Resource: awsKmsKey

Manages a single-Region or multi-Region primary KMS key.

~> NOTE on KMS Key Policy: A KMS key policy can be configured either in the standalone resource awsKmsKeyPolicy or with the policy parameter of this resource. Configuring both will cause inconsistencies and may overwrite configuration.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.kmsKey.KmsKey(this, "a", {
  deletionWindowInDays: 10,
  description: "KMS key 1",
});

Argument Reference

The following arguments are supported:

  • description - (Optional) The description of the key as viewed in AWS console.
  • keyUsage - (Optional) Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
  • customKeyStoreId - (Optional) ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
  • customerMasterKeySpec - (Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
  • policy - (Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an awsIamPolicyDocument, in the form that designates a principal, can be used. For more information about building policy documents with Terraform, see the AWS IAM Policy Document Guide.

~> NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

  • bypassPolicyLockoutSafetyCheck - (Optional) A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
  • deletionWindowInDays - (Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
  • isEnabled - (Optional) Specifies whether the key is enabled. Defaults to true.
  • enableKeyRotation - (Optional) Specifies whether key rotation is enabled. Defaults to false.
  • multiRegion - (Optional) Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
  • tags - (Optional) A map of tags to assign to the object. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
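The policy, bypassPolicyLockoutSafetyCheck, deletionWindowInDays and enableKeyRotation arguments above interact: an explicit key policy that grants nobody kms:PutKeyPolicy is exactly what the lockout safety check exists to catch, and a short deletion window or disabled rotation is easy to miss until deployment. The following is an added example, not code from the cdktf provider documentation or the AWS provider: it builds a key policy in the shape the resource accepts (root retains administration, a hypothetical admin role gets control-plane actions, a hypothetical application role gets data-plane actions) and runs local checks on the props before they are passed to the KmsKey constructor. The account id and role ARNs are constructed placeholders; the checks are a simplified stand-in for the documented constraints, not AWS's own validation.

```typescript
// Added example (not part of the cdktf provider docs). Builds a KMS key policy
// and pre-checks KmsKey props against the constraints documented for the
// resource. Account id and role ARNs used by callers are placeholders.

type PolicyStatement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS: string | string[] };
  Action: string | string[];
  Resource: string;
};

type PolicyDocument = { Version: "2012-10-17"; Statement: PolicyStatement[] };

// Subset of the KmsKey props this example checks.
export interface KmsKeyCheckProps {
  policy?: string;
  deletionWindowInDays?: number;
  enableKeyRotation?: boolean;
  bypassPolicyLockoutSafetyCheck?: boolean;
}

// Least-privilege key policy: the account root keeps full rights so the key can
// never become unmanageable, the admin role gets control-plane actions only,
// and the application role gets data-plane actions only.
export function buildKeyPolicy(accountId: string, adminRoleArn: string, appRoleArn: string): string {
  const doc: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "EnableRootAccountAdministration",
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: "kms:*",
        Resource: "*",
      },
      {
        Sid: "AllowKeyAdministrators",
        Effect: "Allow",
        Principal: { AWS: adminRoleArn },
        Action: ["kms:Describe*", "kms:Get*", "kms:List*", "kms:PutKeyPolicy", "kms:EnableKeyRotation",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:TagResource"],
        Resource: "*",
      },
      {
        Sid: "AllowApplicationUse",
        Effect: "Allow",
        Principal: { AWS: appRoleArn },
        Action: ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        Resource: "*",
      },
    ],
  };
  return JSON.stringify(doc, null, 2);
}

function parsePolicy(json: string): PolicyDocument | null {
  try {
    return JSON.parse(json) as PolicyDocument;
  } catch {
    return null;
  }
}

// Local checks mirroring the documented constraints. Returns a list of
// findings; an empty list means the props pass.
export function checkKmsKeyProps(props: KmsKeyCheckProps): string[] {
  const findings: string[] = [];
  const days = props.deletionWindowInDays ?? 30; // documented default
  if (!Number.isInteger(days) || days < 7 || days > 30) {
    findings.push(`deletionWindowInDays must be between 7 and 30 inclusive (got ${days})`);
  }
  if (props.bypassPolicyLockoutSafetyCheck === true) {
    findings.push("bypassPolicyLockoutSafetyCheck=true increases the risk of an unmanageable key");
  }
  if (!props.enableKeyRotation) {
    findings.push("enableKeyRotation defaults to false; enable it for symmetric keys");
  }
  if (props.policy === undefined) {
    findings.push("no policy: AWS applies the default key policy (account-wide access, delegated to IAM)");
    return findings;
  }
  const doc = parsePolicy(props.policy);
  if (doc === null) {
    findings.push("policy is not valid JSON");
    return findings;
  }
  // Simplified stand-in for the KMS lockout safety check: some Allow statement
  // must grant kms:PutKeyPolicy (or kms:*), otherwise nobody can fix the policy.
  const statements = Array.isArray(doc.Statement) ? doc.Statement : [];
  const keepsManageable = statements.some((s) => {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    return s.Effect === "Allow" && actions.some((a) => a === "kms:*" || a === "kms:PutKeyPolicy");
  });
  if (!keepsManageable) {
    findings.push("policy grants nobody kms:PutKeyPolicy; the key would become unmanageable");
  }
  return findings;
}

// Wiring into the resource from this page (not executed in this example):
//   new aws.kmsKey.KmsKey(this, "app", {
//     description: "KMS key for application data",
//     enableKeyRotation: true,
//     deletionWindowInDays: 7,
//     policy: buildKeyPolicy(accountId, adminRoleArn, appRoleArn),
//   });
```

Run checkKmsKeyProps on the props object before constructing the resource and fail the synth step on any finding; the lockout check here is deliberately stricter than a literal reading of the AWS check, since it also flags a policy that relies on the caller alone keeping kms:PutKeyPolicy.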

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The Amazon Resource Name (ARN) of the key.
  • keyId - The globally unique identifier for the key.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

KMS Keys can be imported using the id, e.g.,

$ terraform import aws_kms_key.a 1234abcd-12ab-34cd-56ef-1234567890ab