Package software.amazon.awscdk.services.kms

Class CfnKey

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.kms.CfnKey
All Implemented Interfaces:
IInspectable, ITaggable, IKeyRef, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
@Generated(value="jsii-pacmak/1.116.0 (build 0eddcff)", date="2025-10-24T13:34:41.008Z") @Stability(Stable) public class CfnKey extends CfnResource implements IInspectable, IKeyRef, ITaggable
The AWS::KMS::Key resource specifies an KMS key in AWS Key Management Service . You can use this resource to create symmetric encryption KMS keys, asymmetric KMS keys for encryption or signing, and symmetric HMAC KMS keys. You can use AWS::KMS::Key to create multi-Region primary keys of all supported types. To replicate a multi-Region key, use the AWS::KMS::ReplicaKey resource.

If you change the value of the KeySpec , KeyUsage , Origin , or MultiRegion properties of an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute . This prevents you from accidentally deleting a KMS key by changing any of its immutable property values. > AWS KMS replaced the term customer master key (CMK) with AWS KMS key and KMS key . The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.

You can use symmetric encryption KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use a symmetric encryption KMS key to encrypt data stored in AWS services that are integrated with AWS KMS . For more information, see Symmetric encryption KMS keys in the AWS Key Management Service Developer Guide .

You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric KeySpec value and a KeyUsage value. For details, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide .

You can use HMAC KMS keys (which are also symmetric keys) to generate and verify hash-based message authentication codes. To create an HMAC key, you must specify an HMAC KeySpec value and a KeyUsage value of GENERATE_VERIFY_MAC . For details, see HMAC keys in AWS KMS in the AWS Key Management Service Developer Guide .

You can also create symmetric encryption, asymmetric, and HMAC multi-Region primary keys. To create a multi-Region primary key, set the MultiRegion property to true . For information about multi-Region keys, see Multi-Region keys in AWS KMS in the AWS Key Management Service Developer Guide .

You cannot use the AWS::KMS::Key resource to specify a KMS key with imported key material or a KMS key in a custom key store .

Regions

AWS KMS CloudFormation resources are available in all Regions in which AWS KMS and AWS CloudFormation are supported. You can use the AWS::KMS::Key resource to create and manage all KMS key types that are supported in a Region.

Example: 

 import software.amazon.awscdk.services.kms.*;
 Key kmsKey = new Key(this, "myKMSKey");
 Bucket myBucket = Bucket.Builder.create(this, "mySSEKMSEncryptedBucket")
         .encryption(BucketEncryption.KMS)
         .encryptionKey(kmsKey)
         .objectOwnership(ObjectOwnership.BUCKET_OWNER_ENFORCED)
         .build();
 Distribution.Builder.create(this, "myDist")
         .defaultBehavior(BehaviorOptions.builder()
                 .origin(S3BucketOrigin.withOriginAccessControl(myBucket))
                 .build())
         .build();
 // Add the following to scope down the key policy
 Map<String, Object> scopedDownKeyPolicy = Map.of(
         "Version", "2012-10-17",
         "Statement", List.of(Map.of(
                 "Effect", "Allow",
                 "Principal", Map.of(
                         "AWS", "arn:aws:iam::111122223333:root"),
                 "Action", "kms:*",
                 "Resource", "*"), Map.of(
                 "Effect", "Allow",
                 "Principal", Map.of(
                         "Service", "cloudfront.amazonaws.com"),
                 "Action", List.of("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"),
                 "Resource", "*",
                 "Condition", Map.of(
                         "StringEquals", Map.of(
                                 "AWS:SourceArn", "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>")))));
 CfnKey cfnKey = ((CfnKey)kmsKey.getNode().getDefaultChild());
 cfnKey.getKeyPolicy() = scopedDownKeyPolicy;

See Also:

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnKey

      protected CfnKey(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnKey

      protected CfnKey(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnKey

      @Stability(Stable) public CfnKey(@NotNull software.constructs.Construct scope, @NotNull String id, @Nullable CfnKeyProps props)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties.

    • CfnKey

      @Stability(Stable) public CfnKey(@NotNull software.constructs.Construct scope, @NotNull String id)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.

  • Method Details

    • fromKeyArn

      @Stability(Stable) @NotNull public static IKeyRef fromKeyArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String arn)
      Creates a new IKeyRef from an ARN.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      arn - This parameter is required.

    • fromKeyId

      @Stability(Stable) @NotNull public static IKeyRef fromKeyId(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String keyId)
      Creates a new IKeyRef from a keyId.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      keyId - This parameter is required.

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      The Amazon Resource Name (ARN) of the KMS key, such as arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab .

      For information about the key ARN of a KMS key, see Key ARN in the AWS Key Management Service Developer Guide .

    • getAttrKeyId

      @Stability(Stable) @NotNull public String getAttrKeyId()
      The key ID of the KMS key, such as 1234abcd-12ab-34cd-56ef-1234567890ab .

      For information about the key ID of a KMS key, see Key ID in the AWS Key Management Service Developer Guide .

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getKeyRef

      @Stability(Stable) @NotNull public KeyReference getKeyRef()
      A reference to a Key resource.
      Specified by:
      getKeyRef in interface IKeyRef

    • getTags

      @Stability(Stable) @NotNull public TagManager getTags()
      Tag Manager which manages the tags for this resource.
      Specified by:
      getTags in interface ITaggable

    • getBypassPolicyLockoutSafetyCheck

      @Stability(Stable) @Nullable public Object getBypassPolicyLockoutSafetyCheck()
      Skips ("bypasses") the key policy lockout safety check.

      The default value is false.

      Returns union: either Boolean or IResolvable

    • setBypassPolicyLockoutSafetyCheck

      @Stability(Stable) public void setBypassPolicyLockoutSafetyCheck(@Nullable Boolean value)
      Skips ("bypasses") the key policy lockout safety check.

      The default value is false.

    • setBypassPolicyLockoutSafetyCheck

      @Stability(Stable) public void setBypassPolicyLockoutSafetyCheck(@Nullable IResolvable value)
      Skips ("bypasses") the key policy lockout safety check.

      The default value is false.

    • getDescription

      @Stability(Stable) @Nullable public String getDescription()
      A description of the KMS key.

    • setDescription

      @Stability(Stable) public void setDescription(@Nullable String value)
      A description of the KMS key.

    • getEnabled

      @Stability(Stable) @Nullable public Object getEnabled()
      Specifies whether the KMS key is enabled.

      Disabled KMS keys cannot be used in cryptographic operations.

      Returns union: either Boolean or IResolvable

    • setEnabled

      @Stability(Stable) public void setEnabled(@Nullable Boolean value)
      Specifies whether the KMS key is enabled.

      Disabled KMS keys cannot be used in cryptographic operations.

    • setEnabled

      @Stability(Stable) public void setEnabled(@Nullable IResolvable value)
      Specifies whether the KMS key is enabled.

      Disabled KMS keys cannot be used in cryptographic operations.

    • getEnableKeyRotation

      @Stability(Stable) @Nullable public Object getEnableKeyRotation()
      Enables automatic rotation of the key material for the specified KMS key.

      Returns union: either Boolean or IResolvable

    • setEnableKeyRotation

      @Stability(Stable) public void setEnableKeyRotation(@Nullable Boolean value)
      Enables automatic rotation of the key material for the specified KMS key.

    • setEnableKeyRotation

      @Stability(Stable) public void setEnableKeyRotation(@Nullable IResolvable value)
      Enables automatic rotation of the key material for the specified KMS key.

    • getKeyPolicy

      @Stability(Stable) @Nullable public Object getKeyPolicy()
      The key policy to attach to the KMS key.

    • setKeyPolicy

      @Stability(Stable) public void setKeyPolicy(@Nullable Object value)
      The key policy to attach to the KMS key.

    • getKeySpec

      @Stability(Stable) @Nullable public String getKeySpec()
      Specifies the type of KMS key to create.

    • setKeySpec

      @Stability(Stable) public void setKeySpec(@Nullable String value)
      Specifies the type of KMS key to create.

    • getKeyUsage

      @Stability(Stable) @Nullable public String getKeyUsage()
      Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT . This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created.

    • setKeyUsage

      @Stability(Stable) public void setKeyUsage(@Nullable String value)
      Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT . This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created.

    • getMultiRegion

      @Stability(Stable) @Nullable public Object getMultiRegion()
      Creates a multi-Region primary key that you can replicate in other AWS Regions .

      Returns union: either Boolean or IResolvable

    • setMultiRegion

      @Stability(Stable) public void setMultiRegion(@Nullable Boolean value)
      Creates a multi-Region primary key that you can replicate in other AWS Regions .

    • setMultiRegion

      @Stability(Stable) public void setMultiRegion(@Nullable IResolvable value)
      Creates a multi-Region primary key that you can replicate in other AWS Regions .

    • getOrigin

      @Stability(Stable) @Nullable public String getOrigin()
      The source of the key material for the KMS key.

    • setOrigin

      @Stability(Stable) public void setOrigin(@Nullable String value)
      The source of the key material for the KMS key.

    • getPendingWindowInDays

      @Stability(Stable) @Nullable public Number getPendingWindowInDays()
      Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack.

    • setPendingWindowInDays

      @Stability(Stable) public void setPendingWindowInDays(@Nullable Number value)
      Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack.

    • getRotationPeriodInDays

      @Stability(Stable) @Nullable public Number getRotationPeriodInDays()
      Specifies a custom period of time between each rotation date.

    • setRotationPeriodInDays

      @Stability(Stable) public void setRotationPeriodInDays(@Nullable Number value)
      Specifies a custom period of time between each rotation date.

    • getTagsRaw

      @Stability(Stable) @Nullable public List<CfnTag> getTagsRaw()
      Assigns one or more tags to the replica key.

    • setTagsRaw

      @Stability(Stable) public void setTagsRaw(@Nullable List<CfnTag> value)
      Assigns one or more tags to the replica key.