software.amazon.awscdk.services.kms.CfnKey Maven / Gradle / Ivy
package software.amazon.awscdk.services.kms;
/**
* A CloudFormation `AWS::KMS::Key`.
*
* The AWS::KMS::Key resource specifies a symmetric or asymmetric KMS key in AWS Key Management Service ( AWS KMS ).
*
* You can use the AWS::KMS::Key resource to specify a symmetric or asymmetric multi-Region primary key. To specify a replica key, use the AWS::KMS::ReplicaKey resource. For information about multi-Region keys, see Multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You cannot use the AWS::KMS::Key resource to specify a KMS key with imported key material or a KMS key in a custom key store .
*
*
*
* AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key . The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.
*
*
*
* You can use symmetric KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use symmetric KMS key to encrypt data stored in AWS services that are integrated with AWS KMS . For more information, see What is AWS Key Management Service ? in the AWS Key Management Service Developer Guide .
*
* You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric KeySpec value and a KeyUsage value.
*
*
*
* If you change the value of the KeyUsage , KeySpec , or MultiRegion property on an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified value.
*
* While scheduled for deletion, the existing KMS key becomes unusable. If you don't cancel the scheduled deletion of the existing KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* Regions
*
* AWS KMS CloudFormation resources are supported in all Regions in which AWS CloudFormation is supported. However, in the (ap-southeast-3), you cannot use a CloudFormation template to create or manage asymmetric KMS keys or multi-Region KMS keys (primary or replica).
*
* Example:
*
*
* CfnInclude cfnTemplate;
* CfnKey cfnKey = (CfnKey)cfnTemplate.getResource("Key");
* IKey key = Key.fromCfnKey(cfnKey);
*
*/
@javax.annotation.Generated(value = "jsii-pacmak/1.54.0 (build b1b977a)", date = "2022-03-01T02:28:59.872Z")
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
@software.amazon.jsii.Jsii(module = software.amazon.awscdk.services.kms.$Module.class, fqn = "@aws-cdk/aws-kms.CfnKey")
public class CfnKey extends software.amazon.awscdk.core.CfnResource implements software.amazon.awscdk.core.IInspectable {
protected CfnKey(final software.amazon.jsii.JsiiObjectRef objRef) {
super(objRef);
}
protected CfnKey(final software.amazon.jsii.JsiiObject.InitializationMode initializationMode) {
super(initializationMode);
}
static {
CFN_RESOURCE_TYPE_NAME = software.amazon.jsii.JsiiObject.jsiiStaticGet(software.amazon.awscdk.services.kms.CfnKey.class, "CFN_RESOURCE_TYPE_NAME", software.amazon.jsii.NativeType.forClass(java.lang.String.class));
}
/**
* Create a new `AWS::KMS::Key`.
*
* @param scope - scope in which this resource is defined. This parameter is required.
* @param id - scoped id of the resource. This parameter is required.
* @param props - resource properties. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public CfnKey(final @org.jetbrains.annotations.NotNull software.amazon.awscdk.core.Construct scope, final @org.jetbrains.annotations.NotNull java.lang.String id, final @org.jetbrains.annotations.NotNull software.amazon.awscdk.services.kms.CfnKeyProps props) {
super(software.amazon.jsii.JsiiObject.InitializationMode.JSII);
software.amazon.jsii.JsiiEngine.getInstance().createNewObject(this, new Object[] { java.util.Objects.requireNonNull(scope, "scope is required"), java.util.Objects.requireNonNull(id, "id is required"), java.util.Objects.requireNonNull(props, "props is required") });
}
/**
* Examines the CloudFormation resource and discloses attributes.
*
* @param inspector - tree inspector to collect and process attributes. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
@Override
public void inspect(final @org.jetbrains.annotations.NotNull software.amazon.awscdk.core.TreeInspector inspector) {
software.amazon.jsii.Kernel.call(this, "inspect", software.amazon.jsii.NativeType.VOID, new Object[] { java.util.Objects.requireNonNull(inspector, "inspector is required") });
}
/**
* @param props This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
@Override
protected @org.jetbrains.annotations.NotNull java.util.Map renderProperties(final @org.jetbrains.annotations.NotNull java.util.Map props) {
return java.util.Collections.unmodifiableMap(software.amazon.jsii.Kernel.call(this, "renderProperties", software.amazon.jsii.NativeType.mapOf(software.amazon.jsii.NativeType.forClass(java.lang.Object.class)), new Object[] { java.util.Objects.requireNonNull(props, "props is required") }));
}
/**
* The CloudFormation resource type name for this resource class.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public final static java.lang.String CFN_RESOURCE_TYPE_NAME;
/**
* The Amazon Resource Name (ARN) of the KMS key, such as `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` .
*
* For information about the key ARN of a KMS key, see Key ARN in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.NotNull java.lang.String getAttrArn() {
return software.amazon.jsii.Kernel.get(this, "attrArn", software.amazon.jsii.NativeType.forClass(java.lang.String.class));
}
/**
* The key ID of the KMS key, such as `1234abcd-12ab-34cd-56ef-1234567890ab` .
*
* For information about the key ID of a KMS key, see Key ID in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.NotNull java.lang.String getAttrKeyId() {
return software.amazon.jsii.Kernel.get(this, "attrKeyId", software.amazon.jsii.NativeType.forClass(java.lang.String.class));
}
/**
*/
@Override
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
protected @org.jetbrains.annotations.NotNull java.util.Map getCfnProperties() {
return java.util.Collections.unmodifiableMap(software.amazon.jsii.Kernel.get(this, "cfnProperties", software.amazon.jsii.NativeType.mapOf(software.amazon.jsii.NativeType.forClass(java.lang.Object.class))));
}
/**
* Assigns one or more tags to the replica key.
*
*
*
* Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for AWS KMS in the AWS Key Management Service Developer Guide .
*
*
*
* For information about tags in AWS KMS , see Tagging keys in the AWS Key Management Service Developer Guide . For information about tags in CloudFormation, see Tag .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.NotNull software.amazon.awscdk.core.TagManager getTags() {
return software.amazon.jsii.Kernel.get(this, "tags", software.amazon.jsii.NativeType.forClass(software.amazon.awscdk.core.TagManager.class));
}
/**
* The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.
*
*
* - The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the Default key policy section of the AWS Key Management Service Developer Guide .
* - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide .
* - The key policy size limit is 32 kilobytes (32768 bytes).
*
*
* If you are unsure of which policy to use, consider the default key policy . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see Default key policy in the AWS Key Management Service Developer Guide .
*
* Minimum : 1
*
* Maximum : 32768
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.NotNull java.lang.Object getKeyPolicy() {
return software.amazon.jsii.Kernel.get(this, "keyPolicy", software.amazon.jsii.NativeType.forClass(java.lang.Object.class));
}
/**
* The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.
*
*
* - The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the Default key policy section of the AWS Key Management Service Developer Guide .
* - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide .
* - The key policy size limit is 32 kilobytes (32768 bytes).
*
*
* If you are unsure of which policy to use, consider the default key policy . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see Default key policy in the AWS Key Management Service Developer Guide .
*
* Minimum : 1
*
* Maximum : 32768
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setKeyPolicy(final @org.jetbrains.annotations.NotNull java.lang.Object value) {
software.amazon.jsii.Kernel.set(this, "keyPolicy", java.util.Objects.requireNonNull(value, "keyPolicy is required"));
}
/**
* A description of the KMS key.
*
* Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.String getDescription() {
return software.amazon.jsii.Kernel.get(this, "description", software.amazon.jsii.NativeType.forClass(java.lang.String.class));
}
/**
* A description of the KMS key.
*
* Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setDescription(final @org.jetbrains.annotations.Nullable java.lang.String value) {
software.amazon.jsii.Kernel.set(this, "description", value);
}
/**
* Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.
*
* When Enabled is true , the key state of the KMS key is Enabled . When Enabled is false , the key state of the KMS key is Disabled . The default value is true .
*
* The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey , DisableKey , or ScheduleKeyDeletion operations.
*
* For information about the key states of a KMS key, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.Object getEnabled() {
return software.amazon.jsii.Kernel.get(this, "enabled", software.amazon.jsii.NativeType.forClass(java.lang.Object.class));
}
/**
* Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.
*
* When Enabled is true , the key state of the KMS key is Enabled . When Enabled is false , the key state of the KMS key is Disabled . The default value is true .
*
* The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey , DisableKey , or ScheduleKeyDeletion operations.
*
* For information about the key states of a KMS key, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setEnabled(final @org.jetbrains.annotations.Nullable java.lang.Boolean value) {
software.amazon.jsii.Kernel.set(this, "enabled", value);
}
/**
* Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.
*
* When Enabled is true , the key state of the KMS key is Enabled . When Enabled is false , the key state of the KMS key is Disabled . The default value is true .
*
* The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey , DisableKey , or ScheduleKeyDeletion operations.
*
* For information about the key states of a KMS key, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setEnabled(final @org.jetbrains.annotations.Nullable software.amazon.awscdk.core.IResolvable value) {
software.amazon.jsii.Kernel.set(this, "enabled", value);
}
/**
* Enables automatic rotation of the key material for the specified KMS key.
*
* By default, automatic key rotation is not enabled.
*
* AWS KMS does not support automatic key rotation on asymmetric KMS keys. For asymmetric KMS keys, omit the EnableKeyRotation property or set it to false .
*
* When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key 365 days after the enable (or reenable) date and every 365 days thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.Object getEnableKeyRotation() {
return software.amazon.jsii.Kernel.get(this, "enableKeyRotation", software.amazon.jsii.NativeType.forClass(java.lang.Object.class));
}
/**
* Enables automatic rotation of the key material for the specified KMS key.
*
* By default, automatic key rotation is not enabled.
*
* AWS KMS does not support automatic key rotation on asymmetric KMS keys. For asymmetric KMS keys, omit the EnableKeyRotation property or set it to false .
*
* When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key 365 days after the enable (or reenable) date and every 365 days thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setEnableKeyRotation(final @org.jetbrains.annotations.Nullable java.lang.Boolean value) {
software.amazon.jsii.Kernel.set(this, "enableKeyRotation", value);
}
/**
* Enables automatic rotation of the key material for the specified KMS key.
*
* By default, automatic key rotation is not enabled.
*
* AWS KMS does not support automatic key rotation on asymmetric KMS keys. For asymmetric KMS keys, omit the EnableKeyRotation property or set it to false .
*
* When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key 365 days after the enable (or reenable) date and every 365 days thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the AWS Key Management Service Developer Guide .
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setEnableKeyRotation(final @org.jetbrains.annotations.Nullable software.amazon.awscdk.core.IResolvable value) {
software.amazon.jsii.Kernel.set(this, "enableKeyRotation", value);
}
/**
* Specifies the type of KMS key to create.
*
* The default value, SYMMETRIC_DEFAULT , creates a KMS key with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your KMS key, see How to choose Your KMS key configuration in the AWS Key Management Service Developer Guide .
*
* The KeySpec property determines whether the KMS key contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the KMS key supports. You can't change the KeySpec after the KMS key is created. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide .
*
*
*
* If you change the KeySpec of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified KeySpec value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted. > AWS services that are integrated with AWS KMS use symmetric KMS keys to protect your data. These services do not support asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying Symmetric and Asymmetric KMS keys in the AWS Key Management Service Developer Guide .
*
*
*
* AWS KMS supports the following key specs for KMS keys:
*
*
* - Symmetric key (default)
* SYMMETRIC_DEFAULT (AES-256-GCM)- Asymmetric RSA key pairs
* RSA_2048RSA_3072RSA_4096- Asymmetric NIST-recommended elliptic curve key pairs
* ECC_NIST_P256 (secp256r1)ECC_NIST_P384 (secp384r1)ECC_NIST_P521 (secp521r1)- Other asymmetric elliptic curve key pairs
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.String getKeySpec() {
return software.amazon.jsii.Kernel.get(this, "keySpec", software.amazon.jsii.NativeType.forClass(java.lang.String.class));
}
/**
* Specifies the type of KMS key to create.
*
* The default value, SYMMETRIC_DEFAULT , creates a KMS key with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your KMS key, see How to choose Your KMS key configuration in the AWS Key Management Service Developer Guide .
*
* The KeySpec property determines whether the KMS key contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the KMS key supports. You can't change the KeySpec after the KMS key is created. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide .
*
*
*
* If you change the KeySpec of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified KeySpec value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted. > AWS services that are integrated with AWS KMS use symmetric KMS keys to protect your data. These services do not support asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying Symmetric and Asymmetric KMS keys in the AWS Key Management Service Developer Guide .
*
*
*
* AWS KMS supports the following key specs for KMS keys:
*
*
* - Symmetric key (default)
* SYMMETRIC_DEFAULT (AES-256-GCM)- Asymmetric RSA key pairs
* RSA_2048RSA_3072RSA_4096- Asymmetric NIST-recommended elliptic curve key pairs
* ECC_NIST_P256 (secp256r1)ECC_NIST_P384 (secp384r1)ECC_NIST_P521 (secp521r1)- Other asymmetric elliptic curve key pairs
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setKeySpec(final @org.jetbrains.annotations.Nullable java.lang.String value) {
software.amazon.jsii.Kernel.set(this, "keySpec", value);
}
/**
* Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT` . This property is required only for asymmetric KMS keys. You can't change the `KeyUsage` value after the KMS key is created.
*
*
*
* If you change the KeyUsage of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified KeyUsage value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* Select only one valid value.
*
*
* - For symmetric KMS keys, omit the property or specify
ENCRYPT_DECRYPT .
* - For asymmetric KMS keys with RSA key material, specify
ENCRYPT_DECRYPT or SIGN_VERIFY .
* - For asymmetric KMS keys with ECC key material, specify
SIGN_VERIFY .
*
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.String getKeyUsage() {
return software.amazon.jsii.Kernel.get(this, "keyUsage", software.amazon.jsii.NativeType.forClass(java.lang.String.class));
}
/**
* Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT` . This property is required only for asymmetric KMS keys. You can't change the `KeyUsage` value after the KMS key is created.
*
*
*
* If you change the KeyUsage of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified KeyUsage value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* Select only one valid value.
*
*
* - For symmetric KMS keys, omit the property or specify
ENCRYPT_DECRYPT .
* - For asymmetric KMS keys with RSA key material, specify
ENCRYPT_DECRYPT or SIGN_VERIFY .
* - For asymmetric KMS keys with ECC key material, specify
SIGN_VERIFY .
*
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setKeyUsage(final @org.jetbrains.annotations.Nullable java.lang.String value) {
software.amazon.jsii.Kernel.set(this, "keyUsage", value);
}
/**
* Creates a multi-Region primary key that you can replicate in other AWS Regions .
*
*
*
* If you change the MultiRegion property of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified Multi-Region value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* For a multi-Region key, set to this property to true . For a single-Region key, omit this property or set it to false . The default value is false .
*
* Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.
*
* To create a replica of this primary key in a different AWS Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.Object getMultiRegion() {
return software.amazon.jsii.Kernel.get(this, "multiRegion", software.amazon.jsii.NativeType.forClass(java.lang.Object.class));
}
/**
* Creates a multi-Region primary key that you can replicate in other AWS Regions .
*
*
*
* If you change the MultiRegion property of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified Multi-Region value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* For a multi-Region key, set to this property to true . For a single-Region key, omit this property or set it to false . The default value is false .
*
* Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.
*
* To create a replica of this primary key in a different AWS Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setMultiRegion(final @org.jetbrains.annotations.Nullable java.lang.Boolean value) {
software.amazon.jsii.Kernel.set(this, "multiRegion", value);
}
/**
* Creates a multi-Region primary key that you can replicate in other AWS Regions .
*
*
*
* If you change the MultiRegion property of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified Multi-Region value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* For a multi-Region key, set to this property to true . For a single-Region key, omit this property or set it to false . The default value is false .
*
* Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.
*
* To create a replica of this primary key in a different AWS Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setMultiRegion(final @org.jetbrains.annotations.Nullable software.amazon.awscdk.core.IResolvable value) {
software.amazon.jsii.Kernel.set(this, "multiRegion", value);
}
/**
* Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack.
*
* Enter a value between 7 and 30 days. The default value is 30 days.
*
* When you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.
*
* AWS KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see Deleting multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the CancelKeyDeletion operation.
*
* For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide . For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the AWS Key Management Service API Reference and Deleting KMS keys in the AWS Key Management Service Developer Guide .
*
* Minimum : 7
*
* Maximum : 30
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public @org.jetbrains.annotations.Nullable java.lang.Number getPendingWindowInDays() {
return software.amazon.jsii.Kernel.get(this, "pendingWindowInDays", software.amazon.jsii.NativeType.forClass(java.lang.Number.class));
}
/**
* Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack.
*
* Enter a value between 7 and 30 days. The default value is 30 days.
*
* When you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.
*
* AWS KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see Deleting multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the CancelKeyDeletion operation.
*
* For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide . For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the AWS Key Management Service API Reference and Deleting KMS keys in the AWS Key Management Service Developer Guide .
*
* Minimum : 7
*
* Maximum : 30
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public void setPendingWindowInDays(final @org.jetbrains.annotations.Nullable java.lang.Number value) {
software.amazon.jsii.Kernel.set(this, "pendingWindowInDays", value);
}
/**
* A fluent builder for {@link software.amazon.awscdk.services.kms.CfnKey}.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public static final class Builder implements software.amazon.jsii.Builder {
/**
* @return a new instance of {@link Builder}.
* @param scope - scope in which this resource is defined. This parameter is required.
* @param id - scoped id of the resource. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public static Builder create(final software.amazon.awscdk.core.Construct scope, final java.lang.String id) {
return new Builder(scope, id);
}
private final software.amazon.awscdk.core.Construct scope;
private final java.lang.String id;
private final software.amazon.awscdk.services.kms.CfnKeyProps.Builder props;
private Builder(final software.amazon.awscdk.core.Construct scope, final java.lang.String id) {
this.scope = scope;
this.id = id;
this.props = new software.amazon.awscdk.services.kms.CfnKeyProps.Builder();
}
/**
* The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.
*
*
* - The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the Default key policy section of the AWS Key Management Service Developer Guide .
* - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide .
* - The key policy size limit is 32 kilobytes (32768 bytes).
*
*
* If you are unsure of which policy to use, consider the default key policy . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see Default key policy in the AWS Key Management Service Developer Guide .
*
* Minimum : 1
*
* Maximum : 32768
*
* @return {@code this}
* @param keyPolicy The key policy that authorizes use of the KMS key. The key policy must conform to the following rules. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder keyPolicy(final java.lang.Object keyPolicy) {
this.props.keyPolicy(keyPolicy);
return this;
}
/**
* A description of the KMS key.
*
* Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
*
* @return {@code this}
* @param description A description of the KMS key. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder description(final java.lang.String description) {
this.props.description(description);
return this;
}
/**
* Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.
*
* When Enabled is true , the key state of the KMS key is Enabled . When Enabled is false , the key state of the KMS key is Disabled . The default value is true .
*
* The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey , DisableKey , or ScheduleKeyDeletion operations.
*
* For information about the key states of a KMS key, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide .
*
* @return {@code this}
* @param enabled Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder enabled(final java.lang.Boolean enabled) {
this.props.enabled(enabled);
return this;
}
/**
* Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.
*
* When Enabled is true , the key state of the KMS key is Enabled . When Enabled is false , the key state of the KMS key is Disabled . The default value is true .
*
* The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey , DisableKey , or ScheduleKeyDeletion operations.
*
* For information about the key states of a KMS key, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide .
*
* @return {@code this}
* @param enabled Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder enabled(final software.amazon.awscdk.core.IResolvable enabled) {
this.props.enabled(enabled);
return this;
}
/**
* Enables automatic rotation of the key material for the specified KMS key.
*
* By default, automatic key rotation is not enabled.
*
* AWS KMS does not support automatic key rotation on asymmetric KMS keys. For asymmetric KMS keys, omit the EnableKeyRotation property or set it to false .
*
* When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key 365 days after the enable (or reenable) date and every 365 days thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the AWS Key Management Service Developer Guide .
*
* @return {@code this}
* @param enableKeyRotation Enables automatic rotation of the key material for the specified KMS key. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder enableKeyRotation(final java.lang.Boolean enableKeyRotation) {
this.props.enableKeyRotation(enableKeyRotation);
return this;
}
/**
* Enables automatic rotation of the key material for the specified KMS key.
*
* By default, automatic key rotation is not enabled.
*
* AWS KMS does not support automatic key rotation on asymmetric KMS keys. For asymmetric KMS keys, omit the EnableKeyRotation property or set it to false .
*
* When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key 365 days after the enable (or reenable) date and every 365 days thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the AWS Key Management Service Developer Guide .
*
* @return {@code this}
* @param enableKeyRotation Enables automatic rotation of the key material for the specified KMS key. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder enableKeyRotation(final software.amazon.awscdk.core.IResolvable enableKeyRotation) {
this.props.enableKeyRotation(enableKeyRotation);
return this;
}
/**
* Specifies the type of KMS key to create.
*
* The default value, SYMMETRIC_DEFAULT , creates a KMS key with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your KMS key, see How to choose Your KMS key configuration in the AWS Key Management Service Developer Guide .
*
* The KeySpec property determines whether the KMS key contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the KMS key supports. You can't change the KeySpec after the KMS key is created. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide .
*
*
*
* If you change the KeySpec of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified KeySpec value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted. > AWS services that are integrated with AWS KMS use symmetric KMS keys to protect your data. These services do not support asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying Symmetric and Asymmetric KMS keys in the AWS Key Management Service Developer Guide .
*
*
*
* AWS KMS supports the following key specs for KMS keys:
*
*
* - Symmetric key (default)
* SYMMETRIC_DEFAULT (AES-256-GCM)- Asymmetric RSA key pairs
* RSA_2048RSA_3072RSA_4096- Asymmetric NIST-recommended elliptic curve key pairs
* ECC_NIST_P256 (secp256r1)ECC_NIST_P384 (secp384r1)ECC_NIST_P521 (secp521r1)- Other asymmetric elliptic curve key pairs
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
* @return {@code this}
* @param keySpec Specifies the type of KMS key to create. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder keySpec(final java.lang.String keySpec) {
this.props.keySpec(keySpec);
return this;
}
/**
* Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT` . This property is required only for asymmetric KMS keys. You can't change the `KeyUsage` value after the KMS key is created.
*
*
*
* If you change the KeyUsage of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified KeyUsage value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* Select only one valid value.
*
*
* - For symmetric KMS keys, omit the property or specify
ENCRYPT_DECRYPT .
* - For asymmetric KMS keys with RSA key material, specify
ENCRYPT_DECRYPT or SIGN_VERIFY .
* - For asymmetric KMS keys with ECC key material, specify
SIGN_VERIFY .
*
*
* @return {@code this}
* @param keyUsage Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT` . This property is required only for asymmetric KMS keys. You can't change the `KeyUsage` value after the KMS key is created. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder keyUsage(final java.lang.String keyUsage) {
this.props.keyUsage(keyUsage);
return this;
}
/**
* Creates a multi-Region primary key that you can replicate in other AWS Regions .
*
*
*
* If you change the MultiRegion property of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified Multi-Region value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* For a multi-Region key, set to this property to true . For a single-Region key, omit this property or set it to false . The default value is false .
*
* Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.
*
* To create a replica of this primary key in a different AWS Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
*
* @return {@code this}
* @param multiRegion Creates a multi-Region primary key that you can replicate in other AWS Regions . This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder multiRegion(final java.lang.Boolean multiRegion) {
this.props.multiRegion(multiRegion);
return this;
}
/**
* Creates a multi-Region primary key that you can replicate in other AWS Regions .
*
*
*
* If you change the MultiRegion property of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified Multi-Region value. While the scheduled deletion is pending, you can't use the existing KMS key. Unless you cancel the scheduled deletion of the KMS key outside of CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.
*
*
*
* For a multi-Region key, set to this property to true . For a single-Region key, omit this property or set it to false . The default value is false .
*
* Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.
*
* To create a replica of this primary key in a different AWS Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
*
* @return {@code this}
* @param multiRegion Creates a multi-Region primary key that you can replicate in other AWS Regions . This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder multiRegion(final software.amazon.awscdk.core.IResolvable multiRegion) {
this.props.multiRegion(multiRegion);
return this;
}
/**
* Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack.
*
* Enter a value between 7 and 30 days. The default value is 30 days.
*
* When you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.
*
* AWS KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see Deleting multi-Region keys in the AWS Key Management Service Developer Guide .
*
* You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the CancelKeyDeletion operation.
*
* For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide . For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the AWS Key Management Service API Reference and Deleting KMS keys in the AWS Key Management Service Developer Guide .
*
* Minimum : 7
*
* Maximum : 30
*
* @return {@code this}
* @param pendingWindowInDays Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder pendingWindowInDays(final java.lang.Number pendingWindowInDays) {
this.props.pendingWindowInDays(pendingWindowInDays);
return this;
}
/**
* Assigns one or more tags to the replica key.
*
*
*
* Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for AWS KMS in the AWS Key Management Service Developer Guide .
*
*
*
* For information about tags in AWS KMS , see Tagging keys in the AWS Key Management Service Developer Guide . For information about tags in CloudFormation, see Tag .
*
* @return {@code this}
* @param tags Assigns one or more tags to the replica key. This parameter is required.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
public Builder tags(final java.util.List tags) {
this.props.tags(tags);
return this;
}
/**
* @returns a newly built instance of {@link software.amazon.awscdk.services.kms.CfnKey}.
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
@Override
public software.amazon.awscdk.services.kms.CfnKey build() {
return new software.amazon.awscdk.services.kms.CfnKey(
this.scope,
this.id,
this.props.build()
);
}
}
}