class Aws::KMS::Types::GrantConstraints

@see docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@return [Hash<String,String>]<br>: docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations<br><br><br><br>same as the encryption context specified in this constraint.
operation only when the encryption context in the request is the
the [cryptographic operation] request. The grant allows the
A list of key-value pairs that must match the encryption context in
@!attribute [rw] encryption_context_equals
@return [Hash<String,String>]<br>: docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations<br><br><br><br>constraint, although it can include additional key-value pairs.
in the request includes the key-value pairs specified in this
allows the cryptographic operation only when the encryption context
context of the [cryptographic operation] request. The grant
A list of key-value pairs that must be included in the encryption
@!attribute [rw] encryption_context_subset<br><br>: docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context<br>[2]: docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html<br>[1]: docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations<br><br><br><br>Management Service Developer Guide</i> </i>.
details, see [kms:EncryptionContext:context-key] in the <i> <i>Key
`kms:EncryptionContextKeys` conditions in an IAM or key policy. For
context, use the ‘kms:EncryptionContext:` and
differ only by case. To require a fully case-sensitive encryption
To avoid confusion, do not use multiple encryption context pairs that
case sensitive, but the value is case sensitive.
However, in a grant constraint, the key in each key-value pair is not
order of the pairs can vary.
values in the encryption context of the encryption operation. Only the
operation must be an exact, case-sensitive match for the keys and
In a cryptographic operation, the encryption context in the decryption
operations, such as DescribeKey or RetireGrant.
cryptographic operations with asymmetric KMS keys and management
to operations that do not support an encryption context, such as
operations with a symmetric KMS key. Grant constraints are not applied
that support an encryption context, that is, all cryptographic
KMS applies the grant constraints only to cryptographic operations<br><br>context].
only when the operation request includes the specified [encryption
Use this structure to allow [cryptographic operations] in the grant

Namespace

Aws::KMS::Types

Included Modules

Aws::KMS::Types::GrantConstraints::Aws::Structure

Defined in

lib/aws-sdk-kms/types.rb