Package software.amazon.awscdk.services.kms

AWS Key Management Service Construct Library

See: Description

Interface Summary

Interface	Description
AliasAttributes	(experimental) Properties of a reference to an existing KMS Alias.
AliasProps	(experimental) Construction properties for a KMS Key Alias object.
CfnAliasProps	Properties for defining a `AWS::KMS::Alias`.
CfnKeyProps	Properties for defining a `AWS::KMS::Key`.
IAlias	(experimental) A KMS Key alias.
IAlias.Jsii$Default	Internal default implementation for IAlias.
IKey	(experimental) A KMS Key, either managed by this CDK app, or imported.
IKey.Jsii$Default	Internal default implementation for IKey.
KeyProps	(experimental) Construction properties for a KMS Key object.

Class Summary

Class	Description
Alias	(experimental) Defines a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS).
Alias.Builder	(experimental) A fluent builder for Alias.
AliasAttributes.Builder	A builder for AliasAttributes
AliasAttributes.Jsii$Proxy	An implementation for AliasAttributes
AliasProps.Builder	A builder for AliasProps
AliasProps.Jsii$Proxy	An implementation for AliasProps
CfnAlias	A CloudFormation `AWS::KMS::Alias`.
CfnAlias.Builder	A fluent builder for CfnAlias.
CfnAliasProps.Builder	A builder for CfnAliasProps
CfnAliasProps.Jsii$Proxy	An implementation for CfnAliasProps
CfnKey	A CloudFormation `AWS::KMS::Key`.
CfnKey.Builder	A fluent builder for CfnKey.
CfnKeyProps.Builder	A builder for CfnKeyProps
CfnKeyProps.Jsii$Proxy	An implementation for CfnKeyProps
IAlias.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IKey.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
Key	(experimental) Defines a KMS key.
Key.Builder	(experimental) A fluent builder for Key.
KeyProps.Builder	A builder for KeyProps
KeyProps.Jsii$Proxy	An implementation for KeyProps
ViaServicePrincipal	(experimental) A principal to allow access to a key if it's being used through another AWS service.

Enum Summary

Enum	Description
KeySpec	(experimental) The key spec, represents the cryptographic configuration of keys.
KeyUsage	(experimental) The key usage, represents the cryptographic operations of keys.

Package software.amazon.awscdk.services.kms Description

AWS Key Management Service Construct Library

---

Define a KMS key:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_kms;
 
 
 new Key(this, "MyKey", new KeyProps()
         .enableKeyRotation(true));
 

Define a KMS key with waiting period:

Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object key = Key.Builder.create(this, "MyKey")
         .pendingWindow(10)
         .build();
 

Add a couple of aliases:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object key = new Key(this, "MyKey");
 key.addAlias("alias/foo");
 key.addAlias("alias/bar");
 

Define a key with specific key spec and key usage:

Valid keySpec values depends on keyUsage value.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object key = Key.Builder.create(this, "MyKey")
         .keySpec(kms.KeySpec.getECC_SECG_P256K1())// Default to SYMMETRIC_DEFAULT
         .keyUsage(kms.KeyUsage.getSIGN_VERIFY())
         .build();
 

Sharing keys between stacks

To use a KMS key in a different stack in the same CDK application, pass the construct to the other stack:

sharing key between stacks

Importing existing keys

To use a KMS key that is not defined in this CDK app, but is created through other means, use Key.fromKeyArn(parent, name, ref):

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object myKeyImported = kms.Key.fromKeyArn(this, "MyImportedKey", "arn:aws:...");
 
 // you can do stuff with this imported key.
 myKeyImported.addAlias("alias/foo");
 

Note that a call to .addToPolicy(statement) on myKeyImported will not have an affect on the key's policy because it is not owned by your stack. The call will be a no-op.

If a Key has an associated Alias, the Alias can be imported by name and used in place of the Key as a reference. A common scenario for this is in referencing AWS managed keys.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object myKeyAlias = kms.Alias.fromAliasName(this, "myKey", "alias/aws/s3");
 Object trail = Trail.Builder.create(this, "myCloudTrail")
         .sendToCloudWatchLogs(true)
         .kmsKey(myKeyAlias)
         .build();
 

Note that calls to addToResourcePolicy and grant* methods on myKeyAlias will be no-ops, and addAlias and aliasTargetKey will fail, as the imported alias does not have a reference to the underlying KMS Key.

Key Policies

Controlling access and usage of KMS Keys requires the use of key policies (resource-based policies attached to the key); this is in contrast to most other AWS resources where access can be entirely controlled with IAM policies, and optionally complemented with resource policies. For more in-depth understanding of KMS key access and policies, see

• https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html
• https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

KMS keys can be created to trust IAM policies. This is the default behavior for both the KMS APIs and in the console. This behavior is enabled by the '@aws-cdk/aws-kms:defaultKeyPolicies' feature flag, which is set for all new projects; for existing projects, this same behavior can be enabled by passing the trustAccountIdentities property as true when creating the key:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Key.Builder.create(stack, "MyKey").trustAccountIdentities(true).build();
 

With either the @aws-cdk/aws-kms:defaultKeyPolicies feature flag set, or the trustAccountIdentities prop set, the Key will be given the following default key policy:

 {
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "kms:*",
   "Resource": "*"
 }
 

This policy grants full access to the key to the root account user. This enables the root account user -- via IAM policies -- to grant access to other IAM principals. With the above default policy, future permissions can be added to either the key policy or IAM principal policy.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object key = new Key(stack, "MyKey");
 User user = new User(stack, "MyUser");
 key.grantEncrypt(user);
 

Adopting the default KMS key policy (and so trusting account identities) solves many issues around cyclic dependencies between stacks. Without this default key policy, future permissions must be added to both the key policy and IAM principal policy, which can cause cyclic dependencies if the permissions cross stack boundaries. (For example, an encrypted bucket in one stack, and Lambda function that accesses it in another.)

Appending to or replacing the default key policy

The default key policy can be amended or replaced entirely, depending on your use case and requirements. A common addition to the key policy would be to add other key admins that are allowed to administer the key (e.g., change permissions, revoke, delete). Additional key admins can be specified at key creation or after via the grantAdmin method.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 IRole myTrustedAdminRole = iam.Role.fromRoleArn(stack, "TrustedRole", "arn:aws:iam:....");
 Object key = Key.Builder.create(stack, "MyKey")
         .admins(asList(myTrustedAdminRole))
         .build();
 
 Object secondKey = new Key(stack, "MyKey2");
 secondKey.grantAdmin(myTrustedAdminRole);
 

Alternatively, a custom key policy can be specified, which will replace the default key policy.

Note: In applications without the '@aws-cdk/aws-kms:defaultKeyPolicies' feature flag set and with trustedAccountIdentities set to false (the default), specifying a policy at key creation appends the provided policy to the default key policy, rather than replacing the default policy.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 IRole myTrustedAdminRole = iam.Role.fromRoleArn(stack, "TrustedRole", "arn:aws:iam:....");
 // Creates a limited admin policy and assigns to the account root.
 PolicyDocument myCustomPolicy = new PolicyDocument(new PolicyDocumentProps()
         .statements(asList(new PolicyStatement(new PolicyStatementProps()
                 .actions(asList("kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*"))
                 .principals(asList(new AccountRootPrincipal()))
                 .resources(asList("*"))))));
 Object key = Key.Builder.create(stack, "MyKey")
         .policy(myCustomPolicy)
         .build();
 

Warning: Replacing the default key policy with one that only grants access to a specific user or role runs the risk of the key becoming unmanageable if that user or role is deleted. It is highly recommended that the key policy grants access to the account root, rather than specific principals. See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html for more information.