class Key (construct)
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.KMS.Key |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awskms#Key |
Java | software.amazon.awscdk.services.kms.Key |
Python | aws_cdk.aws_kms.Key |
TypeScript (source) | aws-cdk-lib » aws_kms » Key |
Implements
IConstruct, IDependable, IResource, IKey
Defines a KMS key.
Example
```ts
import * as kms from 'aws-cdk-lib/aws-kms';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

// Customer-managed key used for SSE-KMS on the bucket
const myKmsKey = new kms.Key(this, 'myKMSKey');
const myBucket = new s3.Bucket(this, 'mySSEKMSEncryptedBucket', {
  encryption: s3.BucketEncryption.KMS,
  encryptionKey: myKmsKey,
  objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
});
new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: {
    origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket), // Automatically grants Distribution access to `myKmsKey`
  },
});
```
Initializer
new Key(scope: Construct, id: string, props?: KeyProps)
Parameters
- scope
Construct
- id
string
- props?
KeyProps
Construct Props
Name | Type | Description |
---|---|---|
admins? | IPrincipal[] | A list of principals to add as key administrators to the key policy. |
alias? | string | Initial alias to add to the key. |
description? | string | A description of the key. |
enableKeyRotation? | boolean | Indicates whether AWS KMS rotates the key. |
enabled? | boolean | Indicates whether the key is available for use. |
keySpec? | KeySpec | The cryptographic configuration of the key. The valid value depends on usage of the key. |
keyUsage? | KeyUsage | The cryptographic operations for which the key can be used. |
multiRegion? | boolean | Creates a multi-Region primary key that you can replicate in other AWS Regions. |
pendingWindow? | Duration | Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack. |
policy? | PolicyDocument | Custom policy document to attach to the KMS key. |
removalPolicy? | RemovalPolicy | Whether the encryption key should be retained when it is removed from the Stack. |
rotationPeriod? | Duration | The period between each automatic rotation. |
admins?
Type:
IPrincipal[]
(optional, default: [])
A list of principals to add as key administrators to the key policy.
Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
These principals will be added to the default key policy (if none specified), or to the specified policy (if provided).
alias?
Type:
string
(optional, default: No alias is added for the key.)
Initial alias to add to the key.
More aliases can be added later by calling addAlias.
description?
Type:
string
(optional, default: No description.)
A description of the key.
Use a description that helps your users decide whether the key is appropriate for a particular task.
enableKeyRotation?
Type:
boolean
(optional, default: false)
Indicates whether AWS KMS rotates the key.
enabled?
Type:
boolean
(optional, default: Key is enabled.)
Indicates whether the key is available for use.
keySpec?
Type:
KeySpec
(optional, default: KeySpec.SYMMETRIC_DEFAULT)
The cryptographic configuration of the key. The valid value depends on usage of the key.
IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value.
keyUsage?
Type:
KeyUsage
(optional, default: KeyUsage.ENCRYPT_DECRYPT)
The cryptographic operations for which the key can be used.
IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value.
multiRegion?
Type:
boolean
(optional, default: false)
Creates a multi-Region primary key that you can replicate in other AWS Regions.
You can't change the multiRegion value after the KMS key is created.
IMPORTANT: If you change the value of the multiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value.
See also: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
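Because a keySpec or keyUsage change replaces the key and a multiRegion change fails the update, a pre-deploy check on the synthesized template is a cheap safeguard. The following TypeScript is an added example, not aws-cdk-lib code: it compares two templates (as cdk synth would write them) and reports each AWS::KMS::Key whose immutable properties changed, together with whether the old key is kept by UpdateReplacePolicy. The function names, the finding shape and the sample templates are this example's own constructions; the property names and their defaults are CloudFormation's.

```typescript
// Added example (not aws-cdk-lib code): a pre-deploy check over two synthesized
// CloudFormation templates that flags changes to the properties the docs above
// call immutable on AWS::KMS::Key (KeySpec, KeyUsage, MultiRegion). Function
// names, the finding shape and the sample templates are this example's own
// constructions; the property names and defaults are CloudFormation's.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
  DeletionPolicy?: string;
  UpdateReplacePolicy?: string;   // governs the old key when a replacement happens
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

// CloudFormation defaults used when the property is omitted from the template.
const DEFAULTS = { KeySpec: 'SYMMETRIC_DEFAULT', KeyUsage: 'ENCRYPT_DECRYPT', MultiRegion: false } as const;
type ImmutableProp = keyof typeof DEFAULTS;
const IMMUTABLE_PROPS: ImmutableProp[] = ['KeySpec', 'KeyUsage', 'MultiRegion'];

interface KeyFinding {
  logicalId: string;
  property: ImmutableProp;
  from: unknown;
  to: unknown;
  // 'replacement': the existing key is scheduled for deletion and a new key is created.
  // 'update-fails': CloudFormation rejects the change (MultiRegion cannot change).
  outcome: 'replacement' | 'update-fails';
  oldKeyRetained: boolean;   // true when UpdateReplacePolicy on the old resource is Retain
}

function effective(res: CfnResource, prop: ImmutableProp): unknown {
  const v = res.Properties ? res.Properties[prop] : undefined;
  return v === undefined ? DEFAULTS[prop] : v;
}

function findKeyReplacements(oldTpl: CfnTemplate, newTpl: CfnTemplate): KeyFinding[] {
  const findings: KeyFinding[] = [];
  for (const id of Object.keys(newTpl.Resources)) {
    const next = newTpl.Resources[id];
    const prev = oldTpl.Resources[id];
    if (next.Type !== 'AWS::KMS::Key' || !prev || prev.Type !== 'AWS::KMS::Key') continue;
    for (const prop of IMMUTABLE_PROPS) {
      const from = effective(prev, prop);
      const to = effective(next, prop);
      if (from === to) continue;
      findings.push({
        logicalId: id,
        property: prop,
        from,
        to,
        outcome: prop === 'MultiRegion' ? 'update-fails' : 'replacement',
        oldKeyRetained: prev.UpdateReplacePolicy === 'Retain',
      });
    }
  }
  return findings;
}

function describe(f: KeyFinding): string {
  const change = `${f.logicalId}: ${f.property} ${String(f.from)} -> ${String(f.to)}`;
  if (f.outcome === 'update-fails') return `${change}: update will fail (immutable property)`;
  return `${change}: key replaced; old key ${f.oldKeyRetained ? 'retained' : 'scheduled for deletion'}`;
}

// Constructed sample templates: AppKey switches from the symmetric default to an
// RSA signing key without a Retain policy (ciphertext under the old key becomes
// unreadable once the pending window ends); SigningKey flips MultiRegion.
const before: CfnTemplate = { Resources: {
  AppKey: { Type: 'AWS::KMS::Key', Properties: { EnableKeyRotation: true }, DeletionPolicy: 'Delete', UpdateReplacePolicy: 'Delete' },
  SigningKey: { Type: 'AWS::KMS::Key', Properties: { KeySpec: 'RSA_2048', KeyUsage: 'SIGN_VERIFY' }, DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain' },
} };
const after: CfnTemplate = { Resources: {
  AppKey: { Type: 'AWS::KMS::Key', Properties: { KeySpec: 'RSA_2048', KeyUsage: 'SIGN_VERIFY' }, DeletionPolicy: 'Delete', UpdateReplacePolicy: 'Delete' },
  SigningKey: { Type: 'AWS::KMS::Key', Properties: { KeySpec: 'RSA_2048', KeyUsage: 'SIGN_VERIFY', MultiRegion: true }, DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain' },
} };

for (const f of findKeyReplacements(before, after)) console.log(describe(f));
```

In CI, point it at the template from the last deployed commit and the current one, and fail the pipeline on any replacement finding whose old key is not retained: ciphertext produced under the old key stops being decryptable once that key is deleted.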
pendingWindow?
Type:
Duration
(optional, default: 30 days)
Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack.
When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of the waiting period. During the waiting period, the key state of the CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK.
Enter a value between 7 and 30 days.
policy?
Type:
PolicyDocument
(optional, default: A policy document with permissions for the account root to administer the key will be created.)
Custom policy document to attach to the KMS key.
NOTE - If the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set (the default for new projects), this policy will override the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy.
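As an added example (not code from aws-cdk-lib or from this page), the following TypeScript models how the admins and policy props combine with the default key policy under the @aws-cdk/aws-kms:defaultKeyPolicies flag, and includes the two checks a reviewer would run on the result: does the account root still administer the key, and can a key administrator use it to decrypt? The statement shape, the ADMIN_ACTIONS list, every function name and the account and role ARNs are this example's own assumptions, not the CDK's internals.

```typescript
// Added example (not aws-cdk-lib code): models how the `admins` and `policy`
// props combine with the default key policy under the
// @aws-cdk/aws-kms:defaultKeyPolicies feature flag, and checks the result.
// The statement shape, ADMIN_ACTIONS list, function names and sample ARNs
// are this example's own assumptions; the combination rules follow the docs.

interface Statement {
  effect: 'Allow' | 'Deny';
  principals: string[];   // principal ARNs
  actions: string[];      // may end in '*', e.g. 'kms:Create*'
  resources: string[];    // '*' inside a key policy means "this key"
}

interface PolicyDocument {
  statements: Statement[];
}

// Management-only actions for key administrators (assumed list, modelled on what
// the CDK hands to admins): they can change the policy or schedule deletion, but
// nothing here allows Encrypt, Decrypt, Sign or GenerateDataKey.
const ADMIN_ACTIONS = [
  'kms:Create*', 'kms:Describe*', 'kms:Enable*', 'kms:List*', 'kms:Put*', 'kms:Update*',
  'kms:Revoke*', 'kms:Disable*', 'kms:Get*', 'kms:Delete*', 'kms:TagResource',
  'kms:UntagResource', 'kms:ScheduleKeyDeletion', 'kms:CancelKeyDeletion',
];

interface KeyPolicyInputs {
  accountId: string;
  admins?: string[];                // the `admins` prop, as principal ARNs
  policy?: PolicyDocument;          // the `policy` prop
  defaultKeyPoliciesFlag: boolean;  // @aws-cdk/aws-kms:defaultKeyPolicies
}

// Default key policy: the account root may administer the key.
function defaultKeyPolicy(accountId: string): PolicyDocument {
  return {
    statements: [{
      effect: 'Allow',
      principals: [`arn:aws:iam::${accountId}:root`],
      actions: ['kms:*'],
      resources: ['*'],
    }],
  };
}

function buildKeyPolicy(input: KeyPolicyInputs): PolicyDocument {
  let doc: PolicyDocument;
  if (input.policy && input.defaultKeyPoliciesFlag) {
    // Flag set (default for new projects): the custom policy is the only key policy.
    doc = { statements: [...input.policy.statements] };
  } else {
    // No custom policy, or flag unset: start from the default and append.
    doc = defaultKeyPolicy(input.accountId);
    if (input.policy) doc.statements.push(...input.policy.statements);
  }
  if (input.admins && input.admins.length > 0) {
    doc.statements.push({ effect: 'Allow', principals: input.admins, actions: ADMIN_ACTIONS, resources: ['*'] });
  }
  return doc;
}

function actionMatches(pattern: string, action: string): boolean {
  if (pattern.charAt(pattern.length - 1) === '*') {
    const prefix = pattern.slice(0, -1);
    return action.slice(0, prefix.length) === prefix;
  }
  return pattern === action;
}

// Minimal evaluation of the key policy on its own: an explicit Deny wins,
// otherwise any matching Allow grants the action.
function allows(doc: PolicyDocument, principal: string, action: string): boolean {
  const matching = doc.statements.filter(
    s => s.principals.indexOf(principal) !== -1 && s.actions.some(a => actionMatches(a, action)),
  );
  if (matching.some(s => s.effect === 'Deny')) return false;
  return matching.some(s => s.effect === 'Allow');
}

// Defender's check: if the account root can no longer change the key policy,
// the key becomes unmanageable once the principals it names are deleted.
function rootRetainsControl(doc: PolicyDocument, accountId: string): boolean {
  return allows(doc, `arn:aws:iam::${accountId}:root`, 'kms:PutKeyPolicy');
}

// Constructed sample: one admin role, feature flag on, no custom policy.
const sampleAccount = '111122223333';
const sampleAdmin = `arn:aws:iam::${sampleAccount}:role/KeyAdmin`;
const samplePolicy = buildKeyPolicy({ accountId: sampleAccount, admins: [sampleAdmin], defaultKeyPoliciesFlag: true });
console.log('root keeps control:', rootRetainsControl(samplePolicy, sampleAccount));   // true
console.log('admin can decrypt:', allows(samplePolicy, sampleAdmin, 'kms:Decrypt'));   // false
```

The flag-on branch is the hazard worth a synth-time check: a custom policy that omits the account root becomes the only policy on the key, so rootRetainsControl is the assertion to run against the synthesized key policy before such a policy is deployed.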
removalPolicy?
Type:
RemovalPolicy
(optional, default: RemovalPolicy.Retain)
Whether the encryption key should be retained when it is removed from the Stack.
This is useful when one wants to retain access to data that was encrypted with a key that is being retired.
rotationPeriod?
Type:
Duration
(optional, default: set by CFN to 365 days.)
The period between each automatic rotation.
Properties
Name | Type | Description |
---|---|---|
env | ResourceEnvironment | The environment this resource belongs to. |
keyArn | string | The ARN of the key. |
keyId | string | The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab). |
node | Node | The tree node. |
stack | Stack | The stack in which this resource is defined. |
trustAccountIdentities | boolean | Optional property to control trusting account identities. |
policy? | PolicyDocument | Optional policy document that represents the resource policy of this key. |
static DEFAULT_DUMMY_KEY_ID | string | The default key id of the dummy key. |
env
Type:
ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
keyArn
Type:
string
The ARN of the key.
keyId
Type:
string
The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
node
Type:
Node
The tree node.
stack
Type:
Stack
The stack in which this resource is defined.
trustAccountIdentities
Type:
boolean
Optional property to control trusting account identities.
If specified, grants will default to identity policies only, instead of to both resource and identity policies. This matches the default behavior when creating KMS keys via the API or console.
policy?
Type:
PolicyDocument
(optional)
Optional policy document that represents the resource policy of this key.
If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.
static DEFAULT_DUMMY_KEY_ID
Type:
string
The default key id of the dummy key.
This value is used as a dummy key id if the key was not found by the Key.fromLookup() method.
Methods
Name | Description |
---|---|
addAlias(aliasName) | Defines a new alias for the key. |
addToResourcePolicy(statement, allowNoOp?) | Adds a statement to the KMS key resource policy. |
applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
grant(grantee, ...actions) | Grant the indicated permissions on this key to the given principal. |
grantAdmin(grantee) | Grant admin permissions on this key to the given principal. |
grantDecrypt(grantee) | Grant decryption permissions using this key to the given principal. |
grantEncrypt(grantee) | Grant encryption permissions using this key to the given principal. |
grantEncryptDecrypt(grantee) | Grant encryption and decryption permissions using this key to the given principal. |
grantGenerateMac(grantee) | Grant permissions to generate MACs with this key to the given principal. |
grantSign(grantee) | Grant sign permissions using this key to the given principal. |
grantSignVerify(grantee) | Grant sign and verify permissions using this key to the given principal. |
grantVerify(grantee) | Grant verify permissions using this key to the given principal. |
grantVerifyMac(grantee) | Grant permissions to verify MACs with this key to the given principal. |
toString() | Returns a string representation of this construct. |
static fromCfnKey(cfnKey) | Create a mutable IKey based on a low-level CfnKey. |
static fromKeyArn(scope, id, keyArn) | Import an externally defined KMS Key using its ARN. |
static fromLookup(scope, id, options) | Import an existing Key by querying the AWS environment this stack is deployed to. |
static isLookupDummy(key) | Checks if the key returned by the Key.fromLookup() method is a dummy key, i.e., a key that was not found. |
addAlias(aliasName)
public addAlias(aliasName: string): Alias
Parameters
- aliasName
string
Returns
Alias
Defines a new alias for the key.
addToResourcePolicy(statement, allowNoOp?)
public addToResourcePolicy(statement: PolicyStatement, allowNoOp?: boolean): AddToResourcePolicyResult
Parameters
- statement
PolicyStatement
The policy statement to add.
- allowNoOp
boolean
If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
Returns
AddToResourcePolicyResult
Adds a statement to the KMS key resource policy.
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
Parameters
- grantee
IGrantable
- actions
string
Returns
Grant the indicated permissions on this key to the given principal.
This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.
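The following is an added example, not aws-cdk-lib code: a small model of what grant() and addToResourcePolicy() write. It reproduces the behaviour described here (a grant lands in the grantee's identity policy and, unless trustAccountIdentities is set, in the key's resource policy too) and the allowNoOp rule for keys imported with fromKeyArn(), which have no policy in this stack to edit. The types, function names, the ENCRYPT_ACTIONS and DECRYPT_ACTIONS lists and the ARNs are this example's assumptions.

```typescript
// Added example (not aws-cdk-lib code): models what grant() and
// addToResourcePolicy() write, per the description above. By default a grant
// lands in both the grantee's identity policy and the key's resource policy;
// with trustAccountIdentities only the identity policy is touched; on an
// imported key with no policy the resource side no-ops, or fails when
// allowNoOp is false. Types, function names and action lists are this
// example's own assumptions.

interface Statement {
  effect: 'Allow';
  principals?: string[];   // present in key-policy statements, absent in identity statements
  actions: string[];
  resources: string[];
}

interface Grantee {
  principalArn: string;
  identityPolicy: Statement[];
}

interface KeyModel {
  keyArn: string;
  resourcePolicy?: Statement[];   // undefined models a key imported with fromKeyArn()
  trustAccountIdentities: boolean;
}

// Assumed action sets, modelled on the CDK's grantEncrypt()/grantDecrypt() helpers.
const ENCRYPT_ACTIONS = ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'];
const DECRYPT_ACTIONS = ['kms:Decrypt'];

interface AddToResourcePolicyResult {
  statementAdded: boolean;
}

function addToResourcePolicy(key: KeyModel, statement: Statement, allowNoOp: boolean = true): AddToResourcePolicyResult {
  if (!key.resourcePolicy) {
    // Imported key: nothing in this stack owns the key policy, so it cannot be edited here.
    if (!allowNoOp) throw new Error(`no resource policy to edit for ${key.keyArn}`);
    return { statementAdded: false };
  }
  key.resourcePolicy.push(statement);
  return { statementAdded: true };
}

interface GrantResult {
  identityStatementAdded: boolean;
  resourceStatementAdded: boolean;
}

function grant(key: KeyModel, grantee: Grantee, ...actions: string[]): GrantResult {
  // Identity side: the principal's own policy names the key ARN as the resource.
  grantee.identityPolicy.push({ effect: 'Allow', actions, resources: [key.keyArn] });
  let resourceStatementAdded = false;
  if (!key.trustAccountIdentities) {
    // Default behaviour: the key policy must name the principal too, because a KMS
    // key policy must not be empty and an identity policy alone is not honoured
    // unless the key policy delegates to IAM.
    const stmt: Statement = { effect: 'Allow', principals: [grantee.principalArn], actions, resources: ['*'] };
    resourceStatementAdded = addToResourcePolicy(key, stmt).statementAdded;
  }
  return { identityStatementAdded: true, resourceStatementAdded };
}

function grantDecrypt(key: KeyModel, grantee: Grantee): GrantResult {
  return grant(key, grantee, ...DECRYPT_ACTIONS);
}

function grantEncryptDecrypt(key: KeyModel, grantee: Grantee): GrantResult {
  return grant(key, grantee, ...ENCRYPT_ACTIONS, ...DECRYPT_ACTIONS);
}

// Constructed sample: a key owned by this stack and a role that needs to read and write.
const ownedKey: KeyModel = {
  keyArn: 'arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000',
  resourcePolicy: [],
  trustAccountIdentities: false,
};
const appRole: Grantee = { principalArn: 'arn:aws:iam::111122223333:role/App', identityPolicy: [] };
const result = grantEncryptDecrypt(ownedKey, appRole);
console.log('resource statement added:', result.resourceStatementAdded);   // true
console.log('key policy statements:', ownedKey.resourcePolicy ? ownedKey.resourcePolicy.length : 0);   // 1
```

The model ignores cross-account grantees. Its purpose is to make visible that, with the default setting, every grant also rewrites the key policy, so a grant is a change to the key's trust boundary and belongs in the review of the synthesized template, not only of the IAM role.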
grantAdmin(grantee)
public grantAdmin(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant admin permissions on this key to the given principal.
Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
grantDecrypt(grantee)
public grantDecrypt(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant decryption permissions using this key to the given principal.
grantEncrypt(grantee)
public grantEncrypt(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant encryption permissions using this key to the given principal.
grantEncryptDecrypt(grantee)
public grantEncryptDecrypt(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant encryption and decryption permissions using this key to the given principal.
grantGenerateMac(grantee)
public grantGenerateMac(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant permissions to generate MACs with this key to the given principal.
grantSign(grantee)
public grantSign(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant sign permissions using this key to the given principal.
grantSignVerify(grantee)
public grantSignVerify(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant sign and verify permissions using this key to the given principal.
grantVerify(grantee)
public grantVerify(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant verify permissions using this key to the given principal.
grantVerifyMac(grantee)
public grantVerifyMac(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant permissions to verify MACs with this key to the given principal.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
static fromCfnKey(cfnKey)
public static fromCfnKey(cfnKey: CfnKey): IKey
Parameters
- cfnKey
CfnKey
Returns
IKey
Create a mutable IKey based on a low-level CfnKey.
This is most useful when combined with the cloudformation-include module.
This method is different from fromKeyArn() because the IKey returned from this method is mutable; meaning, calling any mutating methods on it, like IKey.addToResourcePolicy(), will actually be reflected in the resulting template, as opposed to the object returned from fromKeyArn(), on which calling those methods would have no effect.
static fromKeyArn(scope, id, keyArn)
public static fromKeyArn(scope: Construct, id: string, keyArn: string): IKey
Parameters
- scope
Construct
The construct that will "own" the imported key.
- id
string
The id of the imported key in the construct tree.
- keyArn
string
The ARN of an existing KMS key.
Returns
IKey
Import an externally defined KMS Key using its ARN.
static fromLookup(scope, id, options)
public static fromLookup(scope: Construct, id: string, options: KeyLookupOptions): IKey
Parameters
- scope
Construct
- id
string
- options
KeyLookupOptions
Returns
IKey
Import an existing Key by querying the AWS environment this stack is deployed to.
This function only needs to be used to use Keys not defined in your CDK application. If you are looking to share a Key between stacks, you can pass the Key object between stacks and use it as normal. In addition, it's not necessary to use this method if an interface accepts an IKey. In this case, Alias.fromAliasName() can be used, which returns an alias that extends IKey.
Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).
If you set returnDummyKeyOnMissing to true in options and the key was not found, this method will return a dummy key with a key id '1234abcd-12ab-34cd-56ef-1234567890ab'. The value of the dummy key id can also be referenced using the Key.DEFAULT_DUMMY_KEY_ID variable, and you can check if the key is a dummy key by using the Key.isLookupDummy() method.
The Key information will be cached in cdk.context.json and the same Key will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the cdk context command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
static isLookupDummy(key)
public static isLookupDummy(key: IKey): boolean
Parameters
- key
IKey
Returns
boolean
Checks if the key returned by the Key.fromLookup() method is a dummy key, i.e., a key that was not found.
This method can only be used if the returnDummyKeyOnMissing option is set to true in the options for the Key.fromLookup() method.