KMS Key

Key Management Service (KMS) Key

Resource Type

AWS.KMS.Key

Resource ID Format

For KMS Keys, the resource ID is the ARN.

arn:aws:kms:us-west-2:123456789012:key/1

Background

KMS is a service for creating and managing the encryption keys used across a wide range of AWS services and within your own applications.

Fields

Field               Type    Description
KeyRotationEnabled  Bool    Whether automatic key rotation is enabled for this KMS key
Policy              String  The key policy, as a JSON string, stating which principals may perform which KMS actions on this key

Example

{
    "AccountId": "123456789012",
    "Arn": "arn:aws:kms:us-west-2:123456789012:key/1",
    "CloudHsmClusterId": null,
    "CustomKeyStoreId": null,
    "DeletionDate": null,
    "Description": "Default master key that protects my ACM private keys when no other key is defined",
    "Enabled": true,
    "EncryptionAlgorithms": null,
    "ExpirationModel": null,
    "Id": "1",
    "KeyManager": "AWS",
    "KeyRotationEnabled": null,
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MacAlgorithms": null,
    "MultiRegion": true,
    "MultiRegionConfiguration": {
	"MultiRegionKeyType": "PRIMARY",
	"PrimaryKey": {
		"Arn": "arn:aws:kms:us-west-2:123456789012:key/1",
		"Region": "us-west-2"
	},
	"ReplicaKeys": null
    },
    "Origin": "AWS_KMS",
    "PendingDeletionWindowInDays": null,
    "Policy": "{\n  \"Version\" : \"2012-10-17\",\n  \"Id\" : \"auto-acm-3\",\n  \"Statement\" : [ {\n    \"Sid\" : \"Allow creation of decryption grants\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"*\"\n    },\n    \"Action\" : \"kms:CreateGrant\",\n    \"Resource\" : \"*\",\n    \"Condition\" : {\n      \"StringEquals\" : {\n        \"kms:CallerAccount\" : \"123456789012\",\n        \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n      },\n      \"ForAllValues:StringEquals\" : {\n        \"kms:GrantOperations\" : \"Decrypt\"\n      },\n      \"Bool\" : {\n        \"kms:GrantIsForAWSResource\" : \"true\"\n      }\n    }\n  }, {\n    \"Sid\" : \"Allow creation of encryption grant\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"*\"\n    },\n    \"Action\" : \"kms:CreateGrant\",\n    \"Resource\" : \"*\",\n    \"Condition\" : {\n      \"StringEquals\" : {\n        \"kms:CallerAccount\" : \"123456789012\",\n        \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n      },\n      \"ForAllValues:StringEquals\" : {\n        \"kms:GrantOperations\" : [ \"Encrypt\", \"ReEncryptFrom\", \"ReEncryptTo\" ]\n      },\n      \"Bool\" : {\n        \"kms:GrantIsForAWSResource\" : \"true\"\n      }\n    }\n  }, {\n    \"Sid\" : \"Allowed operations for the key owner\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"*\"\n    },\n    \"Action\" : [ \"kms:DescribeKey\", \"kms:ListGrants\", \"kms:RevokeGrant\", \"kms:GetKeyPolicy\" ],\n    \"Resource\" : \"*\",\n    \"Condition\" : {\n      \"StringEquals\" : {\n        \"kms:CallerAccount\" : \"123456789012\"\n      }\n    }\n  }, {\n    \"Sid\" : \"Deny re-encryption to any other key\",\n    \"Effect\" : \"Deny\",\n    \"Principal\" : {\n      \"AWS\" : \"*\"\n    },\n    \"Action\" : \"kms:ReEncrypt*\",\n    \"Resource\" : \"*\",\n    \"Condition\" : {\n      \"Bool\" : {\n        \"kms:ReEncryptOnSameKey\" : \"false\"\n      }\n    }\n  } ]\n}",
    "Region": "us-west-2",
    "ResourceId": "arn:aws:kms:us-west-2:123456789012:key/1",
    "ResourceType": "AWS.KMS.Key",
    "SigningAlgorithms": null,
    "Tags": null,
    "TimeCreated": "2019-01-01T00:00:00.000Z",
    "ValidTo": null
}
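The two documented fields are the ones a detection would normally key on: KeyRotationEnabled for rotation hygiene, and Policy for who can use the key. The example above illustrates a subtlety of the second: every Allow statement has "Principal": {"AWS": "*"}, yet none of them is open to the world, because each is pinned to the account with a kms:CallerAccount condition. A check that merely greps for a wildcard principal would flag this AWS-managed key as a false positive. The code below is an added example (not code from this page or its product) showing how to evaluate an AWS.KMS.Key resource for both fields. The `policy(resource)` entry point returning a pass/fail bool is an assumed convention, the sample resources are constructed (the second one, key/2, is hypothetical), and the rotation check deliberately skips AWS-managed, non-symmetric, imported and custom-key-store keys, which either rotate on AWS's schedule or cannot use automatic rotation.

```python
"""Checks over an AWS.KMS.Key resource: automatic rotation and wildcard principals in the key policy."""
import json

# Condition keys that pin a "Principal": "*" statement to a known account, org or principal.
# Condition keys are case-insensitive in IAM, so both sides are compared lowercased.
SCOPING_CONDITION_KEYS = {
    "kms:calleraccount",
    "aws:principalaccount",
    "aws:principalorgid",
    "aws:principalarn",
    "aws:sourceaccount",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # Covers "Principal": "*" and "Principal": {"AWS": "*"} (or a list containing "*").
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_scoping_condition(statement):
    # Walk every condition operator block ("StringEquals", "Bool", ...) looking for a scoping key.
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def parse_key_policy(resource):
    """Policy is stored as a JSON string; a missing policy yields an empty statement list."""
    raw = resource.get("Policy")
    if not raw:
        return {"Statement": []}
    doc = json.loads(raw)
    doc["Statement"] = _as_list(doc.get("Statement"))
    return doc


def unscoped_wildcard_statements(resource):
    """Sids of Allow statements whose wildcard principal is not pinned by a scoping condition."""
    findings = []
    for stmt in parse_key_policy(resource)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with "Principal": "*" only narrows access
        if _is_wildcard_principal(stmt.get("Principal")) and not _has_scoping_condition(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def rotation_missing(resource):
    """True for an enabled, customer-managed, symmetric, KMS-origin key without automatic rotation.
    AWS-managed keys (KeyManager "AWS") report KeyRotationEnabled as null, as in the page's
    example, and are excluded; asymmetric, HMAC, imported and custom-key-store keys cannot be
    auto-rotated, so they are excluded as well rather than reported as failures."""
    if resource.get("KeyManager") != "CUSTOMER" or resource.get("KeyState") != "Enabled":
        return False
    if resource.get("KeySpec") != "SYMMETRIC_DEFAULT" or resource.get("Origin") != "AWS_KMS":
        return False
    if resource.get("CustomKeyStoreId"):
        return False
    return resource.get("KeyRotationEnabled") is not True


def policy(resource):
    """Assumed pass/fail convention: True means the key passes both checks."""
    return not rotation_missing(resource) and not unscoped_wildcard_statements(resource)


# Constructed sample inputs (not real resources). The first mirrors the AWS-managed ACM key above:
# wildcard principals, but every Allow statement is pinned with kms:CallerAccount.
AWS_MANAGED_KEY = {
    "Arn": "arn:aws:kms:us-west-2:123456789012:key/1",
    "KeyManager": "AWS", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT",
    "Origin": "AWS_KMS", "CustomKeyStoreId": None, "KeyRotationEnabled": None,
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow creation of decryption grants", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": "123456789012",
                                        "kms:ViaService": "acm.us-east-1.amazonaws.com"}}},
        {"Sid": "Deny re-encryption to any other key", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "kms:ReEncrypt*", "Resource": "*",
         "Condition": {"Bool": {"kms:ReEncryptOnSameKey": "false"}}}]}),
}

# Hypothetical customer-managed key: rotation off, and one statement any AWS principal can use.
OPEN_CUSTOMER_KEY = {
    "Arn": "arn:aws:kms:us-west-2:123456789012:key/2",
    "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT",
    "Origin": "AWS_KMS", "CustomKeyStoreId": None, "KeyRotationEnabled": False,
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Root account access", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Anyone can decrypt", "Effect": "Allow",
         "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"}]}),
}

if __name__ == "__main__":
    for key in (AWS_MANAGED_KEY, OPEN_CUSTOMER_KEY):
        print(key["Arn"], "pass" if policy(key) else "FAIL",
              "rotation_missing=%s" % rotation_missing(key), unscoped_wildcard_statements(key))
```

Run as a script it reports key/1 as passing and key/2 as failing on both counts. The scoping-key list is the part to tune for your environment: if you also treat kms:ViaService alone as sufficient scoping (it is not, since any account can call through that service unless kms:CallerAccount is also present), you will reintroduce exactly the false negative the page's example is designed to avoid.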
