KMS Key
Key Management Service (KMS) Key
Resource Type
AWS.KMS.Key
Resource ID Format
For KMS Keys, the resource ID is the ARN.
arn:aws:kms:us-west-2:123456789012:key/1
Background
KMS is a service for creating and managing the encryption keys used across a wide range of AWS services and within your own applications.
Fields
Field
Type
Description
KeyRotationEnabled
Bool
Whether automatic key rotation is enabled for this KMS key
Policy
String
The key policy as a JSON document serialized into a string, specifying which principals are allowed which actions on this key
Example
{
"AccountId": "123456789012",
"Arn": "arn:aws:kms:us-west-2:123456789012:key/1",
"CloudHsmClusterId": null,
"CustomKeyStoreId": null,
"DeletionDate": null,
"Description": "Default master key that protects my ACM private keys when no other key is defined",
"Enabled": true,
"EncryptionAlgorithms": null,
"ExpirationModel": null,
"Id": "1",
"KeyManager": "AWS",
"KeyRotationEnabled": null,
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"MacAlgorithms": null,
"MultiRegion": true,
"MultiRegionConfiguration": {
"MultiRegionKeyType": "PRIMARY",
"PrimaryKey": {
"Arn": "arn:aws:kms:us-west-2:123456789012:key/1",
"Region": "us-west-2"
},
"ReplicaKeys": null
},
"Origin": "AWS_KMS",
"PendingDeletionWindowInDays": null,
"Policy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"auto-acm-3\",\n \"Statement\" : [ {\n \"Sid\" : \"Allow creation of decryption grants\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:CreateGrant\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n },\n \"ForAllValues:StringEquals\" : {\n \"kms:GrantOperations\" : \"Decrypt\"\n },\n \"Bool\" : {\n \"kms:GrantIsForAWSResource\" : \"true\"\n }\n }\n }, {\n \"Sid\" : \"Allow creation of encryption grant\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:CreateGrant\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n },\n \"ForAllValues:StringEquals\" : {\n \"kms:GrantOperations\" : [ \"Encrypt\", \"ReEncryptFrom\", \"ReEncryptTo\" ]\n },\n \"Bool\" : {\n \"kms:GrantIsForAWSResource\" : \"true\"\n }\n }\n }, {\n \"Sid\" : \"Allowed operations for the key owner\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : [ \"kms:DescribeKey\", \"kms:ListGrants\", \"kms:RevokeGrant\", \"kms:GetKeyPolicy\" ],\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\"\n }\n }\n }, {\n \"Sid\" : \"Deny re-encryption to any other key\",\n \"Effect\" : \"Deny\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:ReEncrypt*\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"Bool\" : {\n \"kms:ReEncryptOnSameKey\" : \"false\"\n }\n }\n } ]\n}",
"Region": "us-west-2",
"ResourceId": "arn:aws:kms:us-west-2:123456789012:key/1",
"ResourceType": "AWS.KMS.Key",
"SigningAlgorithms": null,
"Tags": null,
"TimeCreated": "2019-01-01T00:00:00.000Z",
"ValidTo": null
}