KmsFunctions

Functions

suspend fun getAlias(argument: GetAliasPlainArgs): GetAliasResult

The `AWS::KMS::Alias` resource specifies a display name for a KMS key. You can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.

Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Developer Guide.

Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions. For more information, see Using aliases in the Developer Guide. When specifying an alias, observe the following rules.

suspend fun getAlias(aliasName: String): GetAliasResult
suspend fun getAlias(argument: suspend GetAliasPlainArgsBuilder.() -> Unit): GetAliasResult
suspend fun getKey(argument: GetKeyPlainArgs): GetKeyResult

The `AWS::KMS::Key` resource specifies a KMS key in AWS Key Management Service (KMS). You can use this resource to create symmetric encryption KMS keys, asymmetric KMS keys for encryption or signing, and symmetric HMAC KMS keys. You can use `AWS::KMS::Key` to create multi-Region primary keys of all supported types. To replicate a multi-Region key, use the `AWS::KMS::ReplicaKey` resource.

If you change the value of the `KeySpec`, `KeyUsage`, `Origin`, or `MultiRegion` properties of an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing any of its immutable property values.

KMS replaced the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.

You can use symmetric encryption KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use a symmetric encryption KMS key to encrypt data stored in AWS services that are integrated with KMS. For more information, see Symmetric encryption KMS keys in the Developer Guide.

You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric `KeySpec` value and a `KeyUsage` value. For details, see Asymmetric keys in KMS in the Developer Guide.

You can use HMAC KMS keys (which are also symmetric keys) to generate and verify hash-based message authentication codes. To create an HMAC key, you must specify an HMAC `KeySpec` value and a `KeyUsage` value of `GENERATE_VERIFY_MAC`. For details, see HMAC keys in KMS in the Developer Guide.

You can also create symmetric encryption, asymmetric, and HMAC multi-Region primary keys. To create a multi-Region primary key, set the `MultiRegion` property to `true`. For information about multi-Region keys, see Multi-Region keys in KMS in the Developer Guide.

You cannot use the `AWS::KMS::Key` resource to specify a KMS key with imported key material or a KMS key in a custom key store.

Regions: KMS CloudFormation resources are available in all Regions in which KMS and CloudFormation are supported. You can use the `AWS::KMS::Key` resource to create and manage all KMS key types that are supported in a Region.

suspend fun getKey(keyId: String): GetKeyResult
suspend fun getKey(argument: suspend GetKeyPlainArgsBuilder.() -> Unit): GetKeyResult

The `AWS::KMS::ReplicaKey` resource specifies a multi-Region replica AWS KMS key in AWS Key Management Service (AWS KMS).