@aws-cdk/kms

AWS KMS Construct Library

Defines a KMS key:

new EncryptionKey(this, 'MyKey', {
    enableKeyRotation: true
});

Add a couple of aliases:

const key = new EncryptionKey(this, 'MyKey');
key.addAlias('alias/foo');
key.addAlias('alias/bar');

Importing and exporting keys

To use a KMS key that is not defined within this stack, use the EncryptionKey.import(parent, name, ref) factory method:

const key = EncryptionKey.import(this, 'MyImportedKey', {
    keyArn: new KeyArn('arn:aws:...')
});

// you can do stuff with this imported key.
key.addAlias('alias/foo');

To export a key from a stack and import it in another stack, use key.export which returns an EncryptionKeyRef, which can later be used to import:

// in stackA
const myKey = new EncryptionKey(stackA, 'MyKey');
const myKeyRef = myKey.export();

// meanwhile in stackB
const myKeyImported = EncryptionKey.import(stackB, 'MyKeyImported', myKeyRef);

Note that a call to .addToResourcePolicy(statement) on myKeyImported will not have an effect on the key’s policy because the key is not owned by your stack. The call will be a no-op.
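As an added illustration that is not code from @aws-cdk/kms or from this page, the following stand-alone TypeScript model mirrors the owned-versus-imported key behaviour described above (and the alias naming rule from the EncryptionKeyAliasProps reference), so the silent no-op can be observed and checked; the class names, key ARN, role ARN and policy statement are constructed for the example.

```typescript
// Stand-alone model (not the CDK implementation) of the semantics documented above.
interface PolicyStatement { Effect: 'Allow' | 'Deny'; Principal: { AWS: string }; Action: string[]; Resource: '*' }
interface PolicyDocument { Version: '2012-10-17'; Statement: PolicyStatement[] }
interface KeyRefProps { keyArn: string }

// Rule from EncryptionKeyAliasProps.alias: must start with "alias/", "alias/AWS..." is reserved.
function isValidAliasName(alias: string): boolean {
  return alias.startsWith('alias/') && !alias.startsWith('alias/AWS');
}

abstract class KeyRef {
  abstract readonly keyArn: string;
  abstract readonly policy: PolicyDocument | undefined; // undefined for imported keys
  readonly aliases: string[] = [];

  addAlias(alias: string): string {
    if (!isValidAliasName(alias)) throw new Error(`invalid alias name: ${alias}`);
    this.aliases.push(alias);
    return alias;
  }

  // Returns true if the statement was attached, false if it was silently dropped (the no-op case).
  addToResourcePolicy(statement: PolicyStatement): boolean {
    if (!this.policy) return false;
    this.policy.Statement.push(statement);
    return true;
  }

  export(): KeyRefProps { return { keyArn: this.keyArn }; }
}

class OwnedKey extends KeyRef {
  readonly policy: PolicyDocument = { Version: '2012-10-17', Statement: [] };
  constructor(readonly keyArn: string) { super(); }
}

class ImportedKey extends KeyRef {
  readonly policy = undefined; // an imported key carries no editable resource policy
  constructor(readonly keyArn: string) { super(); }
  static import(props: KeyRefProps): ImportedKey { return new ImportedKey(props.keyArn); }
}

// Constructed sample: the owning stack grants a role decrypt-only access; a consuming
// stack imports the key and attempts the same grant, which is dropped without error.
const grant: PolicyStatement = { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111122223333:role/AppRole' }, Action: ['kms:Decrypt'], Resource: '*' };

function demo() {
  const owned = new OwnedKey('arn:aws:kms:us-east-1:111122223333:key/example-key-id');
  const imported = ImportedKey.import(owned.export());
  return {
    attachedInOwner: owned.addToResourcePolicy(grant),      // true
    attachedViaImport: imported.addToResourcePolicy(grant), // false: silently ignored
    ownerStatements: owned.policy.Statement.length,         // 1
    alias: imported.addAlias('alias/foo'),                  // aliases still work on imports
  };
}
```

Checking the boolean returned by the model's addToResourcePolicy is the kind of guard a stack author wants, since the real call gives no feedback when the grant is dropped.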

Reference

AliasName

class _aws-cdk_kms.AliasName([valueOrFunction])
Extends:Token
Parameters:valueOrFunction (any or None) –

EncryptionKey

class _aws-cdk_kms.EncryptionKey(parent, name[, props])

Defines a KMS key.

Extends:

EncryptionKeyRef

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (EncryptionKeyProps or None) –
keyArn

The ARN of the key.

Type:KeyArn (readonly)
policy

Optional policy document that represents the resource policy of this key. If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.

Type:PolicyDocument or None (readonly)

EncryptionKeyAlias

class _aws-cdk_kms.EncryptionKeyAlias(parent, name, props)

Defines a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS). Using an alias to refer to a key can help you simplify key management. For example, when rotating keys, you can just update the alias mapping instead of tracking and changing key IDs. For more information, see Working with Aliases in the AWS Key Management Service Developer Guide. You can also add an alias for a key by calling key.addAlias(alias).

Extends:

Construct

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (EncryptionKeyAliasProps) –
aliasName

The name of the alias.

Type:AliasName

EncryptionKeyAliasProps (interface)

class _aws-cdk_kms.EncryptionKeyAliasProps
alias

The name of the alias. The name must start with alias followed by a forward slash, such as alias/. You can’t specify aliases that begin with alias/AWS. These aliases are reserved.

Type:string
key

The ID of the key for which you are creating the alias. Specify the key’s globally unique identifier or Amazon Resource Name (ARN). You can’t specify another alias.

Type:EncryptionKeyRef

EncryptionKeyProps (interface)

class _aws-cdk_kms.EncryptionKeyProps

Construction properties for a KMS Key object

description

A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task.

Type:string or None
enableKeyRotation

Indicates whether AWS KMS rotates the key.

Type:boolean or None
enabled

Indicates whether the key is available for use.

Type:boolean or None
policy

Custom policy document to attach to the KMS key.

Type:PolicyDocument or None

EncryptionKeyRef

class _aws-cdk_kms.EncryptionKeyRef(parent, name)
Extends:

Construct

Abstract:

Yes

Parameters:
  • parent (Construct) – The parent construct
  • name (string) –
static import(parent, name, props) → @aws-cdk/kms.EncryptionKeyRef

Defines an imported encryption key. props can be obtained either via a call to key.export() or using literals. For example:

const keyRefProps = key.export();
const keyRef1 = EncryptionKeyRef.import(this, 'MyImportedKey1', keyRefProps);
const keyRef2 = EncryptionKeyRef.import(this, 'MyImportedKey2', { keyArn: new KeyArn('arn:aws:kms:…') });

Parameters:
  • parent (Construct) – The parent construct.
  • name (string) – The name of the construct.
  • props (EncryptionKeyRefProps) – The key reference.
Return type:

EncryptionKeyRef

addAlias(alias) → @aws-cdk/kms.EncryptionKeyAlias

Defines a new alias for the key.

Parameters:alias (string) –
Return type:EncryptionKeyAlias
addToResourcePolicy(statement)

Adds a statement to the KMS key resource policy.

Parameters:statement (PolicyStatement) –
export() → @aws-cdk/kms.EncryptionKeyRefProps

Exports this key from the current stack.

Returns:a key ref which can be used in a call to EncryptionKey.import(ref).
Return type:EncryptionKeyRefProps
keyArn

The ARN of the key.

Type:KeyArn (readonly) (abstract)
policy

Optional policy document that represents the resource policy of this key. If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.

Type:PolicyDocument or None (readonly) (abstract)

EncryptionKeyRefProps (interface)

class _aws-cdk_kms.EncryptionKeyRefProps
keyArn

The ARN of the external KMS key.

Type:KeyArn