aws-sdk

{ "version": "1.0", "examples": { "CancelKeyDeletion": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "comments": { "input": { "KeyId": "The identifier of the KMS key whose deletion you are canceling. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key." }, "output": { "KeyId": "The ARN of the KMS key whose deletion you canceled." } }, "description": "The following example cancels deletion of the specified KMS key.", "id": "to-cancel-deletion-of-a-cmk-1477428535102", "title": "To cancel deletion of a KMS key" } ], "ConnectCustomKeyStore": [ { "input": { "CustomKeyStoreId": "cks-1234567890abcdef0" }, "output": { }, "comments": { "input": { "CustomKeyStoreId": "The ID of the AWS KMS custom key store." }, "output": { } }, "description": "This example connects an AWS KMS custom key store to its backing key store. For an AWS CloudHSM key store, it connects the key store to its AWS CloudHSM cluster. For an external key store, it connects the key store to the external key store proxy that communicates with your external key manager. This operation does not return any data. To verify that the custom key store is connected, use the <code>DescribeCustomKeyStores</code> operation.", "id": "to-connect-a-custom-key-store-1628626947750", "title": "To connect a custom key store" } ], "CreateAlias": [ { "input": { "AliasName": "alias/ExampleAlias", "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "comments": { "input": { "AliasName": "The alias to create. Aliases must begin with 'alias/'. Do not use aliases that begin with 'alias/aws' because they are reserved for use by AWS.", "TargetKeyId": "The identifier of the KMS key whose alias you are creating. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key." } }, "description": "The following example creates an alias for the specified KMS key.", "id": "to-create-an-alias-1477505685119", "title": "To create an alias" } ], "CreateCustomKeyStore": [ { "input": { "CloudHsmClusterId": "cluster-234abcdefABC", "CustomKeyStoreName": "ExampleKeyStore", "KeyStorePassword": "kmsPswd", "TrustAnchorCertificate": "<certificate-goes-here>" }, "output": { "CustomKeyStoreId": "cks-1234567890abcdef0" }, "comments": { "input": { "CloudHsmClusterId": "The ID of the CloudHSM cluster.", "CustomKeyStoreName": "A friendly name for the custom key store.", "KeyStorePassword": "The password for the kmsuser CU account in the specified cluster.", "TrustAnchorCertificate": "The content of the customerCA.crt file that you created when you initialized the cluster." }, "output": { "CustomKeyStoreId": "The ID of the new custom key store." } }, "description": "This example creates a custom key store that is associated with an AWS CloudHSM cluster.", "id": "to-create-an-aws-cloudhsm-custom-key-store-1", "title": "To create an AWS CloudHSM key store" }, { "input": { "CustomKeyStoreName": "ExampleVPCEndpointKeyStore", "CustomKeyStoreType": "EXTERNAL_KEY_STORE", "XksProxyAuthenticationCredential": { "AccessKeyId": "ABCDE12345670EXAMPLE", "RawSecretAccessKey": "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo=" }, "XksProxyConnectivity": "VPC_ENDPOINT_SERVICE", "XksProxyUriEndpoint": "https://myproxy-private.xks.example.com", "XksProxyUriPath": "/example-prefix/kms/xks/v1", "XksProxyVpcEndpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-example1" }, "output": { "CustomKeyStoreId": "cks-1234567890abcdef0" }, "comments": { "input": { "CustomKeyStoreName": "A friendly name for the custom key store", "CustomKeyStoreType": "For external key stores, the value must be EXTERNAL_KEY_STORE", "XksProxyAuthenticationCredential": "The access key ID and secret access key that KMS uses to authenticate to your external key store proxy", "XksProxyConnectivity": "Indicates how AWS KMS communicates with the external key store proxy", "XksProxyUriEndpoint": "The URI that AWS KMS uses to connect to the external key store proxy", "XksProxyUriPath": "The URI path to the external key store proxy APIs", "XksProxyVpcEndpointServiceName": "The VPC endpoint service that KMS uses to communicate with the external key store proxy" }, "output": { "CustomKeyStoreId": "The ID of the new custom key store." } }, "description": "This example creates an external key store that uses an Amazon VPC endpoint service to communicate with AWS KMS.", "id": "to-create-an-external-custom-key-store-with-vpc-connectivity-2", "title": "To create an external key store with VPC endpoint service connectivity" }, { "input": { "CustomKeyStoreName": "ExamplePublicEndpointKeyStore", "CustomKeyStoreType": "EXTERNAL_KEY_STORE", "XksProxyAuthenticationCredential": { "AccessKeyId": "ABCDE12345670EXAMPLE", "RawSecretAccessKey": "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo=" }, "XksProxyConnectivity": "PUBLIC_ENDPOINT", "XksProxyUriEndpoint": "https://myproxy.xks.example.com", "XksProxyUriPath": "/kms/xks/v1" }, "output": { "CustomKeyStoreId": "cks-987654321abcdef0" }, "comments": { "input": { "CustomKeyStoreName": "A friendly name for the custom key store", "CustomKeyStoreType": "For external key stores, the value must be EXTERNAL_KEY_STORE", "XksProxyAuthenticationCredential": "The access key ID and secret access key that KMS uses to authenticate to your external key store proxy", "XksProxyConnectivity": "Indicates how AWS KMS communicates with the external key store proxy", "XksProxyUriEndpoint": "The URI that AWS KMS uses to connect to the external key store proxy", "XksProxyUriPath": "The URI path to your external key store proxy API" }, "output": { "CustomKeyStoreId": "The ID of the new custom key store." } }, "description": "This example creates an external key store with public endpoint connectivity.", "id": "to-create-an-external-custom-key-store-with-a-public-endpoint-3", "title": "To create an external key store with public endpoint connectivity" } ], "CreateGrant": [ { "input": { "GranteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole", "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Operations": [ "Encrypt", "Decrypt" ] }, "output": { "GrantId": "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60", "GrantToken": "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW__MSrqnre1HIN0Grt00ViSSuUjhqOC8OT3YAAADfMIHcBgkqhkiG9w0BBwaggc4wgcsCAQAwgcUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmqLyBTAegIn9XlK5AgEQgIGXZQjkBcl1dykDdqZBUQ6L1OfUivQy7JVYO2-ZJP7m6f1g8GzV47HX5phdtONAP7K_HQIflcgpkoCqd_fUnE114mSmiagWkbQ5sqAVV3ov-VeqgrvMe5ZFEWLMSluvBAqdjHEdMIkHMlhlj4ENZbzBfo9Wxk8b8SnwP4kc4gGivedzFXo-dwN8fxjjq_ZZ9JFOj2ijIbj5FyogDCN0drOfi8RORSEuCEmPvjFRMFAwcmwFkN2NPp89amA" }, "comments": { "input": { "GranteePrincipal": "The identity that is given permission to perform the operations specified in the grant.", "KeyId": "The identifier of the KMS key to which the grant applies. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.", "Operations": "A list of operations that the grant allows." }, "output": { "GrantId": "The unique identifier of the grant.", "GrantToken": "The grant token." } }, "description": "The following example creates a grant that allows the specified IAM role to encrypt data with the specified KMS key.", "id": "to-create-a-grant-1477972226782", "title": "To create a grant" } ], "CreateKey": [ { "input": { }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2017-07-05T14:04:55-07:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_KMS" } }, "comments": { "input": { "Tags": "One or more tags. Each tag consists of a tag key and a tag value." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "The following example creates a symmetric KMS key for encryption and decryption. No parameters are required for this operation.", "id": "to-create-a-cmk-1", "title": "To create a KMS key" }, { "input": { "KeySpec": "RSA_4096", "KeyUsage": "ENCRYPT_DECRYPT" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2021-04-05T14:04:55-07:00", "CustomerMasterKeySpec": "RSA_4096", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "RSA_4096", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_KMS" } }, "comments": { "input": { "KeySpec": "Describes the type of key material in the KMS key.", "KeyUsage": "The cryptographic operations for which you can use the KMS key." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a KMS key that contains an asymmetric RSA key pair for encryption and decryption. The key spec and key usage can't be changed after the key is created.", "id": "to-create-an-asymmetric-rsa-kms-key-for-encryption-and-decryption-2", "title": "To create an asymmetric RSA KMS key for encryption and decryption" }, { "input": { "KeySpec": "ECC_NIST_P521", "KeyUsage": "SIGN_VERIFY" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2019-12-02T07:48:55-07:00", "CustomerMasterKeySpec": "ECC_NIST_P521", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "ECC_NIST_P521", "KeyState": "Enabled", "KeyUsage": "SIGN_VERIFY", "MultiRegion": false, "Origin": "AWS_KMS", "SigningAlgorithms": [ "ECDSA_SHA_512" ] } }, "comments": { "input": { "KeySpec": "Describes the type of key material in the KMS key.", "KeyUsage": "The cryptographic operations for which you can use the KMS key." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key pair for signing and verification. The key usage is required even though \"SIGN_VERIFY\" is the only valid value for ECC KMS keys. The key spec and key usage can't be changed after the key is created.", "id": "to-create-an-asymmetric-elliptic-curve-kms-key-for-signing-and-verification-3", "title": "To create an asymmetric elliptic curve KMS key for signing and verification" }, { "input": { "KeySpec": "HMAC_384", "KeyUsage": "GENERATE_VERIFY_MAC" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2022-04-05T14:04:55-07:00", "CustomerMasterKeySpec": "HMAC_384", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "HMAC_384", "KeyState": "Enabled", "KeyUsage": "GENERATE_VERIFY_MAC", "MacAlgorithms": [ "HMAC_SHA_384" ], "MultiRegion": false, "Origin": "AWS_KMS" } }, "comments": { "input": { "KeySpec": "Describes the type of key material in the KMS key.", "KeyUsage": "The cryptographic operations for which you can use the KMS key." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a 384-bit symmetric HMAC KMS key. The GENERATE_VERIFY_MAC key usage value is required even though it's the only valid value for HMAC KMS keys. The key spec and key usage can't be changed after the key is created.", "id": "to-create-an-hmac-kms-key-1630628752841", "title": "To create an HMAC KMS key" }, { "input": { "MultiRegion": true }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", "CreationDate": "2021-09-02T016:15:21-09:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "mrk-1234abcd12ab34cd56ef12345678990ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": true, "MultiRegionConfiguration": { "MultiRegionKeyType": "PRIMARY", "PrimaryKey": { "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", "Region": "us-west-2" }, "ReplicaKeys": [ ] }, "Origin": "AWS_KMS" } }, "comments": { "input": { "MultiRegion": "Indicates whether the KMS key is a multi-Region (True) or regional (False) key." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a multi-Region primary symmetric encryption key. Because the default values for all parameters create a symmetric encryption key, only the MultiRegion parameter is required for this KMS key.", "id": "to-create-a-multi-region-primary-kms-key-4", "title": "To create a multi-Region primary KMS key" }, { "input": { "Origin": "EXTERNAL" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2019-12-02T07:48:55-07:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": false, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "PendingImport", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "EXTERNAL" } }, "comments": { "input": { "Origin": "The source of the key material for the KMS key." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.", "id": "to-create-a-kms-key-for-imported-key-material-5", "title": "To create a KMS key for imported key material" }, { "input": { "CustomKeyStoreId": "cks-1234567890abcdef0", "Origin": "AWS_CLOUDHSM" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CloudHsmClusterId": "cluster-234abcdefABC", "CreationDate": "2019-12-02T07:48:55-07:00", "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_CLOUDHSM" } }, "comments": { "input": { "CustomKeyStoreId": "Identifies the custom key store that hosts the KMS key.", "Origin": "Indicates the source of the key material for the KMS key." }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a KMS key in the specified AWS CloudHSM key store. The operation creates the KMS key and its metadata in AWS KMS and creates the key material in the AWS CloudHSM cluster associated with the custom key store. This example requires the CustomKeyStoreId and Origin parameters.", "id": "to-create-a-kms-key-in-an-aws-cloudhsm-custom-key-store-6", "title": "To create a KMS key in an AWS CloudHSM key store" }, { "input": { "CustomKeyStoreId": "cks-9876543210fedcba9", "Origin": "EXTERNAL_KEY_STORE", "XksKeyId": "bb8562717f809024" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "CreationDate": "2022-02-02T07:48:55-07:00", "CustomKeyStoreId": "cks-9876543210fedcba9", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "EXTERNAL_KEY_STORE", "XksKeyConfiguration": { "Id": "bb8562717f809024" } } }, "comments": { "input": { "CustomKeyStoreId": "Identifies the custom key store that hosts the KMS key.", "Origin": "Indicates the source of the key material for the KMS key.", "XksKeyId": "Identifies the encryption key in your external key manager that is associated with the KMS key" }, "output": { "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, "description": "This example creates a KMS key in the specified external key store. It uses the XksKeyId parameter to associate the KMS key with an existing symmetric encryption key in your external key manager. This CustomKeyStoreId, Origin, and XksKeyId parameters are required in this operation.", "id": "to-create-a-kms-key-in-an-external-custom-key-store-7", "title": "To create a KMS key in an external key store" } ], "Decrypt": [ { "input": { "CiphertextBlob": "<binary data>", "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "EncryptionAlgorithm": "SYMMETRIC_DEFAULT", "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Plaintext": "<binary data>" }, "comments": { "input": { "CiphertextBlob": "The encrypted data (ciphertext).", "KeyId": "A key identifier for the KMS key to use to decrypt the data." }, "output": { "EncryptionAlgorithm": "The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS.", "KeyId": "The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.", "Plaintext": "The decrypted (plaintext) data." } }, "description": "The following example decrypts data that was encrypted with a symmetric encryption KMS key. The KeyId is not required when decrypting with a symmetric encryption key, but it is a best practice.", "id": "to-decrypt-data-1", "title": "To decrypt data with a symmetric encryption KMS key" }, { "input": { "CiphertextBlob": "<binary data>", "EncryptionAlgorithm": "RSAES_OAEP_SHA_256", "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321" }, "output": { "EncryptionAlgorithm": "RSAES_OAEP_SHA_256", "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "Plaintext": "<binary data>" }, "comments": { "input": { "CiphertextBlob": "The encrypted data (ciphertext).", "EncryptionAlgorithm": "The encryption algorithm that was used to encrypt the data. This parameter is required to decrypt with an asymmetric KMS key.", "KeyId": "A key identifier for the KMS key to use to decrypt the data. This parameter is required to decrypt with an asymmetric KMS key." }, "output": { "EncryptionAlgorithm": "The encryption algorithm that was used to decrypt the ciphertext.", "KeyId": "The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.", "Plaintext": "The decrypted (plaintext) data." } }, "description": "The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.", "id": "to-decrypt-data-2", "title": "To decrypt data with an asymmetric encryption KMS key" }, { "input": { "CiphertextBlob": "<binary data>", "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Recipient": { "AttestationDocument": "<attestation document>", "KeyEncryptionAlgorithm": "RSAES_OAEP_SHA_256" } }, "output": { "CiphertextForRecipient": "<binary data>", "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Plaintext": "" }, "comments": { "input": { "CiphertextBlob": "The encrypted data. This ciphertext was encrypted with the KMS key", "KeyId": "The KMS key to use to decrypt the ciphertext", "Recipient": "Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document" }, "output": { "CiphertextForRecipient": "The decrypted CiphertextBlob encrypted with the public key from the attestation document", "KeyId": "The KMS key that was used to decrypt the encrypted data (CiphertextBlob)", "Plaintext": "This field is null or empty" } }, "description": "The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data encrypted by the public key from the attestation document (CiphertextForRecipient).", "id": "to-decrypt-data-for-a-nitro-enclave-2", "title": "To decrypt data for a Nitro enclave" } ], "DeleteAlias": [ { "input": { "AliasName": "alias/ExampleAlias" }, "comments": { "input": { "AliasName": "The alias to delete." } }, "description": "The following example deletes the specified alias.", "id": "to-delete-an-alias-1478285209338", "title": "To delete an alias" } ], "DeleteCustomKeyStore": [ { "input": { "CustomKeyStoreId": "cks-1234567890abcdef0" }, "output": { }, "comments": { "input": { "CustomKeyStoreId": "The ID of the custom key store to be deleted." }, "output": { } }, "description": "This example deletes a custom key store from AWS KMS. This operation does not affect the backing key store, such as a CloudHSM cluster, external key store proxy, or your external key manager. This operation doesn't return any data. To verify that the operation was successful, use the DescribeCustomKeyStores operation.", "id": "to-delete-a-custom-key-store-from-aws-kms-1628630837145", "title": "To delete a custom key store from AWS KMS" } ], "DeleteImportedKeyMaterial": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "comments": { "input": { "KeyId": "The identifier of the KMS key whose imported key material you are deleting. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key." } }, "description": "The following example deletes the imported key material from the specified KMS key.", "id": "to-delete-imported-key-material-1478561674507", "title": "To delete imported key material" } ], "DeriveSharedSecret": [ { "input": { "KeyAgreementAlgorithm": "ECDH", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag" }, "output": { "KeyAgreementAlgorithm": "ECDH", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyOrigin": "AWS_KMS", "SharedSecret": "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG" }, "comments": { "input": { "KeyAgreementAlgorithm": "The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.", "KeyId": "The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.", "PublicKey": "The public key in your peer's asymmetric key pair." }, "output": { "KeyAgreementAlgorithm": "The key agreement algorithm used to derive the shared secret.", "KeyId": "The asymmetric KMS key pair used to derive the shared secret.", "KeyOrigin": "The source of the key material for the specified KMS key.", "SharedSecret": "The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key." } }, "description": "The following example derives a shared secret using a key agreement algorithm.", "id": "to-derive-a-shared-secret-1718381818754", "title": "To derive a shared secret" } ], "DescribeCustomKeyStores": [ { "input": { }, "output": { "CustomKeyStores": [ ] }, "comments": { "input": { }, "output": { "CustomKeyStores": "Details about each custom key store in the account and Region." } }, "description": "This example gets detailed information about all AWS KMS custom key stores in an AWS account and Region. To get all key stores, do not enter a custom key store name or ID.", "id": "to-get-detailed-information-about-custom-key-stores-in-the-account-and-region-1", "title": "To get detailed information about custom key stores in the account and Region" }, { "input": { "CustomKeyStoreName": "ExampleKeyStore" }, "output": { "CustomKeyStores": [ { "CloudHsmClusterId": "cluster-234abcdefABC", "ConnectionState": "CONNECTED", "CreationDate": "1.499288695918E9", "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomKeyStoreName": "ExampleKeyStore", "CustomKeyStoreType": "AWS_CLOUDHSM", "TrustAnchorCertificate": "<certificate appears here>" } ] }, "comments": { "input": { "CustomKeyStoreName": "The friendly name of the custom key store." }, "output": { "CustomKeyStores": "Detailed information about the specified custom key store." } }, "description": "This example gets detailed information about a particular AWS CloudHSM key store by specifying its friendly name. To limit the output to a particular custom key store, provide either the custom key store name or ID.", "id": "to-get-detailed-information-about-a-cloudhsm-custom-key-store-by-name-2", "title": "To get detailed information about an AWS CloudHSM key store by specifying its friendly name" }, { "input": { "CustomKeyStoreId": "cks-9876543210fedcba9" }, "output": { "CustomKeyStores": [ { "ConnectionState": "CONNECTED", "CreationDate": "1.599288695918E9", "CustomKeyStoreId": "cks-9876543210fedcba9", "CustomKeyStoreName": "ExampleExternalKeyStore", "CustomKeyStoreType": "EXTERNAL_KEY_STORE", "XksProxyConfiguration": { "AccessKeyId": "ABCDE12345670EXAMPLE", "Connectivity": "PUBLIC_ENDPOINT", "UriEndpoint": "https://myproxy.xks.example.com", "UriPath": "/kms/xks/v1" } } ] }, "comments": { "input": { "CustomKeyStoreId": "The ID of the custom key store." }, "output": { "CustomKeyStores": "Detailed information about the specified custom key store." } }, "description": "This example gets detailed information about an external key store by specifying its ID. The example external key store proxy uses public endpoint connectivity.", "id": "to-get-detailed-information-about-an-external-key-store--3", "title": "To get detailed information about an external key store by specifying its ID" }, { "input": { "CustomKeyStoreName": "VPCExternalKeystore" }, "output": { "CustomKeyStores": [ { "ConnectionState": "CONNECTED", "CreationDate": "1.643057863.842", "CustomKeyStoreId": "cks-876543210fedcba98", "CustomKeyStoreName": "ExampleVPCExternalKeyStore", "CustomKeyStoreType": "EXTERNAL_KEY_STORE", "XksProxyConfiguration": { "AccessKeyId": "ABCDE12345670EXAMPLE", "Connectivity": "VPC_ENDPOINT_SERVICE", "UriEndpoint": "https://myproxy-private.xks.example.com", "UriPath": "/example-prefix/kms/xks/v1", "VpcEndpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-example1" } } ] }, "comments": { "input": { "CustomKeyStoreId": "The ID of the custom key store." }, "output": { "CustomKeyStores": "Detailed information about the specified custom key store." } }, "description": "This example gets detailed information about a particular external key store by specifying its friendly name. To limit the output to a particular custom key store, provide either the custom key store name or ID. The proxy URI path for this external key store includes an optional prefix. Also, because this example external key store uses VPC endpoint connectivity, the response includes the associated VPC endpoint service name.", "id": "to-get-detailed-information-about-an-external-custom-key-store-by-name-4", "title": "To get detailed information about an external key store VPC endpoint connectivity by specifying its friendly name" } ], "DescribeKey": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2017-07-05T14:04:55-07:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_KMS" } }, "comments": { "input": { "KeyId": "An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key." }, "output": { "KeyMetadata": "An object that contains information about the specified KMS key." } }, "description": "The following example gets metadata for a symmetric encryption KMS key.", "id": "get-key-details-1", "title": "To get details about a KMS key" }, { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1571767572.317, "CustomerMasterKeySpec": "RSA_2048", "Description": "", "Enabled": false, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "KeyState": "Disabled", "KeyUsage": "SIGN_VERIFY", "MultiRegion": false, "Origin": "AWS_KMS", "SigningAlgorithms": [ "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512" ] } }, "comments": { "input": { "KeyId": "An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key." }, "output": { "KeyMetadata": "An object that contains information about the specified KMS key." } }, "description": "The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.", "id": "to-get-details-about-an-rsa-asymmetric-kms-key-2", "title": "To get details about an RSA asymmetric KMS key" }, { "input": { "KeyId": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab" }, "output": { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "CreationDate": 1586329200.918, "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": true, "MultiRegionConfiguration": { "MultiRegionKeyType": "PRIMARY", "PrimaryKey": { "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "us-west-2" }, "ReplicaKeys": [ { "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "eu-west-1" }, { "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "ap-northeast-1" }, { "Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "sa-east-1" } ] }, "Origin": "AWS_KMS" } }, "comments": { "input": { "KeyId": "An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key." }, "output": { "KeyMetadata": "An object that contains information about the specified KMS key." } }, "description": "The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key. DescribeKey returns information about the primary key and all of its replicas.", "id": "to-get-details-about-a-multi-region-key-3", "title": "To get details about a multi-Region key" }, { "input": { "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "KeyMetadata": { "AWSAccountId": "123456789012", "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1566160362.664, "CustomerMasterKeySpec": "HMAC_256", "Description": "Development test key", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "GENERATE_VERIFY_MAC", "MacAlgorithms": [ "HMAC_SHA_256" ], "MultiRegion": false, "Origin": "AWS_KMS" } }, "comments": { "input": { "KeyId": "An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key." }, "output": { "KeyMetadata": "An object that contains information about the specified KMS key." } }, "description": "The following example gets the metadata of an HMAC KMS key.", "id": "to-get-details-about-an-hmac-kms-key-4", "title": "To get details about an HMAC KMS key" }, { "input": { "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "KeyMetadata": { "AWSAccountId": "123456789012", "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CloudHsmClusterId": "cluster-234abcdefABC", "CreationDate": 1646160362.664, "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "CloudHSM key store test key", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_CLOUDHSM" } }, "comments": { "input": { "KeyId": "An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key." }, "output": { "KeyMetadata": "An object that contains information about the specified KMS key." } }, "description": "The following example gets the metadata of a KMS key in an AWS CloudHSM key store.", "id": "to-get-details-about-a-kms-key-in-an-AWS-CloudHSM-key-store-5", "title": "To get details about a KMS key in an AWS CloudHSM key store" }, { "input": { "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "output": { "KeyMetadata": { "AWSAccountId": "123456789012", "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1646160362.664, "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "External key store test key", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "EXTERNAL_KEY_STORE", "XksKeyConfiguration": { "Id": "bb8562717f809024" } } }, "comments": { "input": { "KeyId": "An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key." }, "output": { "KeyMetadata": "An object that contains information about the specified KMS key." } }, "description": "The following example gets the metadata of a KMS key in an external key store.", "id": "to-get-details-about-a-kms-key-in-an-external-key-store-6", "title": "To get details about a KMS key in an external key store" } ], "DisableKey": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "comments": { "input": { "KeyId": "The identifier of the KMS key to disable. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key." } }, "description": "The following example disables the specified KMS key.", "id": "to-disable-a-cmk-1478566583659", "title": "To disable a KMS key" } ], "DisableKeyRotation": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "comments": { "input": { "KeyId": "The identifier of the KMS key whose key material will no longer be rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key." } }, "description": "The following example disables automatic annual rotation of the key material for the specified KMS key.", "id": "to-disable-automatic-rotation-of-key-material-1478624396092", "title": "To disable automatic rotation of key material" } ], "DisconnectCustomKeyStore": [ { "input": { "CustomKeyStoreId": "cks-1234567890abcdef0" }, "output": { }, "comments": { "input": { "CustomKeyStoreId": "The ID of the custom key store." }, "output": { } }, "description": "This example disconnects an AWS KMS custom key store from its backing key store. For an AWS CloudHSM key store, it disconnects the key store from its AWS CloudHSM cluster. For an external key store, it disconnects the key store from the external key store proxy that communicates with your external key manager. This operation doesn't return any data. To verify that the custom key store is disconnected, use the <code>DescribeCustomKeyStores</code> operation.", "id": "to-disconnect-a-custom-key-store-from-its-cloudhsm-cluster-234abcdefABC", "title": "To disconnect a custom key store from its CloudHSM cluster" } ], "EnableKey": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "comments": { "input": { "KeyId": "The identifier of the KMS key to enable. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key." } }, "description": "The following example enables the specified KMS key.", "id": "to-enable-a-cmk-1478627501129", "title": "To enable a KMS key" } ], "EnableKeyRotation": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "RotationPeriodInDays": 365 }, "comments": { "input": { "KeyId": "The identifier of the KMS key whose key material will be automatically rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.", "RotationPeriodInDays": "The number of days between each rotation date. Specify a value between 9 and 2560. If no value is specified, the default value is 365 days." } }, "description": "The following example enables automatic rotation with a rotation period of 365 days for the specified KMS key.", "id": "to-enable-automatic-rotation-of-key-material-1712499675853", "title": "To enable automatic rotation of key material" } ], "Encrypt": [ { "input": { "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Plaintext": "<binary data>" }, "output": { "CiphertextBlob": "<binary data>", "EncryptionAlgorithm": "SYMMETRIC_DEFAULT", "KeyId": "arn: