/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.KeyManagementService.Model
{
///
/// Container for the parameters to the CreateKey operation.
/// Creates a unique customer managed KMS
/// key in your Amazon Web Services account and Region. You can use a KMS key in cryptographic
/// operations, such as encryption and signing. Some Amazon Web Services services let
/// you use KMS keys that you create and manage to protect your service resources.
///
///
///
/// A KMS key is a logical representation of a cryptographic key. In addition to the key
/// material used in cryptographic operations, a KMS key includes metadata, such as the
/// key ID, key policy, creation date, description, and key state. For details, see Managing
/// keys in the Key Management Service Developer Guide
///
///
///
/// Use the parameters of CreateKey to specify the type of KMS key, the source
/// of its key material, its key policy, description, tags, and other properties.
///
///
///
/// KMS has replaced the term customer master key (CMK) with KMS key and
/// KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping
/// some variations of this term.
///
///
///
/// To create different types of KMS keys, use the following guidance:
///
/// - Symmetric encryption KMS key
-
///
/// By default,
CreateKey creates a symmetric encryption KMS key with key
/// material that KMS generates. This is the basic and most widely used type of KMS key,
/// and provides the best performance.
///
///
///
/// To create a symmetric encryption KMS key, you don't need to specify any parameters.
/// The default value for KeySpec, SYMMETRIC_DEFAULT, the default
/// value for KeyUsage, ENCRYPT_DECRYPT, and the default value
/// for Origin, AWS_KMS, create a symmetric encryption KMS key
/// with KMS key material.
///
///
///
/// If you need a key for basic encryption and decryption or you are creating a KMS key
/// to protect your resources in an Amazon Web Services service, create a symmetric encryption
/// KMS key. The key material in a symmetric encryption key never leaves KMS unencrypted.
/// You can use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096
/// bytes, but they are typically used to generate data keys and data keys pairs. For
/// details, see GenerateDataKey and GenerateDataKeyPair.
///
///
///
///
///
/// - Asymmetric KMS keys
-
///
/// To create an asymmetric KMS key, use the
KeySpec parameter to specify
/// the type of key material in the KMS key. Then, use the KeyUsage parameter
/// to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
/// You can't change these properties after the KMS key is created.
///
///
///
/// Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an
/// SM2 key pair (China Regions only). The private key in an asymmetric KMS key never
/// leaves KMS unencrypted. However, you can use the GetPublicKey operation to
/// download the public key so it can be used outside of KMS. KMS keys with RSA or SM2
/// key pairs can be used to encrypt or decrypt data or sign and verify messages (but
/// not both). KMS keys with ECC key pairs can be used only to sign and verify messages.
/// For information about asymmetric KMS keys, see Asymmetric
/// KMS keys in the Key Management Service Developer Guide.
///
///
///
///
///
/// - HMAC KMS key
-
///
/// To create an HMAC KMS key, set the
KeySpec parameter to a key spec value
/// for HMAC KMS keys. Then set the KeyUsage parameter to GENERATE_VERIFY_MAC.
/// You must set the key usage even though GENERATE_VERIFY_MAC is the only
/// valid key usage value for HMAC KMS keys. You can't change these properties after the
/// KMS key is created.
///
///
///
/// HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC
/// keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for
/// messages up to 4096 bytes.
///
///
///
///
///
/// - Multi-Region primary keys
- Imported key material
-
///
/// To create a multi-Region primary key in the local Amazon Web Services Region,
/// use the
MultiRegion parameter with a value of True. To create
/// a multi-Region replica key, that is, a KMS key with the same key ID and key
/// material as a primary key, but in a different Amazon Web Services Region, use the
/// ReplicateKey operation. To change a replica key to a primary key, and its primary
/// key to a replica key, use the UpdatePrimaryRegion operation.
///
///
///
/// You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption
/// KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric signing KMS
/// keys. You can also create multi-Region keys with imported key material. However, you
/// can't create multi-Region keys in a custom key store.
///
///
///
/// This operation supports multi-Region keys, an KMS feature that lets you create
/// multiple interoperable KMS keys in different Amazon Web Services Regions. Because
/// these KMS keys have the same key ID, key material, and other metadata, you can use
/// them interchangeably to encrypt data in one Amazon Web Services Region and decrypt
/// it in a different Amazon Web Services Region without re-encrypting the data or making
/// a cross-Region call. For more information about multi-Region keys, see Multi-Region
/// keys in KMS in the Key Management Service Developer Guide.
///
///
///
///
///
/// -
///
/// To import your own key material into a KMS key, begin by creating a KMS key with no
/// key material. To do this, use the
Origin parameter of CreateKey
/// with a value of EXTERNAL. Next, use GetParametersForImport operation
/// to get a public key and import token. Use the wrapping public key to encrypt your
/// key material. Then, use ImportKeyMaterial with your import token to import
/// the key material. For step-by-step instructions, see Importing
/// Key Material in the Key Management Service Developer Guide .
///
///
///
/// You can import key material into KMS keys of all supported KMS key types: symmetric
/// encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric
/// signing KMS keys. You can also create multi-Region keys with imported key material.
/// However, you can't import key material into a KMS key in a custom key store.
///
///
///
/// To create a multi-Region primary key with imported key material, use the Origin
/// parameter of CreateKey with a value of EXTERNAL and the
/// MultiRegion parameter with a value of True. To create replicas
/// of the multi-Region primary key, use the ReplicateKey operation. For instructions,
/// see Importing key material into multi-Region keys. For more information about multi-Region
/// keys, see Multi-Region
/// keys in KMS in the Key Management Service Developer Guide.
///
///
///
///
///
/// - Custom key store
-
///
/// A custom
/// key store lets you protect your Amazon Web Services resources using keys in a
/// backing key store that you own and manage. When you request a cryptographic operation
/// with a KMS key in a custom key store, the operation is performed in the backing key
/// store using its cryptographic keys.
///
///
///
/// KMS supports CloudHSM
/// key stores backed by an CloudHSM cluster and external
/// key stores backed by an external key manager outside of Amazon Web Services. When
/// you create a KMS key in an CloudHSM key store, KMS generates an encryption key in
/// the CloudHSM cluster and associates it with the KMS key. When you create a KMS key
/// in an external key store, you specify an existing encryption key in the external key
/// manager.
///
///
///
/// Some external key managers provide a simpler method for creating a KMS key in an external
/// key store. For details, see your external key manager documentation.
///
///
///
/// Before you create a KMS key in a custom key store, the
ConnectionState
/// of the key store must be CONNECTED. To connect the custom key store,
/// use the ConnectCustomKeyStore operation. To find the ConnectionState,
/// use the DescribeCustomKeyStores operation.
///
///
///
/// To create a KMS key in a custom key store, use the CustomKeyStoreId.
/// Use the default KeySpec value, SYMMETRIC_DEFAULT, and the
/// default KeyUsage value, ENCRYPT_DECRYPT to create a symmetric
/// encryption key. No other key type is supported in a custom key store.
///
///
///
/// To create a KMS key in an CloudHSM
/// key store, use the Origin parameter with a value of AWS_CLOUDHSM.
/// The CloudHSM cluster that is associated with the custom key store must have at least
/// two active HSMs in different Availability Zones in the Amazon Web Services Region.
///
///
///
/// To create a KMS key in an external
/// key store, use the Origin parameter with a value of EXTERNAL_KEY_STORE
/// and an XksKeyId parameter that identifies an existing external key.
///
///
///
/// Some external key managers provide a simpler method for creating a KMS key in an external
/// key store. For details, see your external key manager documentation.
///
///
///
/// Cross-account use: No. You cannot use this operation to create a KMS key in
/// a different Amazon Web Services account.
///
///
///
/// Required permissions: kms:CreateKey
/// (IAM policy). To use the Tags parameter, kms:TagResource
/// (IAM policy). For examples and information about related permissions, see Allow
/// a user to create KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Related operations:
///
///
///
public partial class CreateKeyRequest : AmazonKeyManagementServiceRequest
{
private bool? _bypassPolicyLockoutSafetyCheck;
private CustomerMasterKeySpec _customerMasterKeySpec;
private string _customKeyStoreId;
private string _description;
private KeySpec _keySpec;
private KeyUsageType _keyUsage;
private bool? _multiRegion;
private OriginType _origin;
private string _policy;
private List _tags = new List();
private string _xksKeyId;
///
/// Gets and sets the property BypassPolicyLockoutSafetyCheck.
///
/// Skips ("bypasses") the key policy lockout safety check. The default value is false.
///
///
///
/// Setting this value to true increases the risk that the KMS key becomes unmanageable.
/// Do not set this value to true indiscriminately.
///
///
///
/// For more information, see Default
/// key policy in the Key Management Service Developer Guide.
///
///
///
/// Use this parameter only when you intend to prevent the principal that is making the
/// request from making a subsequent PutKeyPolicy request on the KMS key.
///
///
public bool BypassPolicyLockoutSafetyCheck
{
get { return this._bypassPolicyLockoutSafetyCheck.GetValueOrDefault(); }
set { this._bypassPolicyLockoutSafetyCheck = value; }
}
// Check to see if BypassPolicyLockoutSafetyCheck property is set
internal bool IsSetBypassPolicyLockoutSafetyCheck()
{
return this._bypassPolicyLockoutSafetyCheck.HasValue;
}
///
/// Gets and sets the property CustomerMasterKeySpec.
///
/// Instead, use the KeySpec parameter.
///
///
///
/// The KeySpec and CustomerMasterKeySpec parameters work the
/// same way. Only the names differ. We recommend that you use KeySpec parameter
/// in your code. However, to avoid breaking changes, KMS supports both parameters.
///
///
[Obsolete("This parameter has been deprecated. Instead, use the KeySpec parameter.")]
public CustomerMasterKeySpec CustomerMasterKeySpec
{
get { return this._customerMasterKeySpec; }
set { this._customerMasterKeySpec = value; }
}
// Check to see if CustomerMasterKeySpec property is set
internal bool IsSetCustomerMasterKeySpec()
{
return this._customerMasterKeySpec != null;
}
///
/// Gets and sets the property CustomKeyStoreId.
///
/// Creates the KMS key in the specified custom
/// key store. The ConnectionState of the custom key store must be CONNECTED.
/// To find the CustomKeyStoreID and ConnectionState use the DescribeCustomKeyStores
/// operation.
///
///
///
/// This parameter is valid only for symmetric encryption KMS keys in a single Region.
/// You cannot create any other type of KMS key in a custom key store.
///
///
///
/// When you create a KMS key in an CloudHSM key store, KMS generates a non-exportable
/// 256-bit symmetric key in its associated CloudHSM cluster and associates it with the
/// KMS key. When you create a KMS key in an external key store, you must use the XksKeyId
/// parameter to specify an external key that serves as key material for the KMS key.
///
///
[AWSProperty(Min=1, Max=64)]
public string CustomKeyStoreId
{
get { return this._customKeyStoreId; }
set { this._customKeyStoreId = value; }
}
// Check to see if CustomKeyStoreId property is set
internal bool IsSetCustomKeyStoreId()
{
return this._customKeyStoreId != null;
}
///
/// Gets and sets the property Description.
///
/// A description of the KMS key. Use a description that helps you decide whether the
/// KMS key is appropriate for a task. The default value is an empty string (no description).
///
///
///
/// Do not include confidential or sensitive information in this field. This field may
/// be displayed in plaintext in CloudTrail logs and other output.
///
///
///
/// To set or change the description after the key is created, use UpdateKeyDescription.
///
///
[AWSProperty(Min=0, Max=8192)]
public string Description
{
get { return this._description; }
set { this._description = value; }
}
// Check to see if Description property is set
internal bool IsSetDescription()
{
return this._description != null;
}
///
/// Gets and sets the property KeySpec.
///
/// Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT,
/// creates a KMS key with a 256-bit AES-GCM key that is used for encryption and decryption,
/// except in China Regions, where it creates a 128-bit symmetric key that uses SM4 encryption.
/// For help choosing a key spec for your KMS key, see Choosing
/// a KMS key type in the Key Management Service Developer Guide .
///
///
///
/// The KeySpec determines whether the KMS key contains a symmetric key or
/// an asymmetric key pair. It also determines the algorithms that the KMS key supports.
/// You can't change the KeySpec after the KMS key is created. To further
/// restrict the algorithms that can be used with the KMS key, use a condition key in
/// its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm,
/// kms:MacAlgorithm
/// or kms:Signing
/// Algorithm in the Key Management Service Developer Guide .
///
///
///
/// Amazon Web
/// Services services that are integrated with KMS use symmetric encryption KMS keys
/// to protect your data. These services do not support asymmetric KMS keys or HMAC KMS
/// keys.
///
///
///
/// KMS supports the following key specs for KMS keys:
///
/// -
///
/// Symmetric encryption key (default)
///
///
-
///
///
SYMMETRIC_DEFAULT
///
///
-
///
/// HMAC keys (symmetric)
///
///
-
///
///
HMAC_224
///
/// -
///
///
HMAC_256
///
/// -
///
///
HMAC_384
///
/// -
///
///
HMAC_512
///
///
-
///
/// Asymmetric RSA key pairs
///
///
-
///
///
RSA_2048
///
/// -
///
///
RSA_3072
///
/// -
///
///
RSA_4096
///
///
-
///
/// Asymmetric NIST-recommended elliptic curve key pairs
///
///
-
///
///
ECC_NIST_P256 (secp256r1)
///
/// -
///
///
ECC_NIST_P384 (secp384r1)
///
/// -
///
///
ECC_NIST_P521 (secp521r1)
///
///
-
///
/// Other asymmetric elliptic curve key pairs
///
///
-
///
///
ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
///
///
-
///
/// SM2 key pairs (China Regions only)
///
///
///
public KeySpec KeySpec
{
get { return this._keySpec; }
set { this._keySpec = value; }
}
// Check to see if KeySpec property is set
internal bool IsSetKeySpec()
{
return this._keySpec != null;
}
///
/// Gets and sets the property KeyUsage.
///
/// Determines the cryptographic
/// operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT.
/// This parameter is optional when you are creating a symmetric encryption KMS key; otherwise,
/// it is required. You can't change the KeyUsage value after the KMS key
/// is created.
///
///
///
/// Select only one valid value.
///
/// -
///
/// For symmetric encryption KMS keys, omit the parameter or specify
ENCRYPT_DECRYPT.
///
/// -
///
/// For HMAC KMS keys (symmetric), specify
GENERATE_VERIFY_MAC.
///
/// -
///
/// For asymmetric KMS keys with RSA key material, specify
ENCRYPT_DECRYPT
/// or SIGN_VERIFY.
///
/// -
///
/// For asymmetric KMS keys with ECC key material, specify
SIGN_VERIFY.
///
/// -
///
/// For asymmetric KMS keys with SM2 key material (China Regions only), specify
ENCRYPT_DECRYPT
/// or SIGN_VERIFY.
///
///
///
public KeyUsageType KeyUsage
{
get { return this._keyUsage; }
set { this._keyUsage = value; }
}
// Check to see if KeyUsage property is set
internal bool IsSetKeyUsage()
{
return this._keyUsage != null;
}
///
/// Gets and sets the property MultiRegion.
///
/// Creates a multi-Region primary key that you can replicate into other Amazon Web Services
/// Regions. You cannot change this value after you create the KMS key.
///
///
///
/// For a multi-Region key, set this parameter to True. For a single-Region
/// KMS key, omit this parameter or set it to False. The default value is
/// False.
///
///
///
/// This operation supports multi-Region keys, an KMS feature that lets you create
/// multiple interoperable KMS keys in different Amazon Web Services Regions. Because
/// these KMS keys have the same key ID, key material, and other metadata, you can use
/// them interchangeably to encrypt data in one Amazon Web Services Region and decrypt
/// it in a different Amazon Web Services Region without re-encrypting the data or making
/// a cross-Region call. For more information about multi-Region keys, see Multi-Region
/// keys in KMS in the Key Management Service Developer Guide.
///
///
///
/// This value creates a primary key, not a replica. To create a replica key,
/// use the ReplicateKey operation.
///
///
///
/// You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region
/// key with imported key material. However, you cannot create a multi-Region key in a
/// custom key store.
///
///
public bool MultiRegion
{
get { return this._multiRegion.GetValueOrDefault(); }
set { this._multiRegion = value; }
}
// Check to see if MultiRegion property is set
internal bool IsSetMultiRegion()
{
return this._multiRegion.HasValue;
}
///
/// Gets and sets the property Origin.
///
/// The source of the key material for the KMS key. You cannot change the origin after
/// you create the KMS key. The default is AWS_KMS, which means that KMS
/// creates the key material.
///
///
///
/// To create
/// a KMS key with no key material (for imported key material), set this value to
/// EXTERNAL. For more information about importing key material into KMS,
/// see Importing
/// Key Material in the Key Management Service Developer Guide. The EXTERNAL
/// origin value is valid only for symmetric KMS keys.
///
///
///
/// To create
/// a KMS key in an CloudHSM key store and create its key material in the associated
/// CloudHSM cluster, set this value to AWS_CLOUDHSM. You must also use the
/// CustomKeyStoreId parameter to identify the CloudHSM key store. The KeySpec
/// value must be SYMMETRIC_DEFAULT.
///
///
///
/// To create
/// a KMS key in an external key store, set this value to EXTERNAL_KEY_STORE.
/// You must also use the CustomKeyStoreId parameter to identify the external
/// key store and the XksKeyId parameter to identify the associated external
/// key. The KeySpec value must be SYMMETRIC_DEFAULT.
///
///
public OriginType Origin
{
get { return this._origin; }
set { this._origin = value; }
}
// Check to see if Origin property is set
internal bool IsSetOrigin()
{
return this._origin != null;
}
///
/// Gets and sets the property Policy.
///
/// The key policy to attach to the KMS key.
///
///
///
/// If you provide a key policy, it must meet the following criteria:
///
/// -
///
/// The key policy must allow the calling principal to make a subsequent
PutKeyPolicy
/// request on the KMS key. This reduces the risk that the KMS key becomes unmanageable.
/// For more information, see Default
/// key policy in the Key Management Service Developer Guide. (To omit this
/// condition, set BypassPolicyLockoutSafetyCheck to true.)
///
/// -
///
/// Each statement in the key policy must contain one or more principals. The principals
/// in the key policy must exist and be visible to KMS. When you create a new Amazon Web
/// Services principal, you might need to enforce a delay before including the new principal
/// in a key policy because the new principal might not be immediately visible to KMS.
/// For more information, see Changes
/// that I make are not always immediately visible in the Amazon Web Services Identity
/// and Access Management User Guide.
///
///
///
/// If you do not provide a key policy, KMS attaches a default key policy to the KMS key.
/// For more information, see Default
/// key policy in the Key Management Service Developer Guide.
///
///
///
/// The key policy size quota is 32 kilobytes (32768 bytes).
///
///
///
/// For help writing and formatting a JSON policy document, see the IAM
/// JSON Policy Reference in the Identity and Access Management User Guide
/// .
///
///
[AWSProperty(Min=1, Max=131072)]
public string Policy
{
get { return this._policy; }
set { this._policy = value; }
}
// Check to see if Policy property is set
internal bool IsSetPolicy()
{
return this._policy != null;
}
///
/// Gets and sets the property Tags.
///
/// Assigns one or more tags to the KMS key. Use this parameter to tag the KMS key when
/// it is created. To tag an existing KMS key, use the TagResource operation.
///
///
///
/// Do not include confidential or sensitive information in this field. This field may
/// be displayed in plaintext in CloudTrail logs and other output.
///
///
///
/// Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details,
/// see ABAC
/// for KMS in the Key Management Service Developer Guide.
///
///
///
/// To use this parameter, you must have kms:TagResource
/// permission in an IAM policy.
///
///
///
/// Each tag consists of a tag key and a tag value. Both the tag key and the tag value
/// are required, but the tag value can be an empty (null) string. You cannot have more
/// than one tag on a KMS key with the same tag key. If you specify an existing tag key
/// with a different tag value, KMS replaces the current tag value with the specified
/// one.
///
///
///
/// When you add tags to an Amazon Web Services resource, Amazon Web Services generates
/// a cost allocation report with usage and costs aggregated by tags. Tags can also be
/// used to control access to a KMS key. For details, see Tagging
/// Keys.
///
///
public List Tags
{
get { return this._tags; }
set { this._tags = value; }
}
// Check to see if Tags property is set
internal bool IsSetTags()
{
return this._tags != null && this._tags.Count > 0;
}
///
/// Gets and sets the property XksKeyId.
///
/// Identifies the external
/// key that serves as key material for the KMS key in an external
/// key store. Specify the ID that the external
/// key store proxy uses to refer to the external key. For help, see the documentation
/// for your external key store proxy.
///
///
///
/// This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE.
/// It is not valid for KMS keys with any other Origin value.
///
///
///
/// The external key must be an existing 256-bit AES symmetric encryption key hosted outside
/// of Amazon Web Services in an external key manager associated with the external key
/// store specified by the CustomKeyStoreId parameter. This key must be enabled
/// and configured to perform encryption and decryption. Each KMS key in an external key
/// store must use a different external key. For details, see Requirements
/// for a KMS key in an external key store in the Key Management Service Developer
/// Guide.
///
///
///
/// Each KMS key in an external key store is associated two backing keys. One is key material
/// that KMS generates. The other is the external key specified by this parameter. When
/// you use the KMS key in an external key store to encrypt data, the encryption operation
/// is performed first by KMS using the KMS key material, and then by the external key
/// manager using the specified external key, a process known as double encryption.
/// For details, see Double
/// encryption in the Key Management Service Developer Guide.
///
///
[AWSProperty(Min=1, Max=128)]
public string XksKeyId
{
get { return this._xksKeyId; }
set { this._xksKeyId = value; }
}
// Check to see if XksKeyId property is set
internal bool IsSetXksKeyId()
{
return this._xksKeyId != null;
}
}
}