kms/aws.sdk.kotlin.services.kms.model/CreateKeyRequest/keyUsage

keyUsage

val keyUsage: KeyUsageType?

Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This parameter is optional when you are creating a symmetric encryption KMS key; otherwise, it is required. You can't change the KeyUsage value after the KMS key is created. Each KMS key can have only one key usage. This follows key usage best practices according to NIST SP 800-57 Recommendations for Key Management, section 5.2, Key usage.

Select only one valid value.

  • For symmetric encryption KMS keys, omit the parameter or specify ENCRYPT_DECRYPT.

  • For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.

  • For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric KMS keys with NIST-standard elliptic curve key pairs, specify SIGN_VERIFY or KEY_AGREEMENT.

  • For asymmetric KMS keys with ECC_SECG_P256K1 key pairs, specify SIGN_VERIFY.

  • For asymmetric KMS keys with ML-DSA key pairs, specify SIGN_VERIFY.

  • For asymmetric KMS keys with SM2 key pairs (China Regions only), specify ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. Generated by dokka