class Aws::KMS::Types::CreateKeyRequest

@!attribute [rw] policy
The key policy to attach to the KMS key.

If you provide a key policy, it must meet the following criteria:

* The key policy must allow the calling principal to make a
  subsequent `PutKeyPolicy` request on the KMS key. This reduces the
  risk that the KMS key becomes unmanageable. For more information,
  see [Default key policy][1] in the *Key Management Service
  Developer Guide*. (To omit this condition, set
  `BypassPolicyLockoutSafetyCheck` to true.)

* Each statement in the key policy must contain one or more
  principals. The principals in the key policy must exist and be
  visible to KMS. When you create a new Amazon Web Services
  principal, you might need to enforce a delay before including the
  new principal in a key policy because the new principal might not
  be immediately visible to KMS. For more information, see [Changes
  that I make are not always immediately visible][2] in the *Amazon
  Web Services Identity and Access Management User Guide*.

<note markdown="1"> If either of the required `Resource` or `Action` elements are
missing from a key policy statement, the policy statement has no
effect. When a key policy statement is missing one of these
elements, the KMS console correctly reports an error, but the
`CreateKey` and `PutKeyPolicy` API requests succeed, even though the
policy statement is ineffective.

For more information on required key policy elements, see [Elements
in a key policy][3] in the *Key Management Service Developer Guide*.

</note>

If you do not provide a key policy, KMS attaches a default key
policy to the KMS key. For more information, see [Default key
policy][4] in the *Key Management Service Developer Guide*.

<note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
`LimitExceededException`.

</note>

For help writing and formatting a JSON policy document, see the [IAM
JSON Policy Reference][5] in the *Identity and Access Management User
Guide*.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
[3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
[4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
@return [String]

@!attribute [rw] description
A description of the KMS key. Use a description that helps you
decide whether the KMS key is appropriate for a task. The default
value is an empty string (no description).

Do not include confidential or sensitive information in this field.
This field may be displayed in plaintext in CloudTrail logs and
other output.

To set or change the description after the key is created, use
UpdateKeyDescription.
@return [String]

@!attribute [rw] key_usage
Determines the [cryptographic operations][1] for which you can use
the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
is optional when you are creating a symmetric encryption KMS key;
otherwise, it is required. You can't change the `KeyUsage` value
after the KMS key is created.

Select only one valid value.

* For symmetric encryption KMS keys, omit the parameter or specify
  `ENCRYPT_DECRYPT`.

* For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.

* For asymmetric KMS keys with RSA key pairs, specify
  `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.

* For asymmetric KMS keys with NIST-recommended elliptic curve key
  pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.

* For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
  `SIGN_VERIFY`.

* For asymmetric KMS keys with ML-DSA key pairs, specify
  `SIGN_VERIFY`.

* For asymmetric KMS keys with SM2 key pairs (China Regions only),
  specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
@return [String]

@!attribute [rw] customer_master_key_spec
Instead, use the `KeySpec` parameter.

The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
way. Only the names differ. We recommend that you use the `KeySpec`
parameter in your code. However, to avoid breaking changes, KMS
supports both parameters.
@return [String]

@!attribute [rw] key_spec
Specifies the type of KMS key to create. The default value,
`SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
that is used for encryption and decryption, except in China Regions,
where it creates a 128-bit symmetric key that uses SM4 encryption.
For a detailed description of all supported key specs, see [Key spec
reference][1] in the *Key Management Service Developer Guide*.

The `KeySpec` determines whether the KMS key contains a symmetric
key or an asymmetric key pair. It also determines the algorithms
that the KMS key supports. You can't change the `KeySpec` after the
KMS key is created. To further restrict the algorithms that can be
used with the KMS key, use a condition key in its key policy or IAM
policy. For more information, see [kms:EncryptionAlgorithm][2],
[kms:MacAlgorithm][3], [kms:KeyAgreementAlgorithm][4], or
[kms:SigningAlgorithm][5] in the *Key Management Service Developer
Guide*.

[Amazon Web Services services that are integrated with KMS][6] use
symmetric encryption KMS keys to protect your data. These services
do not support asymmetric KMS keys or HMAC KMS keys.

KMS supports the following key specs for KMS keys:

* Symmetric encryption key (default)
  * `SYMMETRIC_DEFAULT`

* HMAC keys (symmetric)
  * `HMAC_224`
  * `HMAC_256`
  * `HMAC_384`
  * `HMAC_512`

* Asymmetric RSA key pairs (encryption and decryption -or- signing
  and verification)
  * `RSA_2048`
  * `RSA_3072`
  * `RSA_4096`

* Asymmetric NIST-recommended elliptic curve key pairs (signing and
  verification -or- deriving shared secrets)
  * `ECC_NIST_P256` (secp256r1)
  * `ECC_NIST_P384` (secp384r1)
  * `ECC_NIST_P521` (secp521r1)

* Other asymmetric elliptic curve key pairs (signing and
  verification)
  * `ECC_SECG_P256K1` (secp256k1), commonly used for
    cryptocurrencies.

* Asymmetric ML-DSA key pairs (signing and verification)
  * `ML_DSA_44`
  * `ML_DSA_65`
  * `ML_DSA_87`

* SM2 key pairs (encryption and decryption -or- signing and
  verification -or- deriving shared secrets)
  * `SM2` (China Regions only)

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm
[3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm
[4]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm
[5]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm
[6]: https://aws.amazon.com/kms/features/#AWS_Service_Integration
@return [String]

@!attribute [rw] origin
The source of the key material for the KMS key. You cannot change
the origin after you create the KMS key. The default is `AWS_KMS`,
which means that KMS creates the key material.

To [create a KMS key with no key material][1] (for imported key
material), set this value to `EXTERNAL`. For more information about
importing key material into KMS, see [Importing Key Material][2] in
the *Key Management Service Developer Guide*. The `EXTERNAL` origin
value is valid only for symmetric KMS keys.

To [create a KMS key in a CloudHSM key store][3] and create its key
material in the associated CloudHSM cluster, set this value to
`AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
to identify the CloudHSM key store. The `KeySpec` value must be
`SYMMETRIC_DEFAULT`.

To [create a KMS key in an external key store][4], set this value to
`EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
parameter to identify the external key store and the `XksKeyId`
parameter to identify the associated external key. The `KeySpec`
value must be `SYMMETRIC_DEFAULT`.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
@return [String]

@!attribute [rw] custom_key_store_id
Creates the KMS key in the specified [custom key store][1]. The
`ConnectionState` of the custom key store must be `CONNECTED`. To
find the CustomKeyStoreID and ConnectionState, use the
DescribeCustomKeyStores operation.

This parameter is valid only for symmetric encryption KMS keys in a
single Region. You cannot create any other type of KMS key in a
custom key store.

When you create a KMS key in a CloudHSM key store, KMS generates a
non-exportable 256-bit symmetric key in its associated CloudHSM
cluster and associates it with the KMS key. When you create a KMS
key in an external key store, you must use the `XksKeyId` parameter
to specify an external key that serves as key material for the KMS
key.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
@return [String]

@!attribute [rw] bypass_policy_lockout_safety_check
Skips ("bypasses") the key policy lockout safety check. The
default value is false.

Setting this value to true increases the risk that the KMS key
becomes unmanageable. Do not set this value to true
indiscriminately.

For more information, see [Default key policy][1] in the *Key
Management Service Developer Guide*.

Use this parameter only when you intend to prevent the principal
that is making the request from making a subsequent
[PutKeyPolicy][2] request on the KMS key.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
@return [Boolean]

@!attribute [rw] tags
Assigns one or more tags to the KMS key. Use this parameter to tag
the KMS key when it is created. To tag an existing KMS key, use the
TagResource operation.

Do not include confidential or sensitive information in this field.
This field may be displayed in plaintext in CloudTrail logs and
other output.

<note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
KMS key. For details, see [ABAC for KMS][1] in the *Key Management
Service Developer Guide*.

</note>

To use this parameter, you must have [kms:TagResource][2] permission
in an IAM policy.

Each tag consists of a tag key and a tag value. Both the tag key and
the tag value are required, but the tag value can be an empty (null)
string. You cannot have more than one tag on a KMS key with the same
tag key. If you specify an existing tag key with a different tag
value, KMS replaces the current tag value with the specified one.

When you add tags to an Amazon Web Services resource, Amazon Web
Services generates a cost allocation report with usage and costs
aggregated by tags. Tags can also be used to control access to a KMS
key. For details, see [Tags in KMS][3].

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
[3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
@return [Array<Types::Tag>]

@!attribute [rw] multi_region
Creates a multi-Region primary key that you can replicate into other
Amazon Web Services Regions. You cannot change this value after you
create the KMS key.

For a multi-Region key, set this parameter to `True`. For a
single-Region KMS key, omit this parameter or set it to `False`. The
default value is `False`.

This operation supports *multi-Region keys*, a KMS feature that
lets you create multiple interoperable KMS keys in different Amazon
Web Services Regions. Because these KMS keys have the same key ID,
key material, and other metadata, you can use them interchangeably
to encrypt data in one Amazon Web Services Region and decrypt it in
a different Amazon Web Services Region without re-encrypting the
data or making a cross-Region call. For more information about
multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
Management Service Developer Guide*.

This value creates a *primary key*, not a replica. To create a
*replica key*, use the ReplicateKey operation.

You can create a symmetric or asymmetric multi-Region key, and you
can create a multi-Region key with imported key material. However,
you cannot create a multi-Region key in a custom key store.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
@return [Boolean]

@!attribute [rw] xks_key_id
Identifies the [external key][1] that serves as key material for the
KMS key in an [external key store][2]. Specify the ID that the
[external key store proxy][3] uses to refer to the external key. For
help, see the documentation for your external key store proxy.

This parameter is required for a KMS key with an `Origin` value of
`EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
`Origin` value.

The external key must be an existing 256-bit AES symmetric
encryption key hosted outside of Amazon Web Services in an external
key manager associated with the external key store specified by the
`CustomKeyStoreId` parameter. This key must be enabled and
configured to perform encryption and decryption. Each KMS key in an
external key store must use a different external key. For details,
see [Requirements for a KMS key in an external key store][4] in the
*Key Management Service Developer Guide*.

Each KMS key in an external key store is associated with two backing
keys. One is key material that KMS generates. The other is the
external key specified by this parameter. When you use the KMS key
in an external key store to encrypt data, the encryption operation
is performed first by KMS using the KMS key material, and then by
the external key manager using the specified external key, a process
known as *double encryption*. For details, see [Double
encryption][5] in the *Key Management Service Developer Guide*.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
[3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html#xks-key-requirements
[5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
@return [String]

@see https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
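The parameter constraints documented above (KeySpec/KeyUsage pairs, Origin requirements, XksKeyId, custom key stores versus multi-Region, duplicate tag keys, and key policy statements that CreateKey accepts but that have no effect) can be checked client-side before the request is sent. The following is an added example in plain Ruby, not code from the AWS SDK or this documentation; `check_create_key` and `check_policy` are hypothetical names, and it takes a params hash in the Ruby SDK's snake_case style.

```ruby
require 'json'

# KeyUsage values CreateKey accepts for each KeySpec, taken from the
# parameter documentation above (SM2 is China Regions only).
KEY_USAGE_BY_SPEC = {
  'SYMMETRIC_DEFAULT' => %w[ENCRYPT_DECRYPT],
  'HMAC_224' => %w[GENERATE_VERIFY_MAC], 'HMAC_256' => %w[GENERATE_VERIFY_MAC],
  'HMAC_384' => %w[GENERATE_VERIFY_MAC], 'HMAC_512' => %w[GENERATE_VERIFY_MAC],
  'RSA_2048' => %w[ENCRYPT_DECRYPT SIGN_VERIFY], 'RSA_3072' => %w[ENCRYPT_DECRYPT SIGN_VERIFY],
  'RSA_4096' => %w[ENCRYPT_DECRYPT SIGN_VERIFY],
  'ECC_NIST_P256' => %w[SIGN_VERIFY KEY_AGREEMENT], 'ECC_NIST_P384' => %w[SIGN_VERIFY KEY_AGREEMENT],
  'ECC_NIST_P521' => %w[SIGN_VERIFY KEY_AGREEMENT], 'ECC_SECG_P256K1' => %w[SIGN_VERIFY],
  'ML_DSA_44' => %w[SIGN_VERIFY], 'ML_DSA_65' => %w[SIGN_VERIFY], 'ML_DSA_87' => %w[SIGN_VERIFY],
  'SM2' => %w[ENCRYPT_DECRYPT SIGN_VERIFY KEY_AGREEMENT]
}.freeze

# A statement missing Resource or Action is accepted by CreateKey but has no
# effect, and every statement needs a principal, so flag both before the call.
def check_policy(policy_json)
  Array(JSON.parse(policy_json)['Statement']).each_with_index.flat_map do |stmt, i|
    %w[Principal Action Resource].reject { |k| stmt.key?(k) }
                                 .map { |k| "policy statement #{i} lacks #{k}" }
  end
end

# Returns the documented constraints that a create_key params hash violates
# (empty when the request is consistent). Hypothetical helper, not SDK code.
def check_create_key(params)
  errs   = []
  spec   = params[:key_spec] || 'SYMMETRIC_DEFAULT'
  usage  = params[:key_usage] || (spec == 'SYMMETRIC_DEFAULT' ? 'ENCRYPT_DECRYPT' : nil)
  origin = params[:origin] || 'AWS_KMS'
  allowed = KEY_USAGE_BY_SPEC[spec]
  errs << "unknown KeySpec #{spec}" unless allowed
  errs << "KeyUsage is required for KeySpec #{spec}" if allowed && usage.nil?
  errs << "KeyUsage #{usage} not valid for KeySpec #{spec}" if allowed && usage && !allowed.include?(usage)
  errs << 'Origin EXTERNAL is valid only for symmetric KMS keys' if origin == 'EXTERNAL' && !(spec == 'SYMMETRIC_DEFAULT' || spec.start_with?('HMAC_'))
  if %w[AWS_CLOUDHSM EXTERNAL_KEY_STORE].include?(origin)
    errs << "Origin #{origin} requires CustomKeyStoreId" unless params[:custom_key_store_id]
    errs << "Origin #{origin} requires KeySpec SYMMETRIC_DEFAULT" unless spec == 'SYMMETRIC_DEFAULT'
  end
  errs << 'Origin EXTERNAL_KEY_STORE requires XksKeyId' if origin == 'EXTERNAL_KEY_STORE' && !params[:xks_key_id]
  errs << 'XksKeyId is valid only with Origin EXTERNAL_KEY_STORE' if params[:xks_key_id] && origin != 'EXTERNAL_KEY_STORE'
  errs << 'a multi-Region key cannot be created in a custom key store' if params[:multi_region] && params[:custom_key_store_id]
  tag_keys = Array(params[:tags]).map { |t| t[:tag_key] }
  errs << 'more than one tag with the same tag key' if tag_keys.uniq.size != tag_keys.size
  errs.concat(check_policy(params[:policy])) if params[:policy]
  errs
end
```

The check does not replace the service's own validation; it catches the cases this documentation describes as silently accepted or as rejected only after the round trip.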