# AWS::KMS::Key

The AWS::KMS::Key resource specifies an AWS KMS key in AWS Key Management Service (AWS KMS). Authorized users can use the AWS KMS key to encrypt and decrypt small amounts of data (up to 4096 bytes), but KMS keys are more commonly used to generate data keys. You can also use AWS KMS keys to encrypt data stored in AWS services that are integrated with AWS KMS or within their applications.

## Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

### JSON

```json
{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "BypassPolicyLockoutSafetyCheck" : Boolean,
    "Description" : String,
    "Enabled" : Boolean,
    "EnableKeyRotation" : Boolean,
    "KeyPolicy" : Map, String,
    "KeyUsage" : String,
    "Origin" : String,
    "KeySpec" : String,
    "MultiRegion" : Boolean,
    "PendingWindowInDays" : Integer,
    "Tags" : [ Tag, ... ]
  }
}
```

### YAML

```yaml
Type: AWS::KMS::Key
Properties:
  BypassPolicyLockoutSafetyCheck: Boolean
  Description: String
  Enabled: Boolean
  EnableKeyRotation: Boolean
  KeyPolicy: Map, String
  KeyUsage: String
  Origin: String
  KeySpec: String
  MultiRegion: Boolean
  PendingWindowInDays: Integer
  Tags:
    - Tag
```

## Properties

#### BypassPolicyLockoutSafetyCheck
Set to true to bypass the key policy lockout safety check. The default value is false.
_Required_: No
_Type_: Boolean
_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

#### Description
A description of the AWS KMS key. Use a description that helps you to distinguish this AWS KMS key from others in the account, such as its intended use.
_Required_: No
_Type_: String
_Maximum_: 8192
_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
#### Enabled
Specifies whether the AWS KMS key is enabled. Disabled AWS KMS keys cannot be used in cryptographic operations.
_Required_: No
_Type_: Boolean
_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
#### EnableKeyRotation
Enables automatic rotation of the key material for the specified AWS KMS key. By default, automatic key rotation is not enabled.
_Required_: No
_Type_: Boolean
_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
#### KeyPolicy
The key policy that authorizes use of the AWS KMS key. The default value is:

```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:
```

#### KeyUsage
_Allowed Values_: ENCRYPT_DECRYPT | SIGN_VERIFY | GENERATE_VERIFY_MAC
_Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
#### Origin
The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that AWS KMS creates the key material.
_Required_: No
_Type_: String
_Allowed Values_: AWS_KMS | EXTERNAL
_Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
#### KeySpec
Specifies the type of AWS KMS key to create. The default value is SYMMETRIC_DEFAULT. This property is required only for asymmetric AWS KMS keys. You can't change the KeySpec value after the AWS KMS key is created.
_Required_: No
_Type_: String
_Allowed Values_: SYMMETRIC_DEFAULT | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384 | ECC_NIST_P521 | ECC_SECG_P256K1 | HMAC_224 | HMAC_256 | HMAC_384 | HMAC_512 | SM2
_Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
#### MultiRegion
Specifies whether the AWS KMS key should be Multi-Region. You can't change the MultiRegion value after the AWS KMS key is created.
_Required_: No
_Type_: Boolean
_Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
#### PendingWindowInDays
Specifies the number of days in the waiting period before AWS KMS deletes an AWS KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.
_Required_: No
_Type_: Integer
_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
#### Tags
An array of key-value pairs to apply to this resource.
_Required_: No
_Type_: List of Tag
_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
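The property constraints above (KeySpec and KeyUsage values, the 7 to 30 day PendingWindowInDays range, rotation off by default, the lockout-check bypass) can be checked before a template is deployed. The following is an added example, not AWS code: a small linter run over a constructed CloudFormation template in JSON form; the KeySpec-to-KeyUsage pairing and the ENCRYPT_DECRYPT default for KeyUsage come from the KMS developer guide rather than this page, and the sample account ID is a placeholder.

```python
import json
# Constructed sample template (not from the AWS docs): a hardened key and a weak one.
TEMPLATE = json.loads("""{"Resources": {
  "GoodKey": {"Type": "AWS::KMS::Key", "Properties": {
    "Description": "Envelope-encryption key for app data",
    "EnableKeyRotation": true, "PendingWindowInDays": 30,
    "KeyPolicy": {"Version": "2012-10-17", "Statement": [{"Sid": "Admin",
      "Effect": "Allow", "Action": "kms:*", "Resource": "*",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}}},
  "WeakKey": {"Type": "AWS::KMS::Key", "Properties": {
    "BypassPolicyLockoutSafetyCheck": true, "PendingWindowInDays": 3,
    "KeySpec": "ECC_NIST_P256", "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyPolicy": {"Version": "2012-10-17", "Statement": [{"Sid": "Open",
      "Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}]}}}}}""")

# KeyUsage values KMS accepts per KeySpec, limited to the three usages this page lists.
VALID_USAGE = {"SYMMETRIC_DEFAULT": {"ENCRYPT_DECRYPT"}}
for spec in ("RSA_2048", "RSA_3072", "RSA_4096", "SM2"):
    VALID_USAGE[spec] = {"ENCRYPT_DECRYPT", "SIGN_VERIFY"}
for spec in ("ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"):
    VALID_USAGE[spec] = {"SIGN_VERIFY"}
for spec in ("HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"):
    VALID_USAGE[spec] = {"GENERATE_VERIFY_MAC"}

def lint_kms_key(name, props):
    # Return a list of findings for one AWS::KMS::Key resource's Properties dict.
    findings = []
    spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")   # default per this page
    usage = props.get("KeyUsage", "ENCRYPT_DECRYPT")   # KMS default (not stated on this page)
    if usage not in VALID_USAGE.get(spec, set()):
        findings.append(f"{name}: KeyUsage {usage} is not valid for KeySpec {spec}")
    if props.get("BypassPolicyLockoutSafetyCheck") is True:
        findings.append(f"{name}: BypassPolicyLockoutSafetyCheck is true")
    # Rotation is off by default (this page) and only applies to symmetric keys whose
    # material KMS created (Origin AWS_KMS), so the check is limited to that case.
    if (spec == "SYMMETRIC_DEFAULT" and props.get("Origin", "AWS_KMS") == "AWS_KMS"
            and props.get("EnableKeyRotation") is not True):
        findings.append(f"{name}: EnableKeyRotation is not true")
    window = props.get("PendingWindowInDays", 30)      # page: 7 to 30, default 30
    if not 7 <= window <= 30:
        findings.append(f"{name}: PendingWindowInDays {window} is outside 7-30")
    for stmt in props.get("KeyPolicy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            findings.append(f"{name}: statement {stmt.get('Sid')} allows Principal * unconditionally")
    return findings

def lint_template(template):
    # Lint every AWS::KMS::Key resource in a parsed CloudFormation template.
    return [f for name, res in template["Resources"].items()
            if res.get("Type") == "AWS::KMS::Key"
            for f in lint_kms_key(name, res.get("Properties", {}))]
```

Running `lint_template(TEMPLATE)` reports nothing for GoodKey and four findings for WeakKey: an ECC key cannot have KeyUsage ENCRYPT_DECRYPT, the lockout check is bypassed, the deletion window is below 7 days, and the key policy grants access to any principal.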
## Return Values
### Ref
When you pass the logical ID of this resource to the intrinsic `Ref` function, Ref returns the KeyId.
### Fn::GetAtt
The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the `Fn::GetAtt` intrinsic function, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html).
#### Arn
Returns the Arn value.
#### KeyId
Returns the KeyId value.