keyUsage

Determines the cryptographic operations for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT`. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the `KeyUsage` value after the KMS key is created. If you change the value of the `KeyUsage` property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value.

• For symmetric encryption KMS keys, omit the parameter or specify `ENCRYPT_DECRYPT`.

• For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.

• For asymmetric KMS keys with RSA key pairs, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.

• For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.

• For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify `SIGN_VERIFY`.

• For asymmetric KMS keys with SM2 key pairs (China Regions only), specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.