Azure Native v2.73.0, Nov 20 24

This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.

Azure Native v2.73.0 published on Wednesday, Nov 20, 2024 by Pulumi

pulumi/pulumi-azure-native

azure-native.awsconnector.getKmsKey

Explore with Pulumi AI

This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.

Azure Native v2.73.0 published on Wednesday, Nov 20, 2024 by Pulumi

pulumi/pulumi-azure-native

Using getKmsKey

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getKmsKey(args: GetKmsKeyArgs, opts?: InvokeOptions): Promise<GetKmsKeyResult>
function getKmsKeyOutput(args: GetKmsKeyOutputArgs, opts?: InvokeOptions): Output<GetKmsKeyResult>

def get_kms_key(name: Optional[str] = None,
                resource_group_name: Optional[str] = None,
                opts: Optional[InvokeOptions] = None) -> GetKmsKeyResult
def get_kms_key_output(name: Optional[pulumi.Input[str]] = None,
                resource_group_name: Optional[pulumi.Input[str]] = None,
                opts: Optional[InvokeOptions] = None) -> Output[GetKmsKeyResult]

func LookupKmsKey(ctx *Context, args *LookupKmsKeyArgs, opts ...InvokeOption) (*LookupKmsKeyResult, error)
func LookupKmsKeyOutput(ctx *Context, args *LookupKmsKeyOutputArgs, opts ...InvokeOption) LookupKmsKeyResultOutput

> Note: This function is named LookupKmsKey in the Go SDK.

public static class GetKmsKey 
{
    public static Task<GetKmsKeyResult> InvokeAsync(GetKmsKeyArgs args, InvokeOptions? opts = null)
    public static Output<GetKmsKeyResult> Invoke(GetKmsKeyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetKmsKeyResult> getKmsKey(GetKmsKeyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet

fn::invoke:
  function: azure-native:awsconnector:getKmsKey
  arguments:
    # arguments dictionary

The following arguments are supported:

Name string: Name of KmsKey
ResourceGroupName string: The name of the resource group. The name is case insensitive.

Name string: Name of KmsKey
ResourceGroupName string: The name of the resource group. The name is case insensitive.

name String: Name of KmsKey
resourceGroupName String: The name of the resource group. The name is case insensitive.

name string: Name of KmsKey
resourceGroupName string: The name of the resource group. The name is case insensitive.

name str: Name of KmsKey
resource_group_name str: The name of the resource group. The name is case insensitive.

name String: Name of KmsKey
resourceGroupName String: The name of the resource group. The name is case insensitive.

getKmsKey Result

The following output properties are available:

Id string: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
Location string: The geo-location where the resource lives
Name string: The name of the resource
Properties Pulumi.AzureNative.AwsConnector.Outputs.KmsKeyPropertiesResponse: The resource-specific properties for this resource.
SystemData Pulumi.AzureNative.AwsConnector.Outputs.SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Tags Dictionary<string, string>: Resource tags.

Id string: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
Location string: The geo-location where the resource lives
Name string: The name of the resource
Properties KmsKeyPropertiesResponse: The resource-specific properties for this resource.
SystemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Tags map[string]string: Resource tags.

id String: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
location String: The geo-location where the resource lives
name String: The name of the resource
properties KmsKeyPropertiesResponse: The resource-specific properties for this resource.
systemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
tags Map<String,String>: Resource tags.

id string: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
location string: The geo-location where the resource lives
name string: The name of the resource
properties KmsKeyPropertiesResponse: The resource-specific properties for this resource.
systemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
tags {[key: string]: string}: Resource tags.

id str: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
location str: The geo-location where the resource lives
name str: The name of the resource
properties KmsKeyPropertiesResponse: The resource-specific properties for this resource.
system_data SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type str: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
tags Mapping[str, str]: Resource tags.

id String: Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
location String: The geo-location where the resource lives
name String: The name of the resource
properties Property Map: The resource-specific properties for this resource.
systemData Property Map: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
tags Map<String>: Resource tags.

Supporting Types

AwsKmsKeyPropertiesResponse

Arn string: Property arn
BypassPolicyLockoutSafetyCheck bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
Description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
EnableKeyRotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
Enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
KeyId string: Property keyId
KeyPolicy object: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
KeySpec string: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
KeyUsage string: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
MultiRegion bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
Origin string: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
PendingWindowInDays int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
RotationPeriodInDays int: Property rotationPeriodInDays
Tags List<Pulumi.AzureNative.AwsConnector.Inputs.TagResponse>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

Arn string: Property arn
BypassPolicyLockoutSafetyCheck bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
Description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
EnableKeyRotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
Enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
KeyId string: Property keyId
KeyPolicy interface{}: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
KeySpec string: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
KeyUsage string: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
MultiRegion bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
Origin string: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
PendingWindowInDays int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
RotationPeriodInDays int: Property rotationPeriodInDays
Tags []TagResponse: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn String: Property arn
bypassPolicyLockoutSafetyCheck Boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description String: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation Boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled Boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId String: Property keyId
keyPolicy Object: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec String: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage String: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion Boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin String: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays Integer: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays Integer: Property rotationPeriodInDays
tags List<TagResponse>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn string: Property arn
bypassPolicyLockoutSafetyCheck boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId string: Property keyId
keyPolicy any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec string: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage string: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin string: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays number: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays number: Property rotationPeriodInDays
tags TagResponse[]: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn str: Property arn
bypass_policy_lockout_safety_check bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description str: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enable_key_rotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
key_id str: Property keyId
key_policy Any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
key_spec str: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
key_usage str: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multi_region bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin str: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pending_window_in_days int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotation_period_in_days int: Property rotationPeriodInDays
tags Sequence[TagResponse]: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn String: Property arn
bypassPolicyLockoutSafetyCheck Boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description String: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation Boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled Boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId String: Property keyId
keyPolicy Any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec String: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage String: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion Boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin String: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays Number: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays Number: Property rotationPeriodInDays
tags List<Property Map>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

KmsKeyPropertiesResponse

ProvisioningState string: The status of the last operation.
Arn string: Amazon Resource Name (ARN)
AwsAccountId string: AWS Account ID
AwsProperties Pulumi.AzureNative.AwsConnector.Inputs.AwsKmsKeyPropertiesResponse: AWS Properties
AwsRegion string: AWS Region
AwsSourceSchema string: AWS Source Schema
AwsTags Dictionary<string, string>: AWS Tags
PublicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
PublicCloudResourceName string: Public Cloud Resource Name

ProvisioningState string: The status of the last operation.
Arn string: Amazon Resource Name (ARN)
AwsAccountId string: AWS Account ID
AwsProperties AwsKmsKeyPropertiesResponse: AWS Properties
AwsRegion string: AWS Region
AwsSourceSchema string: AWS Source Schema
AwsTags map[string]string: AWS Tags
PublicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
PublicCloudResourceName string: Public Cloud Resource Name

provisioningState String: The status of the last operation.
arn String: Amazon Resource Name (ARN)
awsAccountId String: AWS Account ID
awsProperties AwsKmsKeyPropertiesResponse: AWS Properties
awsRegion String: AWS Region
awsSourceSchema String: AWS Source Schema
awsTags Map<String,String>: AWS Tags
publicCloudConnectorsResourceId String: Public Cloud Connectors Resource ID
publicCloudResourceName String: Public Cloud Resource Name

provisioningState string: The status of the last operation.
arn string: Amazon Resource Name (ARN)
awsAccountId string: AWS Account ID
awsProperties AwsKmsKeyPropertiesResponse: AWS Properties
awsRegion string: AWS Region
awsSourceSchema string: AWS Source Schema
awsTags {[key: string]: string}: AWS Tags
publicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
publicCloudResourceName string: Public Cloud Resource Name

provisioning_state str: The status of the last operation.
arn str: Amazon Resource Name (ARN)
aws_account_id str: AWS Account ID
aws_properties AwsKmsKeyPropertiesResponse: AWS Properties
aws_region str: AWS Region
aws_source_schema str: AWS Source Schema
aws_tags Mapping[str, str]: AWS Tags
public_cloud_connectors_resource_id str: Public Cloud Connectors Resource ID
public_cloud_resource_name str: Public Cloud Resource Name

provisioningState String: The status of the last operation.
arn String: Amazon Resource Name (ARN)
awsAccountId String: AWS Account ID
awsProperties Property Map: AWS Properties
awsRegion String: AWS Region
awsSourceSchema String: AWS Source Schema
awsTags Map<String>: AWS Tags
publicCloudConnectorsResourceId String: Public Cloud Connectors Resource ID
publicCloudResourceName String: Public Cloud Resource Name

SystemDataResponse

CreatedAt string: The timestamp of resource creation (UTC).
CreatedBy string: The identity that created the resource.
CreatedByType string: The type of identity that created the resource.
LastModifiedAt string: The timestamp of resource last modification (UTC)
LastModifiedBy string: The identity that last modified the resource.
LastModifiedByType string: The type of identity that last modified the resource.

CreatedAt string: The timestamp of resource creation (UTC).
CreatedBy string: The identity that created the resource.
CreatedByType string: The type of identity that created the resource.
LastModifiedAt string: The timestamp of resource last modification (UTC)
LastModifiedBy string: The identity that last modified the resource.
LastModifiedByType string: The type of identity that last modified the resource.

createdAt String: The timestamp of resource creation (UTC).
createdBy String: The identity that created the resource.
createdByType String: The type of identity that created the resource.
lastModifiedAt String: The timestamp of resource last modification (UTC)
lastModifiedBy String: The identity that last modified the resource.
lastModifiedByType String: The type of identity that last modified the resource.

createdAt string: The timestamp of resource creation (UTC).
createdBy string: The identity that created the resource.
createdByType string: The type of identity that created the resource.
lastModifiedAt string: The timestamp of resource last modification (UTC)
lastModifiedBy string: The identity that last modified the resource.
lastModifiedByType string: The type of identity that last modified the resource.

created_at str: The timestamp of resource creation (UTC).
created_by str: The identity that created the resource.
created_by_type str: The type of identity that created the resource.
last_modified_at str: The timestamp of resource last modification (UTC)
last_modified_by str: The identity that last modified the resource.
last_modified_by_type str: The type of identity that last modified the resource.

createdAt String: The timestamp of resource creation (UTC).
createdBy String: The identity that created the resource.
createdByType String: The type of identity that created the resource.
lastModifiedAt String: The timestamp of resource last modification (UTC)
lastModifiedBy String: The identity that last modified the resource.
lastModifiedByType String: The type of identity that last modified the resource.

TagResponse

Key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

Key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key String: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value String: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key str: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value str: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key String: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value String: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

Package Details

Repository: Azure Native pulumi/pulumi-azure-native
License: Apache-2.0

This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.

Azure Native v2.73.0 published on Wednesday, Nov 20, 2024 by Pulumi

pulumi/pulumi-azure-native

azure-native.awsconnector.getKmsKey

On this page

On this page

Using getKmsKey

getKmsKey Result

Supporting Types

AwsKmsKeyPropertiesResponse

KmsKeyPropertiesResponse

SystemDataResponse

TagResponse

Package Details

On this page

On this page