2018/11/27 - AWS Key Management Service - 6 new 3 updated api methods
Changes AWS Key Management Service (KMS) now enables customers to create and manage dedicated, single-tenant key stores in addition to the default KMS key store. These are known as custom key stores and are deployed using AWS CloudHSM clusters. Keys that are created in a KMS custom key store can be used like any other customer master key in KMS.
Deletes a custom key store . This operation does not delete the AWS CloudHSM cluster that is associated with the custom key store, or affect any users or keys in the cluster.
The custom key store that you delete cannot contain any AWS KMS customer master keys (CMKs) . Before deleting the key store, verify that you will never need to use any of the CMKs in the key store for any cryptographic operations. Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs) from the key store. When the scheduled waiting period expires, the ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort to delete the key material from the associated cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect the key store from AWS KMS. Then, you can delete the custom key store.
Instead of deleting the custom key store, consider using DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key store is disconnected, you cannot create or use the CMKs in the key store. But, you do not need to delete CMKs and you can reconnect a disconnected custom key store at any time.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
See also: AWS API Documentation
Request Syntax
client.delete_custom_key_store( CustomKeyStoreId='string' )
string
[REQUIRED]
Enter the ID of the custom key store you want to delete. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
dict
Response Syntax
{}
Response Structure
(dict) --
Creates a custom key store that is associated with an AWS CloudHSM cluster that you own and manage.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to its AWS CloudHSM cluster.
The CreateCustomKeyStore operation requires the following elements.
You must specify an active AWS CloudHSM cluster in the same account and AWS Region as the custom key store. You can use an existing cluster or create and activate a new AWS CloudHSM cluster for the key store. AWS KMS does not require exclusive use of the cluster.
You must include the content of the trust anchor certificate for the cluster. You created this certificate, and saved it in the customerCA.crt file, when you initialized the cluster .
You must provide the password of the dedicated ` kmsuser crypto user <http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser>`__ (CU) account in the cluster. Before you create the custom key store, use the createUser command in cloudhsm_mgmt_util to create a crypto user (CU) named ``kmsuser` http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser`__ in specified AWS CloudHSM cluster. AWS KMS uses the kmsuser CU account to create and manage key material on your behalf. For instructions, see Create the kmsuser Crypto User in the AWS Key Management Service Developer Guide .
The AWS CloudHSM cluster that you specify must meet the following requirements.
The cluster must be active and be in the same AWS account and Region as the custom key store.
Each custom key store must be associated with a different AWS CloudHSM cluster. The cluster cannot be associated with another custom key store or have the same cluster certificate as a cluster that is associated with another custom key store. To view the cluster certificate, use the AWS CloudHSM DescribeClusters operation. Clusters that share a backup history have the same cluster certificate.
The cluster must be configured with subnets in at least two different Availability Zones in the Region. Because AWS CloudHSM is not supported in all Availability Zones, we recommend that the cluster have subnets in all Availability Zones in the Region.
The cluster must contain at least two active HSMs, each in a different Availability Zone.
New custom key stores are not automatically connected. After you create your custom key store, use the ConnectCustomKeyStore operation to connect the custom key store to its associated AWS CloudHSM cluster. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.
If this operation succeeds, it returns the ID of the new custom key store. For help with failures, see Troubleshoot a Custom Key Store in the AWS KMS Developer Guide .
See also: AWS API Documentation
Request Syntax
client.create_custom_key_store( CustomKeyStoreName='string', CloudHsmClusterId='string', TrustAnchorCertificate='string', KeyStorePassword='string' )
string
[REQUIRED]
Specifies a friendly name for the custom key store. The name must be unique in your AWS account.
string
[REQUIRED]
Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster ID of any active AWS CloudHSM cluster that is not already associated with a custom key store. To find the cluster ID, use the DescribeClusters operation.
string
[REQUIRED]
Enter the content of the trust anchor certificate for the cluster. This is the content of the customerCA.crt file that you created when you initialized the cluster .
string
[REQUIRED]
Enter the password of the ` kmsuser crypto user (CU) account <http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser>`__ in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this user to manage key material on your behalf.
This parameter tells AWS KMS the kmsuser account password; it does not change the password in the AWS CloudHSM cluster.
dict
Response Syntax
{ 'CustomKeyStoreId': 'string' }
Response Structure
(dict) --
CustomKeyStoreId (string) --
A unique identifier for the new custom key store.
Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore . To reconnect the custom key store after the update completes, use ConnectCustomKeyStore . To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.
Use the NewCustomKeyStoreName parameter to change the friendly name of the custom key store to the value that you specify.
Use the KeyStorePassword parameter tell AWS KMS the current password of the ` kmsuser crypto user (CU) <http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser>`__ in the associated AWS CloudHSM cluster. You can use this parameter to fix connection failures that occur when AWS KMS cannot log into the associated cluster because the kmsuser password has changed. This value does not change the password in the AWS CloudHSM cluster.
Use the CloudHsmClusterId parameter to associate the custom key store with a related AWS CloudHSM cluster, that is, a cluster that shares a backup history with the original cluster. You can use this parameter to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is deleted, or when you need to create or restore a cluster from a backup.
The cluster ID must identify a AWS CloudHSM cluster with the following requirements.
The cluster must be active and be in the same AWS account and Region as the custom key store.
The cluster must have the same cluster certificate as the original cluster. You cannot use this parameter to associate the custom key store with an unrelated cluster. To view the cluster certificate, use the AWS CloudHSM DescribeClusters operation. Clusters that share a backup history have the same cluster certificate.
The cluster must be configured with subnets in at least two different Availability Zones in the Region. Because AWS CloudHSM is not supported in all Availability Zones, we recommend that the cluster have subnets in all Availability Zones in the Region.
The cluster must contain at least two active HSMs, each in a different Availability Zone.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
See also: AWS API Documentation
Request Syntax
client.update_custom_key_store( CustomKeyStoreId='string', NewCustomKeyStoreName='string', KeyStorePassword='string', CloudHsmClusterId='string' )
string
[REQUIRED]
Identifies the custom key store that you want to update. Enter the ID of the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
string
Changes the friendly name of the custom key store to the value that you specify. The custom key store name must be unique in the AWS account.
string
Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM cluster that is associated with the custom key store.
This parameter tells AWS KMS the current password of the kmsuser crypto user (CU). It does not set or change the password of any users in the AWS CloudHSM cluster.
string
Associates the custom key store with a related AWS CloudHSM cluster.
Enter the cluster ID of the cluster that you used to create the custom key store or a cluster that shares a backup history with the original cluster. You cannot use this parameter to associate a custom key store with a different cluster.
Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.
dict
Response Syntax
{}
Response Structure
(dict) --
Gets information about custom key stores in the account and region.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
By default, this operation returns information about all custom key stores in the account and region. To get only information about a particular custom key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter (but not both).
To determine whether the custom key store is connected to its AWS CloudHSM cluster, use the ConnectionState element in the response. If an attempt to connect the custom key store failed, the ConnectionState value is FAILED and the ConnectionErrorCode element in the response indicates the cause of the failure. For help interpreting the ConnectionErrorCode , see CustomKeyStoresListEntry .
Custom key stores have a DISCONNECTED connection state if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If your custom key store state is CONNECTED but you are having trouble using it, make sure that its associated AWS CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any.
For help repairing your custom key store, see the Troubleshooting Custom Key Stores topic in the AWS Key Management Service Developer Guide .
See also: AWS API Documentation
Request Syntax
client.describe_custom_key_stores( CustomKeyStoreId='string', CustomKeyStoreName='string', Limit=123, Marker='string' )
string
Gets only information about the specified custom key store. Enter the key store ID.
By default, this operation gets information about all custom key stores in the account and region. To limit the output to a particular custom key store, you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, but not both.
string
Gets only information about the specified custom key store. Enter the friendly name of the custom key store.
By default, this operation gets information about all custom key stores in the account and region. To limit the output to a particular custom key store, you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, but not both.
integer
Use this parameter to specify the maximum number of items to return. When this value is present, AWS KMS does not return more than the specified number of items, but it might return fewer.
string
Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextMarker from the truncated response you just received.
dict
Response Syntax
{ 'CustomKeyStores': [ { 'CustomKeyStoreId': 'string', 'CustomKeyStoreName': 'string', 'CloudHsmClusterId': 'string', 'TrustAnchorCertificate': 'string', 'ConnectionState': 'CONNECTED'|'CONNECTING'|'FAILED'|'DISCONNECTED'|'DISCONNECTING', 'ConnectionErrorCode': 'INVALID_CREDENTIALS'|'CLUSTER_NOT_FOUND'|'NETWORK_ERRORS'|'INSUFFICIENT_CLOUDHSM_HSMS'|'USER_LOCKED_OUT', 'CreationDate': datetime(2015, 1, 1) }, ], 'NextMarker': 'string', 'Truncated': True|False }
Response Structure
(dict) --
CustomKeyStores (list) --
Contains metadata about each custom key store.
(dict) --
Contains information about each custom key store in the custom key store list.
CustomKeyStoreId (string) --
A unique identifier for the custom key store.
CustomKeyStoreName (string) --
The user-specified friendly name for the custom key store.
CloudHsmClusterId (string) --
A unique identifier for the AWS CloudHSM cluster that is associated with the custom key store.
TrustAnchorCertificate (string) --
The trust anchor certificate of the associated AWS CloudHSM cluster. When you initialize the cluster , you create this certificate and save it in the customerCA.crt file.
ConnectionState (string) --
Indicates whether the custom key store is connected to its AWS CloudHSM cluster.
You can create and use CMKs in your custom key stores only when its connection state is CONNECTED .
The value is DISCONNECTED if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If the value is CONNECTED but you are having trouble using the custom key store, make sure that its associated AWS CloudHSM cluster is active and contains at least one active HSM.
A value of FAILED indicates that an attempt to connect was unsuccessful. For help resolving a connection failure, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide .
ConnectionErrorCode (string) --
Describes the connection error. Valid values are:
CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID.
INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does not contain any active HSMs. To connect a custom key store to its AWS CloudHSM cluster, the cluster must contain at least one active HSM.
INVALID_CREDENTIALS - AWS KMS does not have the correct password for the kmsuser crypto user in the AWS CloudHSM cluster.
NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting to the custom key store.
USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated AWS CloudHSM cluster due to too many failed password attempts. Before you can connect your custom key store to its AWS CloudHSM cluster, you must change the kmsuser account password and update the password value for the custom key store.
For help with connection failures, see Troubleshooting Custom Key Stores in the AWS Key Management Service Developer Guide .
CreationDate (datetime) --
The date and time when the custom key store was created.
NextMarker (string) --
When Truncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent request.
Truncated (boolean) --
A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in this response to the Marker parameter in a subsequent request.
Disconnects the custom key store from its associated AWS CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key store and its customer master keys (CMKs), but you cannot create or use CMKs in the custom key store. You can reconnect the custom key store at any time.
Note
While a custom key store is disconnected, all attempts to create customer master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.
To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the ConnectCustomKeyStore operation.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
See also: AWS API Documentation
Request Syntax
client.disconnect_custom_key_store( CustomKeyStoreId='string' )
string
[REQUIRED]
Enter the ID of the custom key store you want to disconnect. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
dict
Response Syntax
{}
Response Structure
(dict) --
Connects or reconnects a custom key store to its associated AWS CloudHSM cluster.
The custom key store must be connected before you can create customer master keys (CMKs) in the key store or use the CMKs it contains. You can disconnect and reconnect a custom key store at any time.
To connect a custom key store, its associated AWS CloudHSM cluster must have at least one active HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs to the cluster, use the CreateHsm operation.
The connection process can take an extended amount of time to complete; up to 20 minutes. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.
During the connection process, AWS KMS finds the AWS CloudHSM cluster that is associated with the custom key store, creates the connection infrastructure, connects to the cluster, logs into the AWS CloudHSM client as the ` kmsuser crypto user <http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser>`__ (CU), and rotates its password.
The ConnectCustomKeyStore operation might fail for various reasons. To find the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode in the response. For help interpreting the ConnectionErrorCode , see CustomKeyStoresListEntry .
To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use ConnectCustomKeyStore again.
If you are having trouble connecting or disconnecting a custom key store, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide .
See also: AWS API Documentation
Request Syntax
client.connect_custom_key_store( CustomKeyStoreId='string' )
string
[REQUIRED]
Enter the key store ID of the custom key store that you want to connect. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
dict
Response Syntax
{}
Response Structure
(dict) --
{'CustomKeyStoreId': 'string', 'Origin': ['AWS_CLOUDHSM']}Response
{'KeyMetadata': {'CloudHsmClusterId': 'string', 'CustomKeyStoreId': 'string', 'KeyState': ['Unavailable'], 'Origin': ['AWS_CLOUDHSM']}}
Creates a customer master key (CMK) in the caller's AWS account.
You can use a CMK to encrypt small amounts of data (4 KiB or less) directly, but CMKs are more commonly used to encrypt data keys, which are used to encrypt raw data. For more information about data keys and the difference between CMKs and data keys, see the following:
The GenerateDataKey operation
AWS Key Management Service Concepts in the AWS Key Management Service Developer Guide
If you plan to import key material , use the Origin parameter with a value of EXTERNAL to create a CMK with no key material.
To create a CMK in a custom key store , use CustomKeyStoreId parameter to specify the custom key store. You must also use the Origin parameter with a value of AWS_CLOUDHSM . The AWS CloudHSM cluster that is associated with the custom key store must have at least two active HSMs, each in a different Availability Zone in the Region.
You cannot use this operation to create a CMK in a different AWS account.
See also: AWS API Documentation
Request Syntax
client.create_key( Policy='string', Description='string', KeyUsage='ENCRYPT_DECRYPT', Origin='AWS_KMS'|'EXTERNAL'|'AWS_CLOUDHSM', CustomKeyStoreId='string', BypassPolicyLockoutSafetyCheck=True|False, Tags=[ { 'TagKey': 'string', 'TagValue': 'string' }, ] )
string
The key policy to attach to the CMK.
If you provide a key policy, it must meet the following criteria:
If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide .
Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide .
If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide .
The key policy size limit is 32 kilobytes (32768 bytes).
string
A description of the CMK.
Use a description that helps you decide whether the CMK is appropriate for a task.
string
The intended use of the CMK.
You can use CMKs only for symmetric encryption and decryption.
string
The source of the CMK's key material. You cannot change the origin after you create the CMK.
The default is AWS_KMS , which means AWS KMS creates the key material in its own key store.
When the parameter value is EXTERNAL , AWS KMS creates a CMK without key material so that you can import key material from your existing key management infrastructure. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide .
When the parameter value is AWS_CLOUDHSM , AWS KMS creates the CMK in a AWS KMS custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also use the CustomKeyStoreId parameter to identify the custom key store.
string
Creates the CMK in the specified custom key store and the key material in its associated AWS CloudHSM cluster. To create a CMK in a custom key store, you must also specify the Origin parameter with a value of AWS_CLOUDHSM . The AWS CloudHSM cluster that is associated with the custom key store must have at least two active HSMs, each in a different Availability Zone in the Region.
To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
boolean
A flag to indicate whether to bypass the key policy lockout safety check.
Warning
Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide .
Use this parameter only when you include a policy in the request and you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the CMK.
The default value is false.
list
One or more tags. Each tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag values can be empty (null) strings.
Use this parameter to tag the CMK when it is created. Alternately, you can omit this parameter and instead tag the CMK after it is created using TagResource .
(dict) --
A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag values can be empty (null) strings.
For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictions in the AWS Billing and Cost Management User Guide .
TagKey (string) -- [REQUIRED]
The key of the tag.
TagValue (string) -- [REQUIRED]
The value of the tag.
dict
Response Syntax
{ 'KeyMetadata': { 'AWSAccountId': 'string', 'KeyId': 'string', 'Arn': 'string', 'CreationDate': datetime(2015, 1, 1), 'Enabled': True|False, 'Description': 'string', 'KeyUsage': 'ENCRYPT_DECRYPT', 'KeyState': 'Enabled'|'Disabled'|'PendingDeletion'|'PendingImport'|'Unavailable', 'DeletionDate': datetime(2015, 1, 1), 'ValidTo': datetime(2015, 1, 1), 'Origin': 'AWS_KMS'|'EXTERNAL'|'AWS_CLOUDHSM', 'CustomKeyStoreId': 'string', 'CloudHsmClusterId': 'string', 'ExpirationModel': 'KEY_MATERIAL_EXPIRES'|'KEY_MATERIAL_DOES_NOT_EXPIRE', 'KeyManager': 'AWS'|'CUSTOMER' } }
Response Structure
(dict) --
KeyMetadata (dict) --
Metadata associated with the CMK.
AWSAccountId (string) --
The twelve-digit account ID of the AWS account that owns the CMK.
KeyId (string) --
The globally unique identifier for the CMK.
Arn (string) --
The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management Service (AWS KMS) in the Example ARNs section of the AWS General Reference .
CreationDate (datetime) --
The date and time when the CMK was created.
Enabled (boolean) --
Specifies whether the CMK is enabled. When KeyState is Enabled this value is true, otherwise it is false.
Description (string) --
The description of the CMK.
KeyUsage (string) --
The cryptographic operations for which you can use the CMK. Currently the only allowed value is ENCRYPT_DECRYPT , which means you can use the CMK for the Encrypt and Decrypt operations.
KeyState (string) --
The state of the CMK.
For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide .
DeletionDate (datetime) --
The date and time after which AWS KMS deletes the CMK. This value is present only when KeyState is PendingDeletion .
ValidTo (datetime) --
The time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. This value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES , otherwise this value is omitted.
Origin (string) --
The source of the CMK's key material. When this value is AWS_KMS , AWS KMS created the key material. When this value is EXTERNAL , the key material was imported from your existing key management infrastructure or the CMK lacks key material. When this value is AWS_CLOUDHSM , the key material was created in the AWS CloudHSM cluster associated with a custom key store.
CustomKeyStoreId (string) --
A unique identifier for the custom key store that contains the CMK. This value is present only when the CMK is created in a custom key store.
CloudHsmClusterId (string) --
The cluster ID of the AWS CloudHSM cluster that contains the key material for the CMK. When you create a CMK in a custom key store , AWS KMS creates the key material for the CMK in the associated AWS CloudHSM cluster. This value is present only when the CMK is created in a custom key store.
ExpirationModel (string) --
Specifies whether the CMK's key material expires. This value is present only when Origin is EXTERNAL , otherwise this value is omitted.
KeyManager (string) --
The CMK's manager. CMKs are either customer-managed or AWS-managed. For more information about the difference, see Customer Master Keys in the AWS Key Management Service Developer Guide .
{'KeyMetadata': {'CloudHsmClusterId': 'string', 'CustomKeyStoreId': 'string', 'KeyState': ['Unavailable'], 'Origin': ['AWS_CLOUDHSM']}}
Provides detailed information about the specified customer master key (CMK).
If you use DescribeKey on a predefined AWS alias, that is, an AWS alias with no key ID, AWS KMS associates the alias with an AWS managed CMK and returns its KeyId and Arn in the response.
To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
See also: AWS API Documentation
Request Syntax
client.describe_key( KeyId='string', GrantTokens=[ 'string', ] )
string
[REQUIRED]
Describes the specified customer master key (CMK).
If you specify a predefined AWS alias (an AWS alias with no key ID), KMS associates the alias with an AWS managed CMK and returns its KeyId and Arn in the response.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey . To get the alias name and alias ARN, use ListAliases .
list
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .
(string) --
dict
Response Syntax
{ 'KeyMetadata': { 'AWSAccountId': 'string', 'KeyId': 'string', 'Arn': 'string', 'CreationDate': datetime(2015, 1, 1), 'Enabled': True|False, 'Description': 'string', 'KeyUsage': 'ENCRYPT_DECRYPT', 'KeyState': 'Enabled'|'Disabled'|'PendingDeletion'|'PendingImport'|'Unavailable', 'DeletionDate': datetime(2015, 1, 1), 'ValidTo': datetime(2015, 1, 1), 'Origin': 'AWS_KMS'|'EXTERNAL'|'AWS_CLOUDHSM', 'CustomKeyStoreId': 'string', 'CloudHsmClusterId': 'string', 'ExpirationModel': 'KEY_MATERIAL_EXPIRES'|'KEY_MATERIAL_DOES_NOT_EXPIRE', 'KeyManager': 'AWS'|'CUSTOMER' } }
Response Structure
(dict) --
KeyMetadata (dict) --
Metadata associated with the key.
AWSAccountId (string) --
The twelve-digit account ID of the AWS account that owns the CMK.
KeyId (string) --
The globally unique identifier for the CMK.
Arn (string) --
The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management Service (AWS KMS) in the Example ARNs section of the AWS General Reference .
CreationDate (datetime) --
The date and time when the CMK was created.
Enabled (boolean) --
Specifies whether the CMK is enabled. When KeyState is Enabled this value is true, otherwise it is false.
Description (string) --
The description of the CMK.
KeyUsage (string) --
The cryptographic operations for which you can use the CMK. Currently the only allowed value is ENCRYPT_DECRYPT , which means you can use the CMK for the Encrypt and Decrypt operations.
KeyState (string) --
The state of the CMK.
For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide .
DeletionDate (datetime) --
The date and time after which AWS KMS deletes the CMK. This value is present only when KeyState is PendingDeletion .
ValidTo (datetime) --
The time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. This value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES , otherwise this value is omitted.
Origin (string) --
The source of the CMK's key material. When this value is AWS_KMS , AWS KMS created the key material. When this value is EXTERNAL , the key material was imported from your existing key management infrastructure or the CMK lacks key material. When this value is AWS_CLOUDHSM , the key material was created in the AWS CloudHSM cluster associated with a custom key store.
CustomKeyStoreId (string) --
A unique identifier for the custom key store that contains the CMK. This value is present only when the CMK is created in a custom key store.
CloudHsmClusterId (string) --
The cluster ID of the AWS CloudHSM cluster that contains the key material for the CMK. When you create a CMK in a custom key store , AWS KMS creates the key material for the CMK in the associated AWS CloudHSM cluster. This value is present only when the CMK is created in a custom key store.
ExpirationModel (string) --
Specifies whether the CMK's key material expires. This value is present only when Origin is EXTERNAL , otherwise this value is omitted.
KeyManager (string) --
The CMK's manager. CMKs are either customer-managed or AWS-managed. For more information about the difference, see Customer Master Keys in the AWS Key Management Service Developer Guide .
{'CustomKeyStoreId': 'string'}
Returns a random byte string that is cryptographically secure.
By default, the random byte string is generated in AWS KMS. To generate the byte string in the AWS CloudHSM cluster that is associated with a custom key store , specify the custom key store ID.
For more information about entropy and random number generation, see the AWS Key Management Service Cryptographic Details whitepaper.
See also: AWS API Documentation
Request Syntax
client.generate_random( NumberOfBytes=123, CustomKeyStoreId='string' )
integer
The length of the byte string.
string
Generates the random byte string in the AWS CloudHSM cluster that is associated with the specified custom key store . To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
dict
Response Syntax
{ 'Plaintext': b'bytes' }
Response Structure
(dict) --
Plaintext (bytes) --
The random byte string. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.