1. Packages
  2. AWS Classic
  3. API Docs
  4. kms
  5. Key

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.23.0 published on Thursday, Feb 22, 2024 by Pulumi

aws.kms.Key

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.23.0 published on Thursday, Feb 22, 2024 by Pulumi

    Manages a single-Region or multi-Region primary KMS key.

    NOTE on KMS Key Policy: KMS Key Policy can be configured in either the standalone resource aws.kms.KeyPolicy or with the parameter policy in this resource. Configuring with both will cause inconsistencies and may overwrite configuration.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var key = new Aws.Kms.Key("key", new()
        {
            DeletionWindowInDays = 10,
            Description = "KMS key 1",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := kms.NewKey(ctx, "key", &kms.KeyArgs{
    			DeletionWindowInDays: pulumi.Int(10),
    			Description:          pulumi.String("KMS key 1"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var key = new Key("key", KeyArgs.builder()        
                .deletionWindowInDays(10)
                .description("KMS key 1")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    key = aws.kms.Key("key",
        deletion_window_in_days=10,
        description="KMS key 1")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const key = new aws.kms.Key("key", {
        deletionWindowInDays: 10,
        description: "KMS key 1",
    });
    
    resources:
      key:
        type: aws:kms:Key
        properties:
          deletionWindowInDays: 10
          description: KMS key 1
    

    Create Key Resource

    new Key(name: string, args?: KeyArgs, opts?: CustomResourceOptions);
    @overload
    def Key(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            bypass_policy_lockout_safety_check: Optional[bool] = None,
            custom_key_store_id: Optional[str] = None,
            customer_master_key_spec: Optional[str] = None,
            deletion_window_in_days: Optional[int] = None,
            description: Optional[str] = None,
            enable_key_rotation: Optional[bool] = None,
            is_enabled: Optional[bool] = None,
            key_usage: Optional[str] = None,
            multi_region: Optional[bool] = None,
            policy: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            xks_key_id: Optional[str] = None)
    @overload
    def Key(resource_name: str,
            args: Optional[KeyArgs] = None,
            opts: Optional[ResourceOptions] = None)
    func NewKey(ctx *Context, name string, args *KeyArgs, opts ...ResourceOption) (*Key, error)
    public Key(string name, KeyArgs? args = null, CustomResourceOptions? opts = null)
    public Key(String name, KeyArgs args)
    public Key(String name, KeyArgs args, CustomResourceOptions options)
    
    type: aws:kms:Key
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Key Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Key resource accepts the following input properties:

    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    Tags Dictionary<string, string>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    Tags map[string]string
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Integer
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags Map<String,String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypassPolicyLockoutSafetyCheck boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId string
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description string
    The description of the key as viewed in AWS console.
    enableKeyRotation boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled boolean
    Specifies whether the key is enabled. Defaults to true.
    keyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags {[key: string]: string}
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypass_policy_lockout_safety_check bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    custom_key_store_id str
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customer_master_key_spec str
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletion_window_in_days int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description str
    The description of the key as viewed in AWS console.
    enable_key_rotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    is_enabled bool
    Specifies whether the key is enabled. Defaults to true.
    key_usage str
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multi_region bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy str

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags Mapping[str, str]
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xks_key_id str
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags Map<String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Key resource produces the following output properties:

    Arn string
    The Amazon Resource Name (ARN) of the key.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyId string
    The globally unique identifier for the key.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Arn string
    The Amazon Resource Name (ARN) of the key.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyId string
    The globally unique identifier for the key.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    The Amazon Resource Name (ARN) of the key.
    id String
    The provider-assigned unique ID for this managed resource.
    keyId String
    The globally unique identifier for the key.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn string
    The Amazon Resource Name (ARN) of the key.
    id string
    The provider-assigned unique ID for this managed resource.
    keyId string
    The globally unique identifier for the key.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn str
    The Amazon Resource Name (ARN) of the key.
    id str
    The provider-assigned unique ID for this managed resource.
    key_id str
    The globally unique identifier for the key.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    The Amazon Resource Name (ARN) of the key.
    id String
    The provider-assigned unique ID for this managed resource.
    keyId String
    The globally unique identifier for the key.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Look up Existing Key Resource

    Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeyState, opts?: CustomResourceOptions): Key
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            bypass_policy_lockout_safety_check: Optional[bool] = None,
            custom_key_store_id: Optional[str] = None,
            customer_master_key_spec: Optional[str] = None,
            deletion_window_in_days: Optional[int] = None,
            description: Optional[str] = None,
            enable_key_rotation: Optional[bool] = None,
            is_enabled: Optional[bool] = None,
            key_id: Optional[str] = None,
            key_usage: Optional[str] = None,
            multi_region: Optional[bool] = None,
            policy: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            xks_key_id: Optional[str] = None) -> Key
    func GetKey(ctx *Context, name string, id IDInput, state *KeyState, opts ...ResourceOption) (*Key, error)
    public static Key Get(string name, Input<string> id, KeyState? state, CustomResourceOptions? opts = null)
    public static Key get(String name, Output<String> id, KeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The Amazon Resource Name (ARN) of the key.
    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyId string
    The globally unique identifier for the key.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    Tags Dictionary<string, string>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    Arn string
    The Amazon Resource Name (ARN) of the key.
    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyId string
    The globally unique identifier for the key.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    Tags map[string]string
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn String
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Integer
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyId String
    The globally unique identifier for the key.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags Map<String,String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn string
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId string
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description string
    The description of the key as viewed in AWS console.
    enableKeyRotation boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled boolean
    Specifies whether the key is enabled. Defaults to true.
    keyId string
    The globally unique identifier for the key.
    keyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags {[key: string]: string}
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    xksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn str
    The Amazon Resource Name (ARN) of the key.
    bypass_policy_lockout_safety_check bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    custom_key_store_id str
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customer_master_key_spec str
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletion_window_in_days int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description str
    The description of the key as viewed in AWS console.
    enable_key_rotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    is_enabled bool
    Specifies whether the key is enabled. Defaults to true.
    key_id str
    The globally unique identifier for the key.
    key_usage str
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multi_region bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy str

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags Mapping[str, str]
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    xks_key_id str
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn String
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyId String
    The globally unique identifier for the key.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    tags Map<String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.

    Import

    Using pulumi import, import KMS Keys using the id. For example:

     $ pulumi import aws:kms/key:Key a 1234abcd-12ab-34cd-56ef-1234567890ab
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.23.0 published on Thursday, Feb 22, 2024 by Pulumi