |
This is the response object from the GetPublicKey operation. |
|
GrantConstraints |
Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context. KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric KMS key. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or RetireGrant. In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary. However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.
To avoid confusion, do not use multiple encryption context pairs that differ only
by case. To require a fully case-sensitive encryption context, use the |
|
GrantListEntry |
Contains information about a grant. |
|
ImportKeyMaterialRequest |
Container for the parameters to the ImportKeyMaterial operation.
Imports or reimports key material into an existing KMS key that was created without
key material. By default, KMS keys are created with key material that KMS generates. This operation supports Importing key material, an advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more information about importing key material into KMS, see Importing key material in the Key Management Service Developer Guide. After you successfully import key material into a KMS key, you can reimport the same key material into that KMS key, but you cannot import different key material. You might reimport key material to replace key material that expired or key material that you deleted. You might also reimport key material to change the expiration model or expiration date of the key material.
Each time you import key material into KMS, you can determine whether (
Before calling
Then, in an
When this operation is successful, the key state of the KMS key changes from If this operation fails, use the exception to help determine the problem. If the error is related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the KMS key and repeat the import procedure. For help, see How To Import Key Material in the Key Management Service Developer Guide. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:ImportKeyMaterial (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ImportKeyMaterialResponse |
This is the response object from the ImportKeyMaterial operation. |
|
IncorrectKeyException |
The request was rejected because the specified KMS key cannot decrypt the data. The
|
|
IncorrectKeyMaterialException |
The request was rejected because the key material in the request is, expired, invalid, or is not the same key material that was previously imported into this KMS key. |
|
IncorrectTrustAnchorException |
The request was rejected because the trust anchor certificate in the request to create an CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster.
When you initialize
the CloudHSM cluster, you create the trust anchor certificate and save it in the
|
|
InvalidAliasNameException |
The request was rejected because the specified alias name is not valid. |
|
InvalidArnException |
The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. |
|
InvalidCiphertextException |
From the Decrypt or ReEncrypt operation, the request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid. From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the encrypted (wrapped) key material. |
|
InvalidGrantIdException |
The request was rejected because the specified |
|
InvalidGrantTokenException |
The request was rejected because the specified grant token is not valid. |
|
InvalidImportTokenException |
The request was rejected because the provided import token is invalid or is associated with a different KMS key. |
|
InvalidKeyUsageException |
The request was rejected for one of the following reasons:
For encrypting, decrypting, re-encrypting, and generating data keys, the To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation. |
|
InvalidMarkerException |
The request was rejected because the marker that specifies where pagination should next begin is not valid. |
|
KeyListEntry |
Contains information about each entry in the key list. |
|
KeyManagementServicePaginatorFactory |
Paginators for the KeyManagementService service |
|
KeyMetadata |
Contains metadata about a KMS key. This data type is used as a response element for the CreateKey, DescribeKey, and ReplicateKey operations. |
|
KeyUnavailableException |
The request was rejected because the specified KMS key was not available. You can retry the request. |
|
KMSInternalException |
The request was rejected because an internal exception occurred. The request can be retried. |
|
KMSInvalidMacException |
The request was rejected because the HMAC verification failed. HMAC verification fails when the HMAC computed by using the specified message, HMAC KMS key, and MAC algorithm does not match the HMAC specified in the request. |
|
KMSInvalidSignatureException |
The request was rejected because the signature verification failed. Signature verification fails when it cannot confirm that signature was produced by signing the specified message with the specified KMS key and signing algorithm. |
|
KMSInvalidStateException |
The request was rejected because the state of the specified resource is not valid for this request. This exceptions means one of the following:
|
|
LimitExceededException |
The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide. |
|
ListAliasesRequest |
Container for the parameters to the ListAliases operation. Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about aliases, see CreateAlias.
By default, the
The
The response might also include aliases that have no Cross-account use: No. Required permissions: kms:ListAliases (IAM policy) For details, see Controlling access to aliases in the Key Management Service Developer Guide. Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListAliasesResponse |
This is the response object from the ListAliases operation. |
|
ListGrantsRequest |
Container for the parameters to the ListGrants operation. Gets a list of all grants for the specified KMS key. You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal. For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.
The Cross-account use: Yes. To perform this operation on a KMS key in a different
Amazon Web Services account, specify the key ARN in the value of the Required permissions: kms:ListGrants (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListGrantsResponse |
This is the response object from the ListGrants operation. |
|
ListKeyPoliciesRequest |
Container for the parameters to the ListKeyPolicies operation.
Gets the names of the key policies that are attached to a KMS key. This operation
is designed to get policy names that you can use in a GetKeyPolicy operation.
However, the only valid policy name is Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:ListKeyPolicies (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListKeyPoliciesResponse |
This is the response object from the ListKeyPolicies operation. |
|
ListKeyRotationsRequest |
Container for the parameters to the ListKeyRotations operation. Returns information about all completed key material rotations for the specified KMS key. You must specify the KMS key in all requests. You can refine the key rotations list by limiting the number of rotations returned. For detailed information about automatic and on-demand key rotations, see Rotating KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:ListKeyRotations (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListKeyRotationsResponse |
This is the response object from the ListKeyRotations operation. |
|
ListKeysRequest |
Container for the parameters to the ListKeys operation. Gets a list of all KMS keys in the caller's Amazon Web Services account and Region. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:ListKeys (IAM policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListKeysResponse |
This is the response object from the ListKeys operation. |
|
ListResourceTagsRequest |
Container for the parameters to the ListResourceTags operation. Returns all tags on the specified KMS key. For general information about tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference. For information about using tags in KMS, see Tagging keys. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:ListResourceTags (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListResourceTagsResponse |
This is the response object from the ListResourceTags operation. |
|
ListRetirableGrantsRequest |
Container for the parameters to the ListRetirableGrants operation. Returns information about all grants in the Amazon Web Services account and Region that have the specified retiring principal. You can specify any principal in your Amazon Web Services account. The grants that are returned include grants for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this operation to determine which grants you may retire. To retire a grant, use the RetireGrant operation. For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants. Cross-account use: You must specify a principal in your Amazon Web Services
account. This operation returns a list of grants where the retiring principal specified
in the Required permissions: kms:ListRetirableGrants (IAM policy) in your Amazon Web Services account.
KMS authorizes Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ListRetirableGrantsResponse |
This is the response object from the ListRetirableGrants operation. |
|
MalformedPolicyDocumentException |
The request was rejected because the specified policy is not syntactically or semantically correct. |
|
MultiRegionConfiguration |
Describes the configuration of this multi-Region key. This field appears only when the KMS key is a primary or replica of a multi-Region key. For more information about any listed KMS key, use the DescribeKey operation. |
|
MultiRegionKey |
Describes the primary or replica key in a multi-Region key. |
|
NotFoundException |
The request was rejected because the specified entity or resource could not be found. |
|
PutKeyPolicyRequest |
Container for the parameters to the PutKeyPolicy operation. Attaches a key policy to the specified KMS key. For more information about key policies, see Key Policies in the Key Management Service Developer Guide. For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the Identity and Access Management User Guide. For examples of adding a key policy in multiple programming languages, see Setting a key policy in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:PutKeyPolicy (key policy) Related operations: GetKeyPolicy Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
PutKeyPolicyResponse |
This is the response object from the PutKeyPolicy operation. |
|
RecipientInfo |
Contains information about the party that receives the response from the API operation. This data type is designed to support Amazon Web Services Nitro Enclaves, which lets you create an isolated compute environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide. |
|
ReEncryptRequest |
Container for the parameters to the ReEncrypt operation. Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key under which data is encrypted, such as when you manually rotate a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt ciphertext under the same KMS key, such as to change the encryption context of a ciphertext.
The
When you use the
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. The source KMS key and destination KMS key can be in different Amazon Web Services accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a different account, you must use its key ARN or alias ARN. Required permissions:
To permit reencryption from or to a KMS key, include the Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ReEncryptResponse |
This is the response object from the ReEncrypt operation. |
|
ReplicateKeyRequest |
Container for the parameters to the ReplicateKey operation. Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key, use the CreateKey operation. This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide. A replica key is a fully-functional KMS key that can be used independently of its primary and peer replica keys. A primary key and its replica keys share properties that make them interoperable. They have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. KMS automatically synchronizes these shared properties among related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each primary key and replica key.
When this operation completes, the new replica key has a transient key state of
You cannot create more than one replica of a primary key in any Region. If the Region
already includes a replica of the key you're trying to replicate,
The CloudTrail log of a If you replicate a multi-Region primary key with imported key material, the replica key is created with no key material. You must import the same key material that you imported into the primary key. For details, see Importing key material into multi-Region keys in the Key Management Service Developer Guide. To convert a replica key to a primary key, use the UpdatePrimaryRegion operation.
Cross-account use: No. You cannot use this operation to create a replica key in a different Amazon Web Services account. Required permissions:
Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ReplicateKeyResponse |
This is the response object from the ReplicateKey operation. |
|
RetireGrantRequest |
Container for the parameters to the RetireGrant operation. Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.
This operation can be called by the retiring principal for a grant, by the
grantee principal if the grant allows the For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants. Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. Required permissions: Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide. Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
RetireGrantResponse |
This is the response object from the RetireGrant operation. |
|
RevokeGrantRequest |
Container for the parameters to the RevokeGrant operation. Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more information, see Retiring and revoking grants in the Key Management Service Developer Guide. When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. For details, see Eventual consistency in the Key Management Service Developer Guide. For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants. Cross-account use: Yes. To perform this operation on a KMS key in a different
Amazon Web Services account, specify the key ARN in the value of the Required permissions: kms:RevokeGrant (key policy). Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
RevokeGrantResponse |
This is the response object from the RevokeGrant operation. |
|
RotateKeyOnDemandRequest |
Container for the parameters to the RotateKeyOnDemand operation. Immediately initiates rotation of the key material of the specified symmetric encryption KMS key. You can perform on-demand rotation of the key material in customer managed KMS keys, regardless of whether or not automatic key rotation is enabled. On-demand rotations do not change existing automatic rotation schedules. For example, consider a KMS key that has automatic key rotation enabled with a rotation period of 730 days. If the key is scheduled to automatically rotate on April 14, 2024, and you perform an on-demand rotation on April 10, 2024, the key will automatically rotate, as scheduled, on April 14, 2024 and every 730 days thereafter. You can perform on-demand key rotation a maximum of 10 times per KMS key. You can use the KMS console to view the number of remaining on-demand rotations available for a KMS key. You can use GetKeyRotationStatus to identify any in progress on-demand rotations. You can use ListKeyRotations to identify the date that completed on-demand rotations were performed. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon CloudWatch. On-demand key rotation is supported only on symmetric encryption KMS keys. You cannot perform on-demand rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To perform on-demand rotation of a set of related multi-Region keys, invoke the on-demand rotation on the primary key. You cannot initiate on-demand rotation of Amazon Web Services managed KMS keys. KMS always rotates the key material of Amazon Web Services managed keys every year. Rotation of Amazon Web Services owned KMS keys is managed by the Amazon Web Services service that owns the key. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:RotateKeyOnDemand (key policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
RotateKeyOnDemandResponse |
This is the response object from the RotateKeyOnDemand operation. |
|
RotationsListEntry |
Contains information about completed key material rotations. |
|
ScheduleKeyDeletionRequest |
Container for the parameters to the ScheduleKeyDeletion operation.
Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30
days, but you can specify a waiting period of 7-30 days. When this operation is successful,
the key state of the KMS key changes to
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS
key is deleted, all data that was encrypted under the KMS key is unrecoverable. (The
only exception is a multi-Region
replica key, or an asymmetric
or HMAC KMS key with imported key material.) To prevent the use of a KMS key without
deleting it, use DisableKey.
You can schedule the deletion of a multi-Region primary key and its replica keys at
any time. However, KMS will not delete a multi-Region primary key with existing replica
keys. If you schedule the deletion of a primary key with replicas, its key state changes
to When KMS deletes a KMS key from an CloudHSM key store, it makes a best effort to delete the associated key material from the associated CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups. Deleting a KMS key from an external key store has no effect on the associated external key. However, for both types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS key by using only its associated external key or CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS key with the same key material. For more information about scheduling a KMS key for deletion, see Deleting KMS keys in the Key Management Service Developer Guide. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:ScheduleKeyDeletion (key policy) Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
ScheduleKeyDeletionResponse |
This is the response object from the ScheduleKeyDeletion operation. |
|
SignRequest |
Container for the parameters to the Sign operation. Creates a digital signature for a message or message digest by using the private key in an asymmetric signing KMS key. To verify the signature, use the Verify operation, or use the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide. Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a message. Anyone with the public key can verify that the message was signed with that particular private key and that the message hasn't changed since it was signed.
To use the
When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to verify the signature. Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message to help you detect when its time to refresh the signature. To verify the signature that this operation generates, use the Verify operation. Or use the GetPublicKey operation to download the public key and then use the public key to verify the signature outside of KMS. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:Sign (key policy) Related operations: Verify Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
SignResponse |
This is the response object from the Sign operation. |
|
Tag |
A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag values
are both required, but tag values can be empty (null) strings.
Do not include confidential or sensitive information in this field. This field may
be displayed in plaintext in CloudTrail logs and other output.
For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictions in the Amazon Web Services Billing and Cost Management User Guide. |
|
TagException |
The request was rejected because one or more tags are not valid. |
|
TagResourceRequest |
Container for the parameters to the TagResource operation.
Adds or edits tags on a customer
managed key.
Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details,
see ABAC
for KMS in the Key Management Service Developer Guide.
Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag key and a new tag value. You can use this operation to tag a customer managed key, but you cannot tag an Amazon Web Services managed key, an Amazon Web Services owned key, a custom key store, or an alias. You can also add tags to a KMS key while creating it (CreateKey) or replicating it (ReplicateKey). For information about using tags in KMS, see Tagging keys. For general information about tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:TagResource (key policy) Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
TagResourceResponse |
This is the response object from the TagResource operation. |
|
UnsupportedOperationException |
The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
|
UntagResourceRequest |
Container for the parameters to the UntagResource operation.
Deletes tags from a customer
managed key. To delete a tag, specify the tag key and the KMS key.
Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details,
see ABAC
for KMS in the Key Management Service Developer Guide.
When it succeeds, the For information about using tags in KMS, see Tagging keys. For general information about tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:UntagResource (key policy) Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
UntagResourceResponse |
This is the response object from the UntagResource operation. |
|
UpdateAliasRequest |
Container for the parameters to the UpdateAlias operation.
Associates an existing KMS alias with a different KMS key. Each alias is associated
with only one KMS key at a time, although a KMS key can have multiple aliases. The
alias and the KMS key must be in the same Amazon Web Services account and Region.
Adding, deleting, or updating an alias can allow or deny permission to the KMS key.
For details, see ABAC
for KMS in the Key Management Service Developer Guide.
The current and new KMS key must be the same type (both symmetric or both asymmetric or both HMAC), and they must have the same key usage. This restriction prevents errors in code that uses aliases. If you must assign an alias to a different type of KMS key, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
You cannot use Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all KMS keys in the account, use the ListAliases operation. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions
For details, see Controlling access to aliases in the Key Management Service Developer Guide. Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
UpdateAliasResponse |
This is the response object from the UpdateAlias operation. |
|
UpdateCustomKeyStoreRequest |
Container for the parameters to the UpdateCustomKeyStore operation. Changes the properties of a custom key store. You can use this operation to change the properties of an CloudHSM key store or an external key store.
Use the required This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage. When updating the properties of an external key store, verify that the updated settings connect your key store, via the external key store proxy, to the same external key manager as the previous settings, or to a backup or snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable. For external key stores: Some external key managers provide a simpler method for updating an external key store. For details, see your external key manager documentation.
When updating an external key store in the KMS console, you can upload a JSON-based
proxy configuration file with the desired values. You cannot upload the proxy configuration
file to the
For an CloudHSM key store, you can use this operation to change the custom key store
friendly name (
For an external key store, you can use this operation to change the custom key store
friendly name (
If your update requires a
Before updating the custom key store, verify that the new values allow KMS to connect
the custom key store to its backing key store. For example, before you change the
If the operation succeeds, it returns a JSON object with no properties. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: kms:UpdateCustomKeyStore (IAM policy) Related operations: Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
UpdateCustomKeyStoreResponse |
This is the response object from the UpdateCustomKeyStore operation. |
|
UpdateKeyDescriptionRequest |
Container for the parameters to the UpdateKeyDescription operation. Updates the description of a KMS key. To see the description of a KMS key, use DescribeKey. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: kms:UpdateKeyDescription (key policy) Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
UpdateKeyDescriptionResponse |
This is the response object from the UpdateKeyDescription operation. |
|
UpdatePrimaryRegionRequest |
Container for the parameters to the UpdatePrimaryRegion operation. Changes the primary key of a multi-Region key.
This operation changes the replica key in the specified Region to a primary key and
changes the former primary key to a replica key. For example, suppose you have a primary
key in This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide. The primary key of a multi-Region key is the source for properties that are always shared by primary and replica keys, including the key material, key ID, key spec, key usage, key material origin, and automatic key rotation. It's the only key that can be replicated. You cannot delete the primary key until all replica keys are deleted. The key ID and primary Region that you specify uniquely identify the replica key that will become the primary key. The primary Region must already have a replica key. This operation does not create a KMS key in the specified Region. To find the replica keys, use the DescribeKey operation on the primary key or any replica key. To create a replica key, use the ReplicateKey operation. You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation should not delay, interrupt, or cause failures in cryptographic operations.
Even after this operation completes, the process of updating the primary Region might
still be in progress for a few more seconds. Operations such as This operation does not return any output. To verify that primary key is changed, use the DescribeKey operation. Cross-account use: No. You cannot use this operation in a different Amazon Web Services account. Required permissions:
Related operations Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
UpdatePrimaryRegionResponse |
This is the response object from the UpdatePrimaryRegion operation. |
|
VerifyMacRequest |
Container for the parameters to the VerifyMac operation.
Verifies the hash-based message authentication code (HMAC) for a specified message,
HMAC KMS key, and MAC algorithm. To verify the HMAC, HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104. This operation is part of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS in the Key Management Service Developer Guide. The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:VerifyMac (key policy) Related operations: GenerateMac Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
VerifyMacResponse |
This is the response object from the VerifyMac operation. |
|
VerifyRequest |
Container for the parameters to the Verify operation. Verifies a digital signature that was generated by the Sign operation.
Verification confirms that an authorized user signed the message with the specified
KMS key and signing algorithm, and the message hasn't changed since it was signed.
If the signature is verified, the value of the A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
To use the
You can also verify the digital signature by using the public key of the KMS key outside
of KMS. Use the GetPublicKey operation to download the public key in the asymmetric
KMS key and then use the public key to verify the signature outside of KMS. The advantage
of using the
To verify a signature outside of KMS with an SM2 public key (China Regions only),
you must specify the distinguishing ID. By default, KMS uses The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
Required permissions: kms:Verify (key policy) Related operations: Sign Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency. |
|
VerifyResponse |
This is the response object from the Verify operation. |
|
XksKeyAlreadyInUseException |
The request was rejected because the ( |
|
XksKeyConfigurationType |
Information about the external key that is associated with a KMS key in an external key store. This element appears in a CreateKey or DescribeKey response only for a KMS key in an external key store. The external key is a symmetric encryption key that is hosted by an external key manager outside of Amazon Web Services. When you use the KMS key in an external key store in a cryptographic operation, the cryptographic operation is performed in the external key manager using the specified external key. For more information, see External key in the Key Management Service Developer Guide. |
|
XksKeyInvalidConfigurationException |
The request was rejected because the external key specified by the The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. |
|
XksKeyNotFoundException |
The request was rejected because the external key store proxy could not find the external
key. This exception is thrown when the value of the
Verify that the |
|
XksProxyAuthenticationCredentialType |
KMS uses the authentication credential to sign requests that it sends to the external key store proxy (XKS proxy) on your behalf. You establish these credentials on your external key store proxy and report them to KMS.
The |
|
XksProxyConfigurationType |
Detailed information about the external key store proxy (XKS proxy). Your external
key store proxy translates KMS requests into a format that your external key manager
can understand. These fields appear in a DescribeCustomKeyStores response only
when the |
|
XksProxyIncorrectAuthenticationCredentialException |
The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy. |
|
XksProxyInvalidConfigurationException |
The request was rejected because the external key store proxy is not configured correctly. To identify the cause, see the error message that accompanies the exception. |
|
XksProxyInvalidResponseException |
KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor. |
|
XksProxyUriEndpointInUseException |
The request was rejected because the |
|
XksProxyUriInUseException |
The request was rejected because the concatenation of the |
|
XksProxyUriUnreachableException |
KMS was unable to reach the specified
This exception is also thrown when the external key store proxy response to a |
|
XksProxyVpcEndpointServiceInUseException |
The request was rejected because the specified Amazon VPC endpoint service is already associated with another external key store in this Amazon Web Services Region. Each external key store in a Region must use a different Amazon VPC endpoint service. |
|
XksProxyVpcEndpointServiceInvalidConfigurationException |
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store. To identify the cause, see the error message that accompanies the exception and review the requirements for Amazon VPC endpoint service connectivity for an external key store. |
|
XksProxyVpcEndpointServiceNotFoundException |
The request was rejected because KMS could not find the specified VPC endpoint service.
Use DescribeCustomKeyStores to verify the VPC endpoint service name for the
external key store. Also, confirm that the |
Name | Description | |
---|---|---|
IDescribeCustomKeyStoresPaginator |
Paginator for the DescribeCustomKeyStores operation |
|
IKeyManagementServicePaginatorFactory |
Paginators for the KeyManagementService service |
|
IListAliasesPaginator |
Paginator for the ListAliases operation |
|
IListGrantsPaginator |
Paginator for the ListGrants operation |
|
IListKeyPoliciesPaginator |
Paginator for the ListKeyPolicies operation |
|
IListKeyRotationsPaginator |
Paginator for the ListKeyRotations operation |
|
IListKeysPaginator |
Paginator for the ListKeys operation |
|
IListResourceTagsPaginator |
Paginator for the ListResourceTags operation |
|
IListRetirableGrantsPaginator |
Paginator for the ListRetirableGrants operation |