Azure Native v2.90.0, Mar 27 25

This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.

Azure Native v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

pulumi/pulumi-azure-native

azure-native.awsconnector.KmsKey

Explore with Pulumi AI

This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.

Azure Native v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

pulumi/pulumi-azure-native

Example Usage

KmsKeys_CreateOrReplace

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var kmsKey = new AzureNative.AwsConnector.KmsKey("kmsKey", new()
    {
        Location = "qozbasr",
        Name = "Replace this value with a string matching RegExp ^(z=.{0,259}[^zs.]$)(z!.*[zzzzzzzz])",
        Properties = new AzureNative.AwsConnector.Inputs.KmsKeyPropertiesArgs
        {
            Arn = "qszqxzva",
            AwsAccountId = "rvkcvpmljvwdryvsugsuc",
            AwsProperties = new AzureNative.AwsConnector.Inputs.AwsKmsKeyPropertiesArgs
            {
                Arn = "qglsfyxssylnrh",
                BypassPolicyLockoutSafetyCheck = true,
                Description = "mjtmquqbhnvjw",
                EnableKeyRotation = true,
                Enabled = true,
                KeyId = "hgwon",
                KeyPolicy = null,
                KeySpec = AzureNative.AwsConnector.KeySpec.ECC_NIST_P256,
                KeyUsage = AzureNative.AwsConnector.KeyUsage.ENCRYPT_DECRYPT,
                MultiRegion = true,
                Origin = AzureNative.AwsConnector.Origin.AWS_KMS,
                PendingWindowInDays = 7,
                RotationPeriodInDays = 4,
                Tags = new[]
                {
                    new AzureNative.AwsConnector.Inputs.TagArgs
                    {
                        Key = "eprsfobey",
                        Value = "lcaeaqxughlzgzhbbi",
                    },
                },
            },
            AwsRegion = "hvyzzutginnqrhgkyyripyqhqkofm",
            AwsSourceSchema = "cvatoa",
            AwsTags = 
            {
                { "key8656", "ctsbcnfhcvojqkiouaoyaetkdt" },
            },
            PublicCloudConnectorsResourceId = "tsbeayhnreovxnkbtbrvnuielziq",
            PublicCloudResourceName = "edkcxntzxplnpl",
        },
        ResourceGroupName = "rgkmsKey",
        Tags = 
        {
            { "key3909", "dxto" },
        },
    });

});

package main

import (
	awsconnector "github.com/pulumi/pulumi-azure-native-sdk/awsconnector/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := awsconnector.NewKmsKey(ctx, "kmsKey", &awsconnector.KmsKeyArgs{
			Location: pulumi.String("qozbasr"),
			Name:     pulumi.String("Replace this value with a string matching RegExp ^(z=.{0,259}[^zs.]$)(z!.*[zzzzzzzz])"),
			Properties: &awsconnector.KmsKeyPropertiesArgs{
				Arn:          pulumi.String("qszqxzva"),
				AwsAccountId: pulumi.String("rvkcvpmljvwdryvsugsuc"),
				AwsProperties: &awsconnector.AwsKmsKeyPropertiesArgs{
					Arn:                            pulumi.String("qglsfyxssylnrh"),
					BypassPolicyLockoutSafetyCheck: pulumi.Bool(true),
					Description:                    pulumi.String("mjtmquqbhnvjw"),
					EnableKeyRotation:              pulumi.Bool(true),
					Enabled:                        pulumi.Bool(true),
					KeyId:                          pulumi.String("hgwon"),
					KeyPolicy:                      pulumi.Any(map[string]interface{}{}),
					KeySpec:                        pulumi.String(awsconnector.KeySpec_ECC_NIST_P256),
					KeyUsage:                       pulumi.String(awsconnector.KeyUsage_ENCRYPT_DECRYPT),
					MultiRegion:                    pulumi.Bool(true),
					Origin:                         pulumi.String(awsconnector.Origin_AWS_KMS),
					PendingWindowInDays:            pulumi.Int(7),
					RotationPeriodInDays:           pulumi.Int(4),
					Tags: awsconnector.TagArray{
						&awsconnector.TagArgs{
							Key:   pulumi.String("eprsfobey"),
							Value: pulumi.String("lcaeaqxughlzgzhbbi"),
						},
					},
				},
				AwsRegion:       pulumi.String("hvyzzutginnqrhgkyyripyqhqkofm"),
				AwsSourceSchema: pulumi.String("cvatoa"),
				AwsTags: pulumi.StringMap{
					"key8656": pulumi.String("ctsbcnfhcvojqkiouaoyaetkdt"),
				},
				PublicCloudConnectorsResourceId: pulumi.String("tsbeayhnreovxnkbtbrvnuielziq"),
				PublicCloudResourceName:         pulumi.String("edkcxntzxplnpl"),
			},
			ResourceGroupName: pulumi.String("rgkmsKey"),
			Tags: pulumi.StringMap{
				"key3909": pulumi.String("dxto"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.awsconnector.KmsKey;
import com.pulumi.azurenative.awsconnector.KmsKeyArgs;
import com.pulumi.azurenative.awsconnector.inputs.KmsKeyPropertiesArgs;
import com.pulumi.azurenative.awsconnector.inputs.AwsKmsKeyPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var kmsKey = new KmsKey("kmsKey", KmsKeyArgs.builder()
            .location("qozbasr")
            .name("Replace this value with a string matching RegExp ^(z=.{0,259}[^zs.]$)(z!.*[zzzzzzzz])")
            .properties(KmsKeyPropertiesArgs.builder()
                .arn("qszqxzva")
                .awsAccountId("rvkcvpmljvwdryvsugsuc")
                .awsProperties(AwsKmsKeyPropertiesArgs.builder()
                    .arn("qglsfyxssylnrh")
                    .bypassPolicyLockoutSafetyCheck(true)
                    .description("mjtmquqbhnvjw")
                    .enableKeyRotation(true)
                    .enabled(true)
                    .keyId("hgwon")
                    .keyPolicy()
                    .keySpec("ECC_NIST_P256")
                    .keyUsage("ENCRYPT_DECRYPT")
                    .multiRegion(true)
                    .origin("AWS_KMS")
                    .pendingWindowInDays(7)
                    .rotationPeriodInDays(4)
                    .tags(TagArgs.builder()
                        .key("eprsfobey")
                        .value("lcaeaqxughlzgzhbbi")
                        .build())
                    .build())
                .awsRegion("hvyzzutginnqrhgkyyripyqhqkofm")
                .awsSourceSchema("cvatoa")
                .awsTags(Map.of("key8656", "ctsbcnfhcvojqkiouaoyaetkdt"))
                .publicCloudConnectorsResourceId("tsbeayhnreovxnkbtbrvnuielziq")
                .publicCloudResourceName("edkcxntzxplnpl")
                .build())
            .resourceGroupName("rgkmsKey")
            .tags(Map.of("key3909", "dxto"))
            .build());

    }
}

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const kmsKey = new azure_native.awsconnector.KmsKey("kmsKey", {
    location: "qozbasr",
    name: "Replace this value with a string matching RegExp ^(z=.{0,259}[^zs.]$)(z!.*[zzzzzzzz])",
    properties: {
        arn: "qszqxzva",
        awsAccountId: "rvkcvpmljvwdryvsugsuc",
        awsProperties: {
            arn: "qglsfyxssylnrh",
            bypassPolicyLockoutSafetyCheck: true,
            description: "mjtmquqbhnvjw",
            enableKeyRotation: true,
            enabled: true,
            keyId: "hgwon",
            keyPolicy: {},
            keySpec: azure_native.awsconnector.KeySpec.ECC_NIST_P256,
            keyUsage: azure_native.awsconnector.KeyUsage.ENCRYPT_DECRYPT,
            multiRegion: true,
            origin: azure_native.awsconnector.Origin.AWS_KMS,
            pendingWindowInDays: 7,
            rotationPeriodInDays: 4,
            tags: [{
                key: "eprsfobey",
                value: "lcaeaqxughlzgzhbbi",
            }],
        },
        awsRegion: "hvyzzutginnqrhgkyyripyqhqkofm",
        awsSourceSchema: "cvatoa",
        awsTags: {
            key8656: "ctsbcnfhcvojqkiouaoyaetkdt",
        },
        publicCloudConnectorsResourceId: "tsbeayhnreovxnkbtbrvnuielziq",
        publicCloudResourceName: "edkcxntzxplnpl",
    },
    resourceGroupName: "rgkmsKey",
    tags: {
        key3909: "dxto",
    },
});

import pulumi
import pulumi_azure_native as azure_native

kms_key = azure_native.awsconnector.KmsKey("kmsKey",
    location="qozbasr",
    name="Replace this value with a string matching RegExp ^(z=.{0,259}[^zs.]$)(z!.*[zzzzzzzz])",
    properties={
        "arn": "qszqxzva",
        "aws_account_id": "rvkcvpmljvwdryvsugsuc",
        "aws_properties": {
            "arn": "qglsfyxssylnrh",
            "bypass_policy_lockout_safety_check": True,
            "description": "mjtmquqbhnvjw",
            "enable_key_rotation": True,
            "enabled": True,
            "key_id": "hgwon",
            "key_policy": {},
            "key_spec": azure_native.awsconnector.KeySpec.EC_C_NIS_T_P256,
            "key_usage": azure_native.awsconnector.KeyUsage.ENCRYP_T_DECRYPT,
            "multi_region": True,
            "origin": azure_native.awsconnector.Origin.AW_S_KMS,
            "pending_window_in_days": 7,
            "rotation_period_in_days": 4,
            "tags": [{
                "key": "eprsfobey",
                "value": "lcaeaqxughlzgzhbbi",
            }],
        },
        "aws_region": "hvyzzutginnqrhgkyyripyqhqkofm",
        "aws_source_schema": "cvatoa",
        "aws_tags": {
            "key8656": "ctsbcnfhcvojqkiouaoyaetkdt",
        },
        "public_cloud_connectors_resource_id": "tsbeayhnreovxnkbtbrvnuielziq",
        "public_cloud_resource_name": "edkcxntzxplnpl",
    },
    resource_group_name="rgkmsKey",
    tags={
        "key3909": "dxto",
    })

resources:
  kmsKey:
    type: azure-native:awsconnector:KmsKey
    properties:
      location: qozbasr
      name: Replace this value with a string matching RegExp ^(z=.{0,259}[^zs.]$)(z!.*[zzzzzzzz])
      properties:
        arn: qszqxzva
        awsAccountId: rvkcvpmljvwdryvsugsuc
        awsProperties:
          arn: qglsfyxssylnrh
          bypassPolicyLockoutSafetyCheck: true
          description: mjtmquqbhnvjw
          enableKeyRotation: true
          enabled: true
          keyId: hgwon
          keyPolicy: {}
          keySpec: ECC_NIST_P256
          keyUsage: ENCRYPT_DECRYPT
          multiRegion: true
          origin: AWS_KMS
          pendingWindowInDays: 7
          rotationPeriodInDays: 4
          tags:
            - key: eprsfobey
              value: lcaeaqxughlzgzhbbi
        awsRegion: hvyzzutginnqrhgkyyripyqhqkofm
        awsSourceSchema: cvatoa
        awsTags:
          key8656: ctsbcnfhcvojqkiouaoyaetkdt
        publicCloudConnectorsResourceId: tsbeayhnreovxnkbtbrvnuielziq
        publicCloudResourceName: edkcxntzxplnpl
      resourceGroupName: rgkmsKey
      tags:
        key3909: dxto

Create KmsKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new KmsKey(name: string, args: KmsKeyArgs, opts?: CustomResourceOptions);

@overload
def KmsKey(resource_name: str,
           args: KmsKeyArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def KmsKey(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           resource_group_name: Optional[str] = None,
           location: Optional[str] = None,
           name: Optional[str] = None,
           properties: Optional[KmsKeyPropertiesArgs] = None,
           tags: Optional[Mapping[str, str]] = None)

func NewKmsKey(ctx *Context, name string, args KmsKeyArgs, opts ...ResourceOption) (*KmsKey, error)

public KmsKey(string name, KmsKeyArgs args, CustomResourceOptions? opts = null)

public KmsKey(String name, KmsKeyArgs args)
public KmsKey(String name, KmsKeyArgs args, CustomResourceOptions options)

type: azure-native:awsconnector:KmsKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var kmsKeyResource = new AzureNative.AwsConnector.KmsKey("kmsKeyResource", new()
{
    ResourceGroupName = "string",
    Location = "string",
    Name = "string",
    Properties = new AzureNative.AwsConnector.Inputs.KmsKeyPropertiesArgs
    {
        Arn = "string",
        AwsAccountId = "string",
        AwsProperties = new AzureNative.AwsConnector.Inputs.AwsKmsKeyPropertiesArgs
        {
            Arn = "string",
            BypassPolicyLockoutSafetyCheck = false,
            Description = "string",
            EnableKeyRotation = false,
            Enabled = false,
            KeyId = "string",
            KeyPolicy = "any",
            KeySpec = "string",
            KeyUsage = "string",
            MultiRegion = false,
            Origin = "string",
            PendingWindowInDays = 0,
            RotationPeriodInDays = 0,
            Tags = new[]
            {
                new AzureNative.AwsConnector.Inputs.TagArgs
                {
                    Key = "string",
                    Value = "string",
                },
            },
        },
        AwsRegion = "string",
        AwsSourceSchema = "string",
        AwsTags = 
        {
            { "string", "string" },
        },
        PublicCloudConnectorsResourceId = "string",
        PublicCloudResourceName = "string",
    },
    Tags = 
    {
        { "string", "string" },
    },
});

example, err := awsconnector.NewKmsKey(ctx, "kmsKeyResource", &awsconnector.KmsKeyArgs{
	ResourceGroupName: pulumi.String("string"),
	Location:          pulumi.String("string"),
	Name:              pulumi.String("string"),
	Properties: &awsconnector.KmsKeyPropertiesArgs{
		Arn:          pulumi.String("string"),
		AwsAccountId: pulumi.String("string"),
		AwsProperties: &awsconnector.AwsKmsKeyPropertiesArgs{
			Arn:                            pulumi.String("string"),
			BypassPolicyLockoutSafetyCheck: pulumi.Bool(false),
			Description:                    pulumi.String("string"),
			EnableKeyRotation:              pulumi.Bool(false),
			Enabled:                        pulumi.Bool(false),
			KeyId:                          pulumi.String("string"),
			KeyPolicy:                      pulumi.Any("any"),
			KeySpec:                        pulumi.String("string"),
			KeyUsage:                       pulumi.String("string"),
			MultiRegion:                    pulumi.Bool(false),
			Origin:                         pulumi.String("string"),
			PendingWindowInDays:            pulumi.Int(0),
			RotationPeriodInDays:           pulumi.Int(0),
			Tags: awsconnector.TagArray{
				&awsconnector.TagArgs{
					Key:   pulumi.String("string"),
					Value: pulumi.String("string"),
				},
			},
		},
		AwsRegion:       pulumi.String("string"),
		AwsSourceSchema: pulumi.String("string"),
		AwsTags: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		PublicCloudConnectorsResourceId: pulumi.String("string"),
		PublicCloudResourceName:         pulumi.String("string"),
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})

var kmsKeyResource = new KmsKey("kmsKeyResource", KmsKeyArgs.builder()
    .resourceGroupName("string")
    .location("string")
    .name("string")
    .properties(KmsKeyPropertiesArgs.builder()
        .arn("string")
        .awsAccountId("string")
        .awsProperties(AwsKmsKeyPropertiesArgs.builder()
            .arn("string")
            .bypassPolicyLockoutSafetyCheck(false)
            .description("string")
            .enableKeyRotation(false)
            .enabled(false)
            .keyId("string")
            .keyPolicy("any")
            .keySpec("string")
            .keyUsage("string")
            .multiRegion(false)
            .origin("string")
            .pendingWindowInDays(0)
            .rotationPeriodInDays(0)
            .tags(TagArgs.builder()
                .key("string")
                .value("string")
                .build())
            .build())
        .awsRegion("string")
        .awsSourceSchema("string")
        .awsTags(Map.of("string", "string"))
        .publicCloudConnectorsResourceId("string")
        .publicCloudResourceName("string")
        .build())
    .tags(Map.of("string", "string"))
    .build());

kms_key_resource = azure_native.awsconnector.KmsKey("kmsKeyResource",
    resource_group_name="string",
    location="string",
    name="string",
    properties={
        "arn": "string",
        "aws_account_id": "string",
        "aws_properties": {
            "arn": "string",
            "bypass_policy_lockout_safety_check": False,
            "description": "string",
            "enable_key_rotation": False,
            "enabled": False,
            "key_id": "string",
            "key_policy": "any",
            "key_spec": "string",
            "key_usage": "string",
            "multi_region": False,
            "origin": "string",
            "pending_window_in_days": 0,
            "rotation_period_in_days": 0,
            "tags": [{
                "key": "string",
                "value": "string",
            }],
        },
        "aws_region": "string",
        "aws_source_schema": "string",
        "aws_tags": {
            "string": "string",
        },
        "public_cloud_connectors_resource_id": "string",
        "public_cloud_resource_name": "string",
    },
    tags={
        "string": "string",
    })

const kmsKeyResource = new azure_native.awsconnector.KmsKey("kmsKeyResource", {
    resourceGroupName: "string",
    location: "string",
    name: "string",
    properties: {
        arn: "string",
        awsAccountId: "string",
        awsProperties: {
            arn: "string",
            bypassPolicyLockoutSafetyCheck: false,
            description: "string",
            enableKeyRotation: false,
            enabled: false,
            keyId: "string",
            keyPolicy: "any",
            keySpec: "string",
            keyUsage: "string",
            multiRegion: false,
            origin: "string",
            pendingWindowInDays: 0,
            rotationPeriodInDays: 0,
            tags: [{
                key: "string",
                value: "string",
            }],
        },
        awsRegion: "string",
        awsSourceSchema: "string",
        awsTags: {
            string: "string",
        },
        publicCloudConnectorsResourceId: "string",
        publicCloudResourceName: "string",
    },
    tags: {
        string: "string",
    },
});

type: azure-native:awsconnector:KmsKey
properties:
    location: string
    name: string
    properties:
        arn: string
        awsAccountId: string
        awsProperties:
            arn: string
            bypassPolicyLockoutSafetyCheck: false
            description: string
            enableKeyRotation: false
            enabled: false
            keyId: string
            keyPolicy: any
            keySpec: string
            keyUsage: string
            multiRegion: false
            origin: string
            pendingWindowInDays: 0
            rotationPeriodInDays: 0
            tags:
                - key: string
                  value: string
        awsRegion: string
        awsSourceSchema: string
        awsTags:
            string: string
        publicCloudConnectorsResourceId: string
        publicCloudResourceName: string
    resourceGroupName: string
    tags:
        string: string

KmsKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The KmsKey resource accepts the following input properties:

ResourceGroupName string: The name of the resource group. The name is case insensitive.
Location string: The geo-location where the resource lives
Name string: Name of KmsKey
Properties Pulumi.AzureNative.AwsConnector.Inputs.KmsKeyProperties: The resource-specific properties for this resource.
Tags Dictionary<string, string>: Resource tags.

ResourceGroupName string: The name of the resource group. The name is case insensitive.
Location string: The geo-location where the resource lives
Name string: Name of KmsKey
Properties KmsKeyPropertiesArgs: The resource-specific properties for this resource.
Tags map[string]string: Resource tags.

resourceGroupName String: The name of the resource group. The name is case insensitive.
location String: The geo-location where the resource lives
name String: Name of KmsKey
properties KmsKeyProperties: The resource-specific properties for this resource.
tags Map<String,String>: Resource tags.

resourceGroupName string: The name of the resource group. The name is case insensitive.
location string: The geo-location where the resource lives
name string: Name of KmsKey
properties KmsKeyProperties: The resource-specific properties for this resource.
tags {[key: string]: string}: Resource tags.

resource_group_name str: The name of the resource group. The name is case insensitive.
location str: The geo-location where the resource lives
name str: Name of KmsKey
properties KmsKeyPropertiesArgs: The resource-specific properties for this resource.
tags Mapping[str, str]: Resource tags.

resourceGroupName String: The name of the resource group. The name is case insensitive.
location String: The geo-location where the resource lives
name String: Name of KmsKey
properties Property Map: The resource-specific properties for this resource.
tags Map<String>: Resource tags.

Outputs

All input properties are implicitly available as output properties. Additionally, the KmsKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
SystemData Pulumi.AzureNative.AwsConnector.Outputs.SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

Id string: The provider-assigned unique ID for this managed resource.
SystemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

id String: The provider-assigned unique ID for this managed resource.
systemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

id string: The provider-assigned unique ID for this managed resource.
systemData SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type string: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

id str: The provider-assigned unique ID for this managed resource.
system_data SystemDataResponse: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type str: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

id String: The provider-assigned unique ID for this managed resource.
systemData Property Map: Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

Supporting Types

AwsKmsKeyProperties, AwsKmsKeyPropertiesArgs

Arn string: Property arn
BypassPolicyLockoutSafetyCheck bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
Description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
EnableKeyRotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
Enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
KeyId string: Property keyId
KeyPolicy object: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
KeySpec string | Pulumi.AzureNative.AwsConnector.KeySpec: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
KeyUsage string | Pulumi.AzureNative.AwsConnector.KeyUsage: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
MultiRegion bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
Origin string | Pulumi.AzureNative.AwsConnector.Origin: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
PendingWindowInDays int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
RotationPeriodInDays int: Property rotationPeriodInDays
Tags List<Pulumi.AzureNative.AwsConnector.Inputs.Tag>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

Arn string: Property arn
BypassPolicyLockoutSafetyCheck bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
Description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
EnableKeyRotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
Enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
KeyId string: Property keyId
KeyPolicy interface{}: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
KeySpec string | KeySpec: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
KeyUsage string | KeyUsage: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
MultiRegion bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
Origin string | Origin: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
PendingWindowInDays int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
RotationPeriodInDays int: Property rotationPeriodInDays
Tags []Tag: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn String: Property arn
bypassPolicyLockoutSafetyCheck Boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description String: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation Boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled Boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId String: Property keyId
keyPolicy Object: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec String | KeySpec: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage String | KeyUsage: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion Boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin String | Origin: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays Integer: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays Integer: Property rotationPeriodInDays
tags List<Tag>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn string: Property arn
bypassPolicyLockoutSafetyCheck boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId string: Property keyId
keyPolicy any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec string | KeySpec: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage string | KeyUsage: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin string | Origin: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays number: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays number: Property rotationPeriodInDays
tags Tag[]: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn str: Property arn
bypass_policy_lockout_safety_check bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description str: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enable_key_rotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
key_id str: Property keyId
key_policy Any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
key_spec str | KeySpec: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
key_usage str | KeyUsage: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multi_region bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin str | Origin: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pending_window_in_days int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotation_period_in_days int: Property rotationPeriodInDays
tags Sequence[Tag]: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn String: Property arn
bypassPolicyLockoutSafetyCheck Boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description String: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation Boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled Boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId String: Property keyId
keyPolicy Any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec String | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "RSA_2048" | "RSA_3072" | "RSA_4096" | "SM2" | "SYMMETRIC_DEFAULT": Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage String | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "SIGN_VERIFY": Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion Boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin String | "AWS_KMS" | "EXTERNAL": The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays Number: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays Number: Property rotationPeriodInDays
tags List<Property Map>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

AwsKmsKeyPropertiesResponse, AwsKmsKeyPropertiesResponseArgs

Arn string: Property arn
BypassPolicyLockoutSafetyCheck bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
Description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
EnableKeyRotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
Enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
KeyId string: Property keyId
KeyPolicy object: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
KeySpec string: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
KeyUsage string: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
MultiRegion bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
Origin string: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
PendingWindowInDays int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
RotationPeriodInDays int: Property rotationPeriodInDays
Tags List<Pulumi.AzureNative.AwsConnector.Inputs.TagResponse>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

Arn string: Property arn
BypassPolicyLockoutSafetyCheck bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
Description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
EnableKeyRotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
Enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
KeyId string: Property keyId
KeyPolicy interface{}: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
KeySpec string: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
KeyUsage string: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
MultiRegion bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
Origin string: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
PendingWindowInDays int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
RotationPeriodInDays int: Property rotationPeriodInDays
Tags []TagResponse: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn String: Property arn
bypassPolicyLockoutSafetyCheck Boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description String: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation Boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled Boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId String: Property keyId
keyPolicy Object: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec String: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage String: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion Boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin String: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays Integer: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays Integer: Property rotationPeriodInDays
tags List<TagResponse>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn string: Property arn
bypassPolicyLockoutSafetyCheck boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description string: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId string: Property keyId
keyPolicy any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec string: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage string: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin string: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays number: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays number: Property rotationPeriodInDays
tags TagResponse[]: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn str: Property arn
bypass_policy_lockout_safety_check bool: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description str: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enable_key_rotation bool: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled bool: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
key_id str: Property keyId
key_policy Any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
key_spec str: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
key_usage str: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multi_region bool: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin str: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pending_window_in_days int: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotation_period_in_days int: Property rotationPeriodInDays
tags Sequence[TagResponse]: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

arn String: Property arn
bypassPolicyLockoutSafetyCheck Boolean: Skips ('bypasses') the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key.
description String: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
enableKeyRotation Boolean: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by using AWS::KMS::Key). KMS copies the rotation status to all replica keys. For details, see Rotating multi-Region keys in the Developer Guide. When you enable automatic rotation, KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see Rotating KMS keys in the Developer Guide.
enabled Boolean: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations. For information about the key states of a KMS key, see Key state: Effect on your KMS key in the Developer Guide.
keyId String: Property keyId
keyPolicy Any: The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: + The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see Default key policy in the Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck to true.) + Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to KMS. For more information, see Changes that I make are not always immediately visible in the User Guide. If you do not provide a key policy, KMS attaches a default key policy to the KMS key. For more information, see Default key policy in the Developer Guide. A key policy document can include only the following characters: + Printable ASCII characters + Printable characters in the Basic Latin and Latin-1 Supplement character set + The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special characters Minimum: 1 Maximum: 32768
keySpec String: Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The KeySpec property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the KeySpec property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys: + Symmetric encryption key (default) + SYMMETRIC_DEFAULT (AES-256-GCM) + HMAC keys (symmetric) + HMAC_224 + HMAC_256 + HMAC_384 + HMAC_512 + Asymmetric RSA key pairs + RSA_2048 + RSA_3072 + RSA_4096 + Asymmetric NIST-recommended elliptic curve key pairs + ECC_NIST_P256 (secp256r1) + ECC_NIST_P384 (secp384r1) + ECC_NIST_P521 (secp521r1) + Other asymmetric elliptic curve key pairs + ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + SM2 key pairs (China Regions only) + SM2
keyUsage String: Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. + For symmetric encryption KMS keys, omit the property or specify ENCRYPT_DECRYPT. + For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. + For asymmetric KMS keys with SM2 (China Regions only) key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY. + For HMAC KMS keys, specify GENERATE_VERIFY_MAC.
multiRegion Boolean: Creates a multi-Region primary key that you can replicate in other AWS-Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS-Regions in which multi-Region keys are supported, see Multi-Region keys in in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to true. For a single-Region key, omit this property or set it to false. The default value is false. Multi-Region keys are an KMS feature that lets you create multiple interoperable KMS keys in different AWS-Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS-Region and decrypt it in a different AWS-Region without making a cross-Region call or exposing the plaintext data. For more information, see Multi-Region keys in the Developer Guide. You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS-Region , create an AWS::KMS::ReplicaKey resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.
origin String: The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore ENABLED when Origin is EXTERNAL. When a KMS key with Origin EXTERNAL is created, the key state is PENDING_IMPORT and ENABLED is false. After you import the key material, ENABLED updated to true. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an Origin parameter of the AWS_CLOUDHSM or EXTERNAL_KEY_STORE values.
pendingWindowInDays Number: Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of KMS key is Pending Deletion or Pending Replica Deletion, which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, KMS permanently deletes the KMS key. KMS will not delete a multi-Region primary key that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to PendingReplicaDeletion so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to PendingDeletion and the waiting period specified by PendingWindowInDays begins. When this waiting period expires, KMS deletes the primary key. For details, see Deleting multi-Region keys in the Developer Guide. You cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the KMS console or the CancelKeyDeletion operation. For information about the Pending Deletion and Pending Replica Deletion key states, see Key state: Effect on your KMS key in the Developer Guide. For more information about deleting KMS keys, see the ScheduleKeyDeletion operation in the API Reference and Deleting KMS keys in the Developer Guide.
rotationPeriodInDays Number: Property rotationPeriodInDays
tags List<Property Map>: Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide. For information about tags in KMS, see Tagging keys in the Developer Guide. For information about tags in CloudFormation, see Tag.

KeySpec, KeySpecArgs

ECC_NIST_P256: ECC_NIST_P256KeySpec enum ECC_NIST_P256
ECC_NIST_P384: ECC_NIST_P384KeySpec enum ECC_NIST_P384
ECC_NIST_P521: ECC_NIST_P521KeySpec enum ECC_NIST_P521
ECC_SECG_P256K1: ECC_SECG_P256K1KeySpec enum ECC_SECG_P256K1
HMAC_224: HMAC_224KeySpec enum HMAC_224
HMAC_256: HMAC_256KeySpec enum HMAC_256
HMAC_384: HMAC_384KeySpec enum HMAC_384
HMAC_512: HMAC_512KeySpec enum HMAC_512
RSA_2048: RSA_2048KeySpec enum RSA_2048
RSA_3072: RSA_3072KeySpec enum RSA_3072
RSA_4096: RSA_4096KeySpec enum RSA_4096
SM2: SM2KeySpec enum SM2
SYMMETRIC_DEFAULT: SYMMETRIC_DEFAULTKeySpec enum SYMMETRIC_DEFAULT

KeySpec_ECC_NIST_P256: ECC_NIST_P256KeySpec enum ECC_NIST_P256
KeySpec_ECC_NIST_P384: ECC_NIST_P384KeySpec enum ECC_NIST_P384
KeySpec_ECC_NIST_P521: ECC_NIST_P521KeySpec enum ECC_NIST_P521
KeySpec_ECC_SECG_P256K1: ECC_SECG_P256K1KeySpec enum ECC_SECG_P256K1
KeySpec_HMAC_224: HMAC_224KeySpec enum HMAC_224
KeySpec_HMAC_256: HMAC_256KeySpec enum HMAC_256
KeySpec_HMAC_384: HMAC_384KeySpec enum HMAC_384
KeySpec_HMAC_512: HMAC_512KeySpec enum HMAC_512
KeySpec_RSA_2048: RSA_2048KeySpec enum RSA_2048
KeySpec_RSA_3072: RSA_3072KeySpec enum RSA_3072
KeySpec_RSA_4096: RSA_4096KeySpec enum RSA_4096
KeySpecSM2: SM2KeySpec enum SM2
KeySpec_SYMMETRIC_DEFAULT: SYMMETRIC_DEFAULTKeySpec enum SYMMETRIC_DEFAULT

ECC_NIST_P256: ECC_NIST_P256KeySpec enum ECC_NIST_P256
ECC_NIST_P384: ECC_NIST_P384KeySpec enum ECC_NIST_P384
ECC_NIST_P521: ECC_NIST_P521KeySpec enum ECC_NIST_P521
ECC_SECG_P256K1: ECC_SECG_P256K1KeySpec enum ECC_SECG_P256K1
HMAC_224: HMAC_224KeySpec enum HMAC_224
HMAC_256: HMAC_256KeySpec enum HMAC_256
HMAC_384: HMAC_384KeySpec enum HMAC_384
HMAC_512: HMAC_512KeySpec enum HMAC_512
RSA_2048: RSA_2048KeySpec enum RSA_2048
RSA_3072: RSA_3072KeySpec enum RSA_3072
RSA_4096: RSA_4096KeySpec enum RSA_4096
SM2: SM2KeySpec enum SM2
SYMMETRIC_DEFAULT: SYMMETRIC_DEFAULTKeySpec enum SYMMETRIC_DEFAULT

ECC_NIST_P256: ECC_NIST_P256KeySpec enum ECC_NIST_P256
ECC_NIST_P384: ECC_NIST_P384KeySpec enum ECC_NIST_P384
ECC_NIST_P521: ECC_NIST_P521KeySpec enum ECC_NIST_P521
ECC_SECG_P256K1: ECC_SECG_P256K1KeySpec enum ECC_SECG_P256K1
HMAC_224: HMAC_224KeySpec enum HMAC_224
HMAC_256: HMAC_256KeySpec enum HMAC_256
HMAC_384: HMAC_384KeySpec enum HMAC_384
HMAC_512: HMAC_512KeySpec enum HMAC_512
RSA_2048: RSA_2048KeySpec enum RSA_2048
RSA_3072: RSA_3072KeySpec enum RSA_3072
RSA_4096: RSA_4096KeySpec enum RSA_4096
SM2: SM2KeySpec enum SM2
SYMMETRIC_DEFAULT: SYMMETRIC_DEFAULTKeySpec enum SYMMETRIC_DEFAULT

EC_C_NIS_T_P256: ECC_NIST_P256KeySpec enum ECC_NIST_P256
EC_C_NIS_T_P384: ECC_NIST_P384KeySpec enum ECC_NIST_P384
EC_C_NIS_T_P521: ECC_NIST_P521KeySpec enum ECC_NIST_P521
EC_C_SEC_G_P256_K1: ECC_SECG_P256K1KeySpec enum ECC_SECG_P256K1
HMA_C_224: HMAC_224KeySpec enum HMAC_224
HMA_C_256: HMAC_256KeySpec enum HMAC_256
HMA_C_384: HMAC_384KeySpec enum HMAC_384
HMA_C_512: HMAC_512KeySpec enum HMAC_512
RS_A_2048: RSA_2048KeySpec enum RSA_2048
RS_A_3072: RSA_3072KeySpec enum RSA_3072
RS_A_4096: RSA_4096KeySpec enum RSA_4096
SM2: SM2KeySpec enum SM2
SYMMETRI_C_DEFAULT: SYMMETRIC_DEFAULTKeySpec enum SYMMETRIC_DEFAULT

"ECC_NIST_P256": ECC_NIST_P256KeySpec enum ECC_NIST_P256
"ECC_NIST_P384": ECC_NIST_P384KeySpec enum ECC_NIST_P384
"ECC_NIST_P521": ECC_NIST_P521KeySpec enum ECC_NIST_P521
"ECC_SECG_P256K1": ECC_SECG_P256K1KeySpec enum ECC_SECG_P256K1
"HMAC_224": HMAC_224KeySpec enum HMAC_224
"HMAC_256": HMAC_256KeySpec enum HMAC_256
"HMAC_384": HMAC_384KeySpec enum HMAC_384
"HMAC_512": HMAC_512KeySpec enum HMAC_512
"RSA_2048": RSA_2048KeySpec enum RSA_2048
"RSA_3072": RSA_3072KeySpec enum RSA_3072
"RSA_4096": RSA_4096KeySpec enum RSA_4096
"SM2": SM2KeySpec enum SM2
"SYMMETRIC_DEFAULT": SYMMETRIC_DEFAULTKeySpec enum SYMMETRIC_DEFAULT

KeyUsage, KeyUsageArgs

ENCRYPT_DECRYPT: ENCRYPT_DECRYPTKeyUsage enum ENCRYPT_DECRYPT
GENERATE_VERIFY_MAC: GENERATE_VERIFY_MACKeyUsage enum GENERATE_VERIFY_MAC
SIGN_VERIFY: SIGN_VERIFYKeyUsage enum SIGN_VERIFY

KeyUsage_ENCRYPT_DECRYPT: ENCRYPT_DECRYPTKeyUsage enum ENCRYPT_DECRYPT
KeyUsage_GENERATE_VERIFY_MAC: GENERATE_VERIFY_MACKeyUsage enum GENERATE_VERIFY_MAC
KeyUsage_SIGN_VERIFY: SIGN_VERIFYKeyUsage enum SIGN_VERIFY

ENCRYPT_DECRYPT: ENCRYPT_DECRYPTKeyUsage enum ENCRYPT_DECRYPT
GENERATE_VERIFY_MAC: GENERATE_VERIFY_MACKeyUsage enum GENERATE_VERIFY_MAC
SIGN_VERIFY: SIGN_VERIFYKeyUsage enum SIGN_VERIFY

ENCRYPT_DECRYPT: ENCRYPT_DECRYPTKeyUsage enum ENCRYPT_DECRYPT
GENERATE_VERIFY_MAC: GENERATE_VERIFY_MACKeyUsage enum GENERATE_VERIFY_MAC
SIGN_VERIFY: SIGN_VERIFYKeyUsage enum SIGN_VERIFY

ENCRYP_T_DECRYPT: ENCRYPT_DECRYPTKeyUsage enum ENCRYPT_DECRYPT
GENERAT_E_VERIF_Y_MAC: GENERATE_VERIFY_MACKeyUsage enum GENERATE_VERIFY_MAC
SIG_N_VERIFY: SIGN_VERIFYKeyUsage enum SIGN_VERIFY

"ENCRYPT_DECRYPT": ENCRYPT_DECRYPTKeyUsage enum ENCRYPT_DECRYPT
"GENERATE_VERIFY_MAC": GENERATE_VERIFY_MACKeyUsage enum GENERATE_VERIFY_MAC
"SIGN_VERIFY": SIGN_VERIFYKeyUsage enum SIGN_VERIFY

KmsKeyProperties, KmsKeyPropertiesArgs

Arn string: Amazon Resource Name (ARN)
AwsAccountId string: AWS Account ID
AwsProperties Pulumi.AzureNative.AwsConnector.Inputs.AwsKmsKeyProperties: AWS Properties
AwsRegion string: AWS Region
AwsSourceSchema string: AWS Source Schema
AwsTags Dictionary<string, string>: AWS Tags
PublicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
PublicCloudResourceName string: Public Cloud Resource Name

Arn string: Amazon Resource Name (ARN)
AwsAccountId string: AWS Account ID
AwsProperties AwsKmsKeyProperties: AWS Properties
AwsRegion string: AWS Region
AwsSourceSchema string: AWS Source Schema
AwsTags map[string]string: AWS Tags
PublicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
PublicCloudResourceName string: Public Cloud Resource Name

arn String: Amazon Resource Name (ARN)
awsAccountId String: AWS Account ID
awsProperties AwsKmsKeyProperties: AWS Properties
awsRegion String: AWS Region
awsSourceSchema String: AWS Source Schema
awsTags Map<String,String>: AWS Tags
publicCloudConnectorsResourceId String: Public Cloud Connectors Resource ID
publicCloudResourceName String: Public Cloud Resource Name

arn string: Amazon Resource Name (ARN)
awsAccountId string: AWS Account ID
awsProperties AwsKmsKeyProperties: AWS Properties
awsRegion string: AWS Region
awsSourceSchema string: AWS Source Schema
awsTags {[key: string]: string}: AWS Tags
publicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
publicCloudResourceName string: Public Cloud Resource Name

arn str: Amazon Resource Name (ARN)
aws_account_id str: AWS Account ID
aws_properties AwsKmsKeyProperties: AWS Properties
aws_region str: AWS Region
aws_source_schema str: AWS Source Schema
aws_tags Mapping[str, str]: AWS Tags
public_cloud_connectors_resource_id str: Public Cloud Connectors Resource ID
public_cloud_resource_name str: Public Cloud Resource Name

arn String: Amazon Resource Name (ARN)
awsAccountId String: AWS Account ID
awsProperties Property Map: AWS Properties
awsRegion String: AWS Region
awsSourceSchema String: AWS Source Schema
awsTags Map<String>: AWS Tags
publicCloudConnectorsResourceId String: Public Cloud Connectors Resource ID
publicCloudResourceName String: Public Cloud Resource Name

KmsKeyPropertiesResponse, KmsKeyPropertiesResponseArgs

ProvisioningState string: The status of the last operation.
Arn string: Amazon Resource Name (ARN)
AwsAccountId string: AWS Account ID
AwsProperties Pulumi.AzureNative.AwsConnector.Inputs.AwsKmsKeyPropertiesResponse: AWS Properties
AwsRegion string: AWS Region
AwsSourceSchema string: AWS Source Schema
AwsTags Dictionary<string, string>: AWS Tags
PublicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
PublicCloudResourceName string: Public Cloud Resource Name

ProvisioningState string: The status of the last operation.
Arn string: Amazon Resource Name (ARN)
AwsAccountId string: AWS Account ID
AwsProperties AwsKmsKeyPropertiesResponse: AWS Properties
AwsRegion string: AWS Region
AwsSourceSchema string: AWS Source Schema
AwsTags map[string]string: AWS Tags
PublicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
PublicCloudResourceName string: Public Cloud Resource Name

provisioningState String: The status of the last operation.
arn String: Amazon Resource Name (ARN)
awsAccountId String: AWS Account ID
awsProperties AwsKmsKeyPropertiesResponse: AWS Properties
awsRegion String: AWS Region
awsSourceSchema String: AWS Source Schema
awsTags Map<String,String>: AWS Tags
publicCloudConnectorsResourceId String: Public Cloud Connectors Resource ID
publicCloudResourceName String: Public Cloud Resource Name

provisioningState string: The status of the last operation.
arn string: Amazon Resource Name (ARN)
awsAccountId string: AWS Account ID
awsProperties AwsKmsKeyPropertiesResponse: AWS Properties
awsRegion string: AWS Region
awsSourceSchema string: AWS Source Schema
awsTags {[key: string]: string}: AWS Tags
publicCloudConnectorsResourceId string: Public Cloud Connectors Resource ID
publicCloudResourceName string: Public Cloud Resource Name

provisioning_state str: The status of the last operation.
arn str: Amazon Resource Name (ARN)
aws_account_id str: AWS Account ID
aws_properties AwsKmsKeyPropertiesResponse: AWS Properties
aws_region str: AWS Region
aws_source_schema str: AWS Source Schema
aws_tags Mapping[str, str]: AWS Tags
public_cloud_connectors_resource_id str: Public Cloud Connectors Resource ID
public_cloud_resource_name str: Public Cloud Resource Name

provisioningState String: The status of the last operation.
arn String: Amazon Resource Name (ARN)
awsAccountId String: AWS Account ID
awsProperties Property Map: AWS Properties
awsRegion String: AWS Region
awsSourceSchema String: AWS Source Schema
awsTags Map<String>: AWS Tags
publicCloudConnectorsResourceId String: Public Cloud Connectors Resource ID
publicCloudResourceName String: Public Cloud Resource Name

Origin, OriginArgs

AWS_KMS: AWS_KMSOrigin enum AWS_KMS
EXTERNAL: EXTERNALOrigin enum EXTERNAL

Origin_AWS_KMS: AWS_KMSOrigin enum AWS_KMS
OriginEXTERNAL: EXTERNALOrigin enum EXTERNAL

AWS_KMS: AWS_KMSOrigin enum AWS_KMS
EXTERNAL: EXTERNALOrigin enum EXTERNAL

AWS_KMS: AWS_KMSOrigin enum AWS_KMS
EXTERNAL: EXTERNALOrigin enum EXTERNAL

AW_S_KMS: AWS_KMSOrigin enum AWS_KMS
EXTERNAL: EXTERNALOrigin enum EXTERNAL

"AWS_KMS": AWS_KMSOrigin enum AWS_KMS
"EXTERNAL": EXTERNALOrigin enum EXTERNAL

SystemDataResponse, SystemDataResponseArgs

CreatedAt string: The timestamp of resource creation (UTC).
CreatedBy string: The identity that created the resource.
CreatedByType string: The type of identity that created the resource.
LastModifiedAt string: The timestamp of resource last modification (UTC)
LastModifiedBy string: The identity that last modified the resource.
LastModifiedByType string: The type of identity that last modified the resource.

CreatedAt string: The timestamp of resource creation (UTC).
CreatedBy string: The identity that created the resource.
CreatedByType string: The type of identity that created the resource.
LastModifiedAt string: The timestamp of resource last modification (UTC)
LastModifiedBy string: The identity that last modified the resource.
LastModifiedByType string: The type of identity that last modified the resource.

createdAt String: The timestamp of resource creation (UTC).
createdBy String: The identity that created the resource.
createdByType String: The type of identity that created the resource.
lastModifiedAt String: The timestamp of resource last modification (UTC)
lastModifiedBy String: The identity that last modified the resource.
lastModifiedByType String: The type of identity that last modified the resource.

createdAt string: The timestamp of resource creation (UTC).
createdBy string: The identity that created the resource.
createdByType string: The type of identity that created the resource.
lastModifiedAt string: The timestamp of resource last modification (UTC)
lastModifiedBy string: The identity that last modified the resource.
lastModifiedByType string: The type of identity that last modified the resource.

created_at str: The timestamp of resource creation (UTC).
created_by str: The identity that created the resource.
created_by_type str: The type of identity that created the resource.
last_modified_at str: The timestamp of resource last modification (UTC)
last_modified_by str: The identity that last modified the resource.
last_modified_by_type str: The type of identity that last modified the resource.

createdAt String: The timestamp of resource creation (UTC).
createdBy String: The identity that created the resource.
createdByType String: The type of identity that created the resource.
lastModifiedAt String: The timestamp of resource last modification (UTC)
lastModifiedBy String: The identity that last modified the resource.
lastModifiedByType String: The type of identity that last modified the resource.

Tag, TagArgs

Key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

Key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key String: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value String: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key str: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value str: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key String: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value String: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

TagResponse, TagResponseArgs

Key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

Key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key String: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value String: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key string: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value string: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key str: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value str: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

key String: The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
value String: The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:awsconnector:KmsKey dfo /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AwsConnector/kmsKeys/{name}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Native pulumi/pulumi-azure-native
License: Apache-2.0

This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.

Azure Native v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

pulumi/pulumi-azure-native

azure-native.awsconnector.KmsKey

On this page

On this page

Example Usage

KmsKeys_CreateOrReplace

Create KmsKey Resource

Constructor syntax

Parameters

Constructor example

KmsKey Resource Properties

Inputs

Outputs

Supporting Types

AwsKmsKeyProperties, AwsKmsKeyPropertiesArgs

AwsKmsKeyPropertiesResponse, AwsKmsKeyPropertiesResponseArgs

KeySpec, KeySpecArgs

KeyUsage, KeyUsageArgs

KmsKeyProperties, KmsKeyPropertiesArgs

KmsKeyPropertiesResponse, KmsKeyPropertiesResponseArgs

Origin, OriginArgs

SystemDataResponse, SystemDataResponseArgs

Tag, TagArgs

TagResponse, TagResponseArgs

Import

Package Details

On this page

On this page